Adding upstream version 1.0.9.upstream/1.0.9upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1257 files changed, 107693 insertions, 0 deletions

diff --git a/tests/build/README b/tests/build/README
new file mode 100644
index 0000000..c365b88
--- /dev/null
+++ b/tests/build/README
@@ -0,0 +1,12 @@
+Testsuite for NFT compile options.
+
+In this testsuite, automated testing is done for following nft compile options:
+
+  cli support
+  enable debugging symbols
+  use mini-gmp
+  enable man page
+  libxtables support
+
+Run the test script 'run-tests.sh' as root user: ./run-tests.sh
+Any error encountered on compiling is saved in tests/build/tests.log file.
diff --git a/tests/build/run-tests.sh b/tests/build/run-tests.sh
new file mode 100755
index 0000000..916df2e
--- /dev/null
+++ b/tests/build/run-tests.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+log_file="$(pwd)/tests.log"
+dir=../..
+argument=( --without-cli --with-cli=linenoise --with-cli=editline --enable-debug --with-mini-gmp
+	   --enable-man-doc --with-xtables --with-json)
+ok=0
+failed=0
+
+[ -f "$log_file" ] && rm -rf "$log_file"
+
+tmpdir=$(mktemp -d)
+if [ ! -w "$tmpdir" ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+git clone "$dir" "$tmpdir" &>>"$log_file"
+cd "$tmpdir" || exit
+
+if ! autoreconf -fi &>>"$log_file" ; then
+	echo "Something went wrong. Check the log '${log_file}' for details."
+	exit 1
+fi
+
+if ! ./configure &>>"$log_file" ; then
+	echo "Something went wrong. Check the log '${log_file}' for details."
+	exit 1
+fi
+
+echo  "Testing build with distcheck"
+if ! make distcheck &>>"$log_file" ; then
+	echo "Something went wrong. Check the log '${log_file}' for details."
+	exit 1
+fi
+
+echo -en "\033[1A\033[K"
+echo "Build works. Now, testing compile options"
+
+for var in "${argument[@]}" ; do
+	echo "[EXECUTING] Testing compile option $var"
+	./configure "$var" &>>"$log_file"
+	make -j 8 &>>"$log_file"
+	rt=$?
+	echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line
+
+	if [ $rt -eq 0 ] ; then
+		echo "[OK] Compile option $var works."
+		((ok++))
+	else
+		echo "[FAILED] Compile option $var does not work. Check log for details."
+		((failed++))
+	fi
+done
+
+rm -rf "$tmpdir"
+
+echo "results: [OK] $ok [FAILED] $failed [TOTAL] $((ok+failed))"
+[ "$failed" -eq 0 ]
diff --git a/tests/build/tests.log b/tests/build/tests.log
new file mode 100644
index 0000000..efbb5de
--- /dev/null
+++ b/tests/build/tests.log
@@ -0,0 +1,3597 @@
+Clonando en '/tmp/tmp.nspSLnT0EN'...
+hecho.
+libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
+libtoolize: copying file 'build-aux/ltmain.sh'
+libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
+libtoolize: copying file 'm4/libtool.m4'
+libtoolize: copying file 'm4/ltoptions.m4'
+libtoolize: copying file 'm4/ltsugar.m4'
+libtoolize: copying file 'm4/ltversion.m4'
+libtoolize: copying file 'm4/lt~obsolete.m4'
+configure.ac:48: installing 'build-aux/ar-lib'
+configure.ac:25: installing 'build-aux/compile'
+configure.ac:49: installing 'build-aux/config.guess'
+configure.ac:49: installing 'build-aux/config.sub'
+configure.ac:6: installing 'build-aux/install-sh'
+configure.ac:6: installing 'build-aux/missing'
+examples/Makefile.am: installing 'build-aux/depcomp'
+configure.ac: installing 'build-aux/ylwrap'
+checking for a BSD-compatible install... /usr/bin/install -c
+checking whether build environment is sane... yes
+checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
+checking for gawk... gawk
+checking whether make sets $(MAKE)... yes
+checking whether make supports nested variables... yes
+checking how to create a pax tar archive... gnutar
+checking whether make supports nested variables... (cached) yes
+checking for gcc... gcc
+checking whether the C compiler works... yes
+checking for C compiler default output file name... a.out
+checking for suffix of executables... 
+checking whether we are cross compiling... no
+checking for suffix of object files... o
+checking whether we are using the GNU C compiler... yes
+checking whether gcc accepts -g... yes
+checking for gcc option to accept ISO C89... none needed
+checking whether gcc understands -c and -o together... yes
+checking whether make supports the include directive... yes (GNU style)
+checking dependency style of gcc... gcc3
+checking how to run the C preprocessor... gcc -E
+checking for grep that handles long lines and -e... /usr/bin/grep
+checking for egrep... /usr/bin/grep -E
+checking for ANSI C header files... yes
+checking for sys/types.h... yes
+checking for sys/stat.h... yes
+checking for stdlib.h... yes
+checking for string.h... yes
+checking for memory.h... yes
+checking for strings.h... yes
+checking for inttypes.h... yes
+checking for stdint.h... yes
+checking for unistd.h... yes
+checking minix/config.h usability... no
+checking minix/config.h presence... no
+checking for minix/config.h... no
+checking whether it is safe to define __EXTENSIONS__... yes
+checking for a sed that does not truncate output... /usr/bin/sed
+checking for flex... flex
+checking lex output file root... lex.yy
+checking lex library... -lfl
+checking whether yytext is a pointer... yes
+checking for bison... bison -y
+checking for ar... ar
+checking the archiver (ar) interface... ar
+checking build system type... x86_64-pc-linux-gnu
+checking host system type... x86_64-pc-linux-gnu
+checking how to print strings... printf
+checking for a sed that does not truncate output... (cached) /usr/bin/sed
+checking for fgrep... /usr/bin/grep -F
+checking for ld used by gcc... /usr/bin/ld
+checking if the linker (/usr/bin/ld) is GNU ld... yes
+checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
+checking the name lister (/usr/bin/nm -B) interface... BSD nm
+checking whether ln -s works... yes
+checking the maximum length of command line arguments... 1572864
+checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
+checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
+checking for /usr/bin/ld option to reload object files... -r
+checking for objdump... objdump
+checking how to recognize dependent libraries... pass_all
+checking for dlltool... no
+checking how to associate runtime and link libraries... printf %s\n
+checking for archiver @FILE support... @
+checking for strip... strip
+checking for ranlib... ranlib
+checking command to parse /usr/bin/nm -B output from gcc object... ok
+checking for sysroot... no
+checking for a working dd... /usr/bin/dd
+checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
+checking for mt... mt
+checking if mt is a manifest tool... no
+checking for dlfcn.h... yes
+checking for objdir... .libs
+checking if gcc supports -fno-rtti -fno-exceptions... no
+checking for gcc option to produce PIC... -fPIC -DPIC
+checking if gcc PIC flag -fPIC -DPIC works... yes
+checking if gcc static flag -static works... yes
+checking if gcc supports -c -o file.o... yes
+checking if gcc supports -c -o file.o... (cached) yes
+checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
+checking whether -lc should be explicitly linked in... no
+checking dynamic linker characteristics... GNU/Linux ld.so
+checking how to hardcode library paths into programs... immediate
+checking whether stripping libraries is possible... yes
+checking if libtool supports shared libraries... yes
+checking whether to build shared libraries... yes
+checking whether to build static libraries... no
+checking whether compiler accepts -fvisibility=hidden... yes
+checking for a2x... a2x
+checking for pkg-config... /usr/bin/pkg-config
+checking pkg-config is at least version 0.9.0... yes
+checking for libmnl >= 1.0.4... yes
+checking for libnftnl >= 1.2.6... yes
+checking for __gmpz_init in -lgmp... yes
+checking for readline in -ledit... yes
+checking whether getprotobyname_r is declared... yes
+checking whether getprotobynumber_r is declared... yes
+checking whether getservbyport_r is declared... yes
+checking that generated files are newer than configure... done
+configure: creating ./config.status
+config.status: creating Makefile
+config.status: creating libnftables.pc
+config.status: creating src/Makefile
+config.status: creating include/Makefile
+config.status: creating include/nftables/Makefile
+config.status: creating include/linux/Makefile
+config.status: creating include/linux/netfilter/Makefile
+config.status: creating include/linux/netfilter_arp/Makefile
+config.status: creating include/linux/netfilter_bridge/Makefile
+config.status: creating include/linux/netfilter_ipv4/Makefile
+config.status: creating include/linux/netfilter_ipv6/Makefile
+config.status: creating files/Makefile
+config.status: creating files/examples/Makefile
+config.status: creating files/nftables/Makefile
+config.status: creating files/osf/Makefile
+config.status: creating doc/Makefile
+config.status: creating py/Makefile
+config.status: creating examples/Makefile
+config.status: creating config.h
+config.status: executing depfiles commands
+config.status: executing libtool commands
+
+nft configuration:
+  cli support:			editline
+  enable debugging symbols:	yes
+  use mini-gmp:			no
+  enable man page:              yes
+  libxtables support:		no
+  json output support:          no
+make  dist-xz am__post_remove_distdir='@:'
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN'
+make  distdir-am
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN'
+if test -d "nftables-1.0.8"; then find "nftables-1.0.8" -type d ! -perm -200 -exec chmod u+w {} ';' && rm -rf "nftables-1.0.8" || { sleep 5 && rm -rf "nftables-1.0.8"; }; else :; fi
+test -d "nftables-1.0.8" || mkdir "nftables-1.0.8"
+ (cd src && make  top_distdir=../nftables-1.0.8 distdir=../nftables-1.0.8/src \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/src'
+  YACC     parser_bison.c
+/tmp/tmp.nspSLnT0EN/src/parser_bison.y:187.1-19: aviso: directiva no válida: «%name-prefix "nft_"», use «%define api.prefix {nft_}» [-Wdeprecated]
+  187 | %name-prefix "nft_"
+      | ^~~~~~~~~~~~~~~~~~~
+      | %define api.prefix {nft_}
+/tmp/tmp.nspSLnT0EN/src/parser_bison.y: aviso: fix-its can be applied.  Rerun with option '--update'. [-Wother]
+updating parser_bison.h
+make  distdir-am
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/src'
+  LEX      scanner.c
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/src'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/src'
+ (cd include && make  top_distdir=../nftables-1.0.8 distdir=../nftables-1.0.8/include \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include'
+make  distdir-am
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include'
+ (cd linux && make  top_distdir=../../nftables-1.0.8 distdir=../../nftables-1.0.8/include/linux \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+make  distdir-am
+make[6]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+ (cd netfilter && make  top_distdir=../../../nftables-1.0.8 distdir=../../../nftables-1.0.8/include/linux/netfilter \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[7]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+make  distdir-am
+make[8]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+make[8]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+make[7]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+ (cd netfilter_arp && make  top_distdir=../../../nftables-1.0.8 distdir=../../../nftables-1.0.8/include/linux/netfilter_arp \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[7]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+make  distdir-am
+make[8]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+make[8]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+make[7]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+ (cd netfilter_bridge && make  top_distdir=../../../nftables-1.0.8 distdir=../../../nftables-1.0.8/include/linux/netfilter_bridge \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[7]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+make  distdir-am
+make[8]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+make[8]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+make[7]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+ (cd netfilter_ipv4 && make  top_distdir=../../../nftables-1.0.8 distdir=../../../nftables-1.0.8/include/linux/netfilter_ipv4 \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[7]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+make  distdir-am
+make[8]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+make[8]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+make[7]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+ (cd netfilter_ipv6 && make  top_distdir=../../../nftables-1.0.8 distdir=../../../nftables-1.0.8/include/linux/netfilter_ipv6 \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[7]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make  distdir-am
+make[8]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[8]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[7]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[6]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+ (cd nftables && make  top_distdir=../../nftables-1.0.8 distdir=../../nftables-1.0.8/include/nftables \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make  distdir-am
+make[6]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[6]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include'
+ (cd files && make  top_distdir=../nftables-1.0.8 distdir=../nftables-1.0.8/files \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files'
+make  distdir-am
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files'
+ (cd nftables && make  top_distdir=../../nftables-1.0.8 distdir=../../nftables-1.0.8/files/nftables \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+make  distdir-am
+make[6]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+make[6]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+ (cd examples && make  top_distdir=../../nftables-1.0.8 distdir=../../nftables-1.0.8/files/examples \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+make  distdir-am
+make[6]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+make[6]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+ (cd osf && make  top_distdir=../../nftables-1.0.8 distdir=../../nftables-1.0.8/files/osf \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make  distdir-am
+make[6]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[6]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files'
+ (cd doc && make  top_distdir=../nftables-1.0.8 distdir=../nftables-1.0.8/doc \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/doc'
+make  distdir-am
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/doc'
+  GEN      nft.8
+  GEN      libnftables-json.5
+  GEN      libnftables.3
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/doc'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/doc'
+ (cd examples && make  top_distdir=../nftables-1.0.8 distdir=../nftables-1.0.8/examples \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/examples'
+make  distdir-am
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/examples'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/examples'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/examples'
+ (cd py && make  top_distdir=../nftables-1.0.8 distdir=../nftables-1.0.8/py \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/py'
+make  distdir-am
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/py'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/py'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/py'
+test -n "" \
+|| find "nftables-1.0.8" -type d ! -perm -755 \
+	-exec chmod u+rwx,go+rx {} \; -o \
+  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
+  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
+  ! -type d ! -perm -444 -exec /bin/bash /tmp/tmp.nspSLnT0EN/build-aux/install-sh -c -m a+r {} {} \; \
+|| chmod -R a+r "nftables-1.0.8"
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN'
+tardir=nftables-1.0.8 && tar --format=posix -chf - "$tardir" | XZ_OPT=${XZ_OPT--e} xz -c >nftables-1.0.8.tar.xz
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN'
+if test -d "nftables-1.0.8"; then find "nftables-1.0.8" -type d ! -perm -200 -exec chmod u+w {} ';' && rm -rf "nftables-1.0.8" || { sleep 5 && rm -rf "nftables-1.0.8"; }; else :; fi
+case 'nftables-1.0.8.tar.xz' in \
+*.tar.gz*) \
+  eval GZIP= gzip --best -dc nftables-1.0.8.tar.gz | tar -xf - ;;\
+*.tar.bz2*) \
+  bzip2 -dc nftables-1.0.8.tar.bz2 | tar -xf - ;;\
+*.tar.lz*) \
+  lzip -dc nftables-1.0.8.tar.lz | tar -xf - ;;\
+*.tar.xz*) \
+  xz -dc nftables-1.0.8.tar.xz | tar -xf - ;;\
+*.tar.Z*) \
+  uncompress -c nftables-1.0.8.tar.Z | tar -xf - ;;\
+*.shar.gz*) \
+  eval GZIP= gzip --best -dc nftables-1.0.8.shar.gz | unshar ;;\
+*.zip*) \
+  unzip nftables-1.0.8.zip ;;\
+*.tar.zst*) \
+  zstd -dc nftables-1.0.8.tar.zst | tar -xf - ;;\
+esac
+chmod -R a-w nftables-1.0.8
+chmod u+w nftables-1.0.8
+mkdir nftables-1.0.8/_build nftables-1.0.8/_build/sub nftables-1.0.8/_inst
+chmod a-w nftables-1.0.8
+test -d nftables-1.0.8/_build || exit 0; \
+dc_install_base=`CDPATH="${ZSH_VERSION+.}:" && cd nftables-1.0.8/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
+  && dc_destdir="${TMPDIR-/tmp}/am-dc-$$/" \
+  && am__cwd=`pwd` \
+  && CDPATH="${ZSH_VERSION+.}:" && cd nftables-1.0.8/_build/sub \
+  && ../../configure \
+     \
+     \
+    --srcdir=../.. --prefix="$dc_install_base" \
+  && make  \
+  && make  dvi \
+  && make  check \
+  && make  install \
+  && make  installcheck \
+  && make  uninstall \
+  && make  distuninstallcheck_dir="$dc_install_base" \
+        distuninstallcheck \
+  && chmod -R a-w "$dc_install_base" \
+  && ({ \
+       (cd ../.. && umask 077 && mkdir "$dc_destdir") \
+       && make  DESTDIR="$dc_destdir" install \
+       && make  DESTDIR="$dc_destdir" uninstall \
+       && make  DESTDIR="$dc_destdir" \
+            distuninstallcheck_dir="$dc_destdir" distuninstallcheck; \
+      } || { rm -rf "$dc_destdir"; exit 1; }) \
+  && rm -rf "$dc_destdir" \
+  && make  dist \
+  && rm -rf nftables-1.0.8.tar.xz \
+  && make  distcleancheck \
+  && cd "$am__cwd" \
+  || exit 1
+checking for a BSD-compatible install... /usr/bin/install -c
+checking whether build environment is sane... yes
+checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
+checking for gawk... gawk
+checking whether make sets $(MAKE)... yes
+checking whether make supports nested variables... yes
+checking how to create a pax tar archive... gnutar
+checking whether make supports nested variables... (cached) yes
+checking for gcc... gcc
+checking whether the C compiler works... yes
+checking for C compiler default output file name... a.out
+checking for suffix of executables... 
+checking whether we are cross compiling... no
+checking for suffix of object files... o
+checking whether we are using the GNU C compiler... yes
+checking whether gcc accepts -g... yes
+checking for gcc option to accept ISO C89... none needed
+checking whether gcc understands -c and -o together... yes
+checking whether make supports the include directive... yes (GNU style)
+checking dependency style of gcc... gcc3
+checking how to run the C preprocessor... gcc -E
+checking for grep that handles long lines and -e... /usr/bin/grep
+checking for egrep... /usr/bin/grep -E
+checking for ANSI C header files... yes
+checking for sys/types.h... yes
+checking for sys/stat.h... yes
+checking for stdlib.h... yes
+checking for string.h... yes
+checking for memory.h... yes
+checking for strings.h... yes
+checking for inttypes.h... yes
+checking for stdint.h... yes
+checking for unistd.h... yes
+checking minix/config.h usability... no
+checking minix/config.h presence... no
+checking for minix/config.h... no
+checking whether it is safe to define __EXTENSIONS__... yes
+checking for a sed that does not truncate output... /usr/bin/sed
+checking for flex... flex
+checking lex output file root... lex.yy
+checking lex library... -lfl
+checking whether yytext is a pointer... yes
+checking for bison... bison -y
+checking for ar... ar
+checking the archiver (ar) interface... ar
+checking build system type... x86_64-pc-linux-gnu
+checking host system type... x86_64-pc-linux-gnu
+checking how to print strings... printf
+checking for a sed that does not truncate output... (cached) /usr/bin/sed
+checking for fgrep... /usr/bin/grep -F
+checking for ld used by gcc... /usr/bin/ld
+checking if the linker (/usr/bin/ld) is GNU ld... yes
+checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
+checking the name lister (/usr/bin/nm -B) interface... BSD nm
+checking whether ln -s works... yes
+checking the maximum length of command line arguments... 1572864
+checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
+checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
+checking for /usr/bin/ld option to reload object files... -r
+checking for objdump... objdump
+checking how to recognize dependent libraries... pass_all
+checking for dlltool... no
+checking how to associate runtime and link libraries... printf %s\n
+checking for archiver @FILE support... @
+checking for strip... strip
+checking for ranlib... ranlib
+checking command to parse /usr/bin/nm -B output from gcc object... ok
+checking for sysroot... no
+checking for a working dd... /usr/bin/dd
+checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
+checking for mt... mt
+checking if mt is a manifest tool... no
+checking for dlfcn.h... yes
+checking for objdir... .libs
+checking if gcc supports -fno-rtti -fno-exceptions... no
+checking for gcc option to produce PIC... -fPIC -DPIC
+checking if gcc PIC flag -fPIC -DPIC works... yes
+checking if gcc static flag -static works... yes
+checking if gcc supports -c -o file.o... yes
+checking if gcc supports -c -o file.o... (cached) yes
+checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
+checking whether -lc should be explicitly linked in... no
+checking dynamic linker characteristics... GNU/Linux ld.so
+checking how to hardcode library paths into programs... immediate
+checking whether stripping libraries is possible... yes
+checking if libtool supports shared libraries... yes
+checking whether to build shared libraries... yes
+checking whether to build static libraries... no
+checking whether compiler accepts -fvisibility=hidden... yes
+checking for a2x... a2x
+checking for pkg-config... /usr/bin/pkg-config
+checking pkg-config is at least version 0.9.0... yes
+checking for libmnl >= 1.0.4... yes
+checking for libnftnl >= 1.2.6... yes
+checking for __gmpz_init in -lgmp... yes
+checking for readline in -ledit... yes
+checking whether getprotobyname_r is declared... yes
+checking whether getprotobynumber_r is declared... yes
+checking whether getservbyport_r is declared... yes
+checking that generated files are newer than configure... done
+configure: creating ./config.status
+config.status: creating Makefile
+config.status: creating libnftables.pc
+config.status: creating src/Makefile
+config.status: creating include/Makefile
+config.status: creating include/nftables/Makefile
+config.status: creating include/linux/Makefile
+config.status: creating include/linux/netfilter/Makefile
+config.status: creating include/linux/netfilter_arp/Makefile
+config.status: creating include/linux/netfilter_bridge/Makefile
+config.status: creating include/linux/netfilter_ipv4/Makefile
+config.status: creating include/linux/netfilter_ipv6/Makefile
+config.status: creating files/Makefile
+config.status: creating files/examples/Makefile
+config.status: creating files/nftables/Makefile
+config.status: creating files/osf/Makefile
+config.status: creating doc/Makefile
+config.status: creating py/Makefile
+config.status: creating examples/Makefile
+config.status: creating config.h
+config.status: executing depfiles commands
+config.status: executing libtool commands
+
+nft configuration:
+  cli support:			editline
+  enable debugging symbols:	yes
+  use mini-gmp:			no
+  enable man page:              yes
+  libxtables support:		no
+  json output support:          no
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make  all-recursive
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+Making all in src
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+make  all-am
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+  CC       main.o
+  CC       cli.o
+  CC       rule.lo
+  CC       statement.lo
+  CC       cache.lo
+  CC       cmd.lo
+  CC       datatype.lo
+  CC       expression.lo
+  CC       evaluate.lo
+  CC       proto.lo
+  CC       payload.lo
+  CC       exthdr.lo
+  CC       fib.lo
+  CC       hash.lo
+  CC       intervals.lo
+  CC       ipopt.lo
+  CC       meta.lo
+  CC       rt.lo
+  CC       numgen.lo
+  CC       ct.lo
+  CC       xfrm.lo
+  CC       netlink.lo
+  CC       netlink_linearize.lo
+  CC       netlink_delinearize.lo
+  CC       misspell.lo
+  CC       monitor.lo
+  CC       owner.lo
+  CC       segtree.lo
+  CC       gmputil.lo
+  CC       utils.lo
+  CC       nftutils.lo
+  CC       erec.lo
+  CC       mnl.lo
+  CC       iface.lo
+  CC       mergesort.lo
+  CC       optimize.lo
+  CC       osf.lo
+  CC       nfnl_osf.lo
+  CC       tcpopt.lo
+  CC       socket.lo
+  CC       print.lo
+  CC       sctp_chunk.lo
+  CC       dccpopt.lo
+  CC       libnftables.lo
+  CC       xt.lo
+  CC       libparser_la-parser_bison.lo
+  CC       libparser_la-scanner.lo
+  CCLD     libparser.la
+  CCLD     libnftables.la
+  CCLD     nft
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+Making all in include
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+Making all in linux
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+Making all in netfilter
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+make[5]: No se hace nada para 'all'.
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+Making all in netfilter_arp
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+make[5]: No se hace nada para 'all'.
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+Making all in netfilter_bridge
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+make[5]: No se hace nada para 'all'.
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+Making all in netfilter_ipv4
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+make[5]: No se hace nada para 'all'.
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+Making all in netfilter_ipv6
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[5]: No se hace nada para 'all'.
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[5]: No se hace nada para 'all-am'.
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+Making all in nftables
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[4]: No se hace nada para 'all-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+Making all in files
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+Making all in nftables
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+Making all in examples
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+Making all in osf
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[4]: No se hace nada para 'all-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+Making all in doc
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+Making all in examples
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+Making all in py
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+Making dvi in src
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+make[2]: No se hace nada para 'dvi'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+Making dvi in include
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+Making dvi in linux
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+Making dvi in netfilter
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+make[4]: No se hace nada para 'dvi'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+Making dvi in netfilter_arp
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+make[4]: No se hace nada para 'dvi'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+Making dvi in netfilter_bridge
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+make[4]: No se hace nada para 'dvi'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+Making dvi in netfilter_ipv4
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+make[4]: No se hace nada para 'dvi'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+Making dvi in netfilter_ipv6
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[4]: No se hace nada para 'dvi'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[4]: No se hace nada para 'dvi-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+Making dvi in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[3]: No se hace nada para 'dvi'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[3]: No se hace nada para 'dvi-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+Making dvi in files
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+Making dvi in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+make[3]: No se hace nada para 'dvi'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+Making dvi in examples
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+make[3]: No se hace nada para 'dvi'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+Making dvi in osf
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[3]: No se hace nada para 'dvi'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[3]: No se hace nada para 'dvi-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+Making dvi in doc
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+make[2]: No se hace nada para 'dvi'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+Making dvi in examples
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+make[2]: No se hace nada para 'dvi'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+Making dvi in py
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[2]: No se hace nada para 'dvi'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[2]: No se hace nada para 'dvi-am'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+Making check in src
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+make  check-am
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+make[3]: No se hace nada para 'check-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+Making check in include
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+Making check in linux
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+Making check in netfilter
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+make[4]: No se hace nada para 'check'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+Making check in netfilter_arp
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+make[4]: No se hace nada para 'check'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+Making check in netfilter_bridge
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+make[4]: No se hace nada para 'check'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+Making check in netfilter_ipv4
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+make[4]: No se hace nada para 'check'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+Making check in netfilter_ipv6
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[4]: No se hace nada para 'check'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[4]: No se hace nada para 'check-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+Making check in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[3]: No se hace nada para 'check'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[3]: No se hace nada para 'check-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+Making check in files
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+Making check in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+make[3]: No se hace nada para 'check'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+Making check in examples
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+make[3]: No se hace nada para 'check'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+Making check in osf
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[3]: No se hace nada para 'check'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[3]: No se hace nada para 'check-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+Making check in doc
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+make[2]: No se hace nada para 'check'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+Making check in examples
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+make  nft-buffer nft-json-file
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+  CC       nft-buffer.o
+  CCLD     nft-buffer
+  CC       nft-json-file.o
+  CCLD     nft-json-file
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+Making check in py
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[2]: No se hace nada para 'check'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+Making install in src
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+make  install-am
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+ /usr/bin/mkdir -p '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib'
+ /bin/bash ../libtool   --mode=install /usr/bin/install -c   libnftables.la '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib'
+libtool: install: /usr/bin/install -c .libs/libnftables.so.1.1.0 /tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/libnftables.so.1.1.0
+libtool: install: (cd /tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib && { ln -s -f libnftables.so.1.1.0 libnftables.so.1 || { rm -f libnftables.so.1 && ln -s libnftables.so.1.1.0 libnftables.so.1; }; })
+libtool: install: (cd /tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib && { ln -s -f libnftables.so.1.1.0 libnftables.so || { rm -f libnftables.so && ln -s libnftables.so.1.1.0 libnftables.so; }; })
+libtool: install: /usr/bin/install -c .libs/libnftables.lai /tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/libnftables.la
+libtool: finish: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/sbin" ldconfig -n /tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib
+----------------------------------------------------------------------
+Libraries have been installed in:
+   /tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib
+
+If you ever happen to want to link against installed libraries
+in a given directory, LIBDIR, you must either use libtool, and
+specify the full pathname of the library, or use the '-LLIBDIR'
+flag during linking and do at least one of the following:
+   - add LIBDIR to the 'LD_LIBRARY_PATH' environment variable
+     during execution
+   - add LIBDIR to the 'LD_RUN_PATH' environment variable
+     during linking
+   - use the '-Wl,-rpath -Wl,LIBDIR' linker flag
+   - have your system administrator add LIBDIR to '/etc/ld.so.conf'
+
+See any operating system documentation about shared libraries for
+more information, such as the ld(1) and ld.so(8) manual pages.
+----------------------------------------------------------------------
+ /usr/bin/mkdir -p '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/sbin'
+  /bin/bash ../libtool   --mode=install /usr/bin/install -c nft '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/sbin'
+libtool: install: /usr/bin/install -c .libs/nft /tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/sbin/nft
+make[4]: No se hace nada para 'install-data-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+Making install in include
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+Making install in linux
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+Making install in netfilter
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+make[5]: No se hace nada para 'install-exec-am'.
+make[5]: No se hace nada para 'install-data-am'.
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+Making install in netfilter_arp
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+make[5]: No se hace nada para 'install-exec-am'.
+make[5]: No se hace nada para 'install-data-am'.
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+Making install in netfilter_bridge
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+make[5]: No se hace nada para 'install-exec-am'.
+make[5]: No se hace nada para 'install-data-am'.
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+Making install in netfilter_ipv4
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+make[5]: No se hace nada para 'install-exec-am'.
+make[5]: No se hace nada para 'install-data-am'.
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+Making install in netfilter_ipv6
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[5]: No se hace nada para 'install-exec-am'.
+make[5]: No se hace nada para 'install-data-am'.
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[5]: No se hace nada para 'install-exec-am'.
+make[5]: No se hace nada para 'install-data-am'.
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+Making install in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[4]: No se hace nada para 'install-exec-am'.
+ /usr/bin/mkdir -p '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/include/nftables'
+ /usr/bin/install -c -m 644 ../../../../include/nftables/libnftables.h '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/include/nftables'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[4]: No se hace nada para 'install-exec-am'.
+make[4]: No se hace nada para 'install-data-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+Making install in files
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+Making install in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+make[4]: No se hace nada para 'install-exec-am'.
+ /usr/bin/mkdir -p '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/nftables'
+ /usr/bin/install -c -m 644 ../../../../files/nftables/all-in-one.nft ../../../../files/nftables/arp-filter.nft ../../../../files/nftables/bridge-filter.nft ../../../../files/nftables/inet-filter.nft ../../../../files/nftables/inet-nat.nft ../../../../files/nftables/ipv4-filter.nft ../../../../files/nftables/ipv4-mangle.nft ../../../../files/nftables/ipv4-nat.nft ../../../../files/nftables/ipv4-raw.nft ../../../../files/nftables/ipv6-filter.nft ../../../../files/nftables/ipv6-mangle.nft ../../../../files/nftables/ipv6-nat.nft ../../../../files/nftables/ipv6-raw.nft ../../../../files/nftables/netdev-ingress.nft '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/nftables'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+Making install in examples
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+make[4]: No se hace nada para 'install-exec-am'.
+ /usr/bin/mkdir -p '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/doc/nftables/examples'
+ /usr/bin/install -c ../../../../files/examples/ct_helpers.nft ../../../../files/examples/load_balancing.nft ../../../../files/examples/secmark.nft ../../../../files/examples/sets_and_maps.nft '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/doc/nftables/examples'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+Making install in osf
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[4]: No se hace nada para 'install-exec-am'.
+ /usr/bin/mkdir -p '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/etc/nftables/osf'
+ /usr/bin/install -c -m 644 ../../../../files/osf/pf.os '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/etc/nftables/osf'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[4]: No se hace nada para 'install-exec-am'.
+make[4]: No se hace nada para 'install-data-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+Making install in doc
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+make[3]: No se hace nada para 'install-exec-am'.
+ /usr/bin/mkdir -p '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/man/man3'
+ /usr/bin/install -c -m 644 ../../../doc/libnftables.3 '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/man/man3'
+ /usr/bin/mkdir -p '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/man/man5'
+ /usr/bin/install -c -m 644 ../../../doc/libnftables-json.5 '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/man/man5'
+ /usr/bin/mkdir -p '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/man/man8'
+ /usr/bin/install -c -m 644 ../../../doc/nft.8 '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/man/man8'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+Making install in examples
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+make[3]: No se hace nada para 'install-exec-am'.
+make[3]: No se hace nada para 'install-data-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+Making install in py
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[3]: No se hace nada para 'install-exec-am'.
+make[3]: No se hace nada para 'install-data-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[3]: No se hace nada para 'install-exec-am'.
+ /usr/bin/mkdir -p '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/pkgconfig'
+ /usr/bin/install -c -m 644 libnftables.pc '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/pkgconfig'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+Making installcheck in src
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+make[2]: No se hace nada para 'installcheck'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+Making installcheck in include
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+Making installcheck in linux
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+Making installcheck in netfilter
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+make[4]: No se hace nada para 'installcheck'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+Making installcheck in netfilter_arp
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+make[4]: No se hace nada para 'installcheck'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+Making installcheck in netfilter_bridge
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+make[4]: No se hace nada para 'installcheck'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+Making installcheck in netfilter_ipv4
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+make[4]: No se hace nada para 'installcheck'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+Making installcheck in netfilter_ipv6
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[4]: No se hace nada para 'installcheck'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[4]: No se hace nada para 'installcheck-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+Making installcheck in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[3]: No se hace nada para 'installcheck'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[3]: No se hace nada para 'installcheck-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+Making installcheck in files
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+Making installcheck in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+make[3]: No se hace nada para 'installcheck'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+Making installcheck in examples
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+make[3]: No se hace nada para 'installcheck'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+Making installcheck in osf
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[3]: No se hace nada para 'installcheck'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[3]: No se hace nada para 'installcheck-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+Making installcheck in doc
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+make[2]: No se hace nada para 'installcheck'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+Making installcheck in examples
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+make[2]: No se hace nada para 'installcheck'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+Making installcheck in py
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[2]: No se hace nada para 'installcheck'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[2]: No se hace nada para 'installcheck-am'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+Making uninstall in src
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+ /bin/bash ../libtool   --mode=uninstall rm -f '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/libnftables.la'
+libtool: uninstall: rm -f /tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/libnftables.la /tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/libnftables.so.1.1.0 /tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/libnftables.so.1 /tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/libnftables.so
+ ( cd '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/sbin' && rm -f nft )
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+Making uninstall in include
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+Making uninstall in linux
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+Making uninstall in netfilter
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+make[4]: No se hace nada para 'uninstall'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+Making uninstall in netfilter_arp
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+make[4]: No se hace nada para 'uninstall'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+Making uninstall in netfilter_bridge
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+make[4]: No se hace nada para 'uninstall'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+Making uninstall in netfilter_ipv4
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+make[4]: No se hace nada para 'uninstall'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+Making uninstall in netfilter_ipv6
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[4]: No se hace nada para 'uninstall'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[4]: No se hace nada para 'uninstall-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+Making uninstall in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+ ( cd '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/include/nftables' && rm -f libnftables.h )
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[3]: No se hace nada para 'uninstall-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+Making uninstall in files
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+Making uninstall in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+ ( cd '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/nftables' && rm -f all-in-one.nft arp-filter.nft bridge-filter.nft inet-filter.nft inet-nat.nft ipv4-filter.nft ipv4-mangle.nft ipv4-nat.nft ipv4-raw.nft ipv6-filter.nft ipv6-mangle.nft ipv6-nat.nft ipv6-raw.nft netdev-ingress.nft )
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+Making uninstall in examples
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+ ( cd '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/doc/nftables/examples' && rm -f ct_helpers.nft load_balancing.nft secmark.nft sets_and_maps.nft )
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+Making uninstall in osf
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+ ( cd '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/etc/nftables/osf' && rm -f pf.os )
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[3]: No se hace nada para 'uninstall-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+Making uninstall in doc
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+ ( cd '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/man/man3' && rm -f libnftables.3 )
+ ( cd '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/man/man5' && rm -f libnftables-json.5 )
+ ( cd '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/man/man8' && rm -f nft.8 )
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+Making uninstall in examples
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+make[2]: No se hace nada para 'uninstall'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+Making uninstall in py
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[2]: No se hace nada para 'uninstall'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+ ( cd '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/pkgconfig' && rm -f libnftables.pc )
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+Making install in src
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+make  install-am
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+ /usr/bin/mkdir -p '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib'
+ /bin/bash ../libtool   --mode=install /usr/bin/install -c   libnftables.la '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib'
+libtool: install: /usr/bin/install -c .libs/libnftables.so.1.1.0 /tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/libnftables.so.1.1.0
+libtool: install: (cd /tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib && { ln -s -f libnftables.so.1.1.0 libnftables.so.1 || { rm -f libnftables.so.1 && ln -s libnftables.so.1.1.0 libnftables.so.1; }; })
+libtool: install: (cd /tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib && { ln -s -f libnftables.so.1.1.0 libnftables.so || { rm -f libnftables.so && ln -s libnftables.so.1.1.0 libnftables.so; }; })
+libtool: install: /usr/bin/install -c .libs/libnftables.lai /tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/libnftables.la
+libtool: warning: remember to run 'libtool --finish /tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib'
+ /usr/bin/mkdir -p '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/sbin'
+  /bin/bash ../libtool   --mode=install /usr/bin/install -c nft '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/sbin'
+libtool: warning: 'libnftables.la' has not been installed in '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib'
+libtool: install: /usr/bin/install -c .libs/nft /tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/sbin/nft
+make[4]: No se hace nada para 'install-data-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+Making install in include
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+Making install in linux
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+Making install in netfilter
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+make[5]: No se hace nada para 'install-exec-am'.
+make[5]: No se hace nada para 'install-data-am'.
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+Making install in netfilter_arp
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+make[5]: No se hace nada para 'install-exec-am'.
+make[5]: No se hace nada para 'install-data-am'.
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+Making install in netfilter_bridge
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+make[5]: No se hace nada para 'install-exec-am'.
+make[5]: No se hace nada para 'install-data-am'.
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+Making install in netfilter_ipv4
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+make[5]: No se hace nada para 'install-exec-am'.
+make[5]: No se hace nada para 'install-data-am'.
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+Making install in netfilter_ipv6
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[5]: No se hace nada para 'install-exec-am'.
+make[5]: No se hace nada para 'install-data-am'.
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[5]: No se hace nada para 'install-exec-am'.
+make[5]: No se hace nada para 'install-data-am'.
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+Making install in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[4]: No se hace nada para 'install-exec-am'.
+ /usr/bin/mkdir -p '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/include/nftables'
+ /usr/bin/install -c -m 644 ../../../../include/nftables/libnftables.h '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/include/nftables'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[4]: No se hace nada para 'install-exec-am'.
+make[4]: No se hace nada para 'install-data-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+Making install in files
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+Making install in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+make[4]: No se hace nada para 'install-exec-am'.
+ /usr/bin/mkdir -p '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/nftables'
+ /usr/bin/install -c -m 644 ../../../../files/nftables/all-in-one.nft ../../../../files/nftables/arp-filter.nft ../../../../files/nftables/bridge-filter.nft ../../../../files/nftables/inet-filter.nft ../../../../files/nftables/inet-nat.nft ../../../../files/nftables/ipv4-filter.nft ../../../../files/nftables/ipv4-mangle.nft ../../../../files/nftables/ipv4-nat.nft ../../../../files/nftables/ipv4-raw.nft ../../../../files/nftables/ipv6-filter.nft ../../../../files/nftables/ipv6-mangle.nft ../../../../files/nftables/ipv6-nat.nft ../../../../files/nftables/ipv6-raw.nft ../../../../files/nftables/netdev-ingress.nft '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/nftables'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+Making install in examples
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+make[4]: No se hace nada para 'install-exec-am'.
+ /usr/bin/mkdir -p '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/doc/nftables/examples'
+ /usr/bin/install -c ../../../../files/examples/ct_helpers.nft ../../../../files/examples/load_balancing.nft ../../../../files/examples/secmark.nft ../../../../files/examples/sets_and_maps.nft '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/doc/nftables/examples'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+Making install in osf
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[4]: No se hace nada para 'install-exec-am'.
+ /usr/bin/mkdir -p '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/etc/nftables/osf'
+ /usr/bin/install -c -m 644 ../../../../files/osf/pf.os '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/etc/nftables/osf'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[4]: No se hace nada para 'install-exec-am'.
+make[4]: No se hace nada para 'install-data-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+Making install in doc
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+make[3]: No se hace nada para 'install-exec-am'.
+ /usr/bin/mkdir -p '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/man/man3'
+ /usr/bin/install -c -m 644 ../../../doc/libnftables.3 '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/man/man3'
+ /usr/bin/mkdir -p '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/man/man5'
+ /usr/bin/install -c -m 644 ../../../doc/libnftables-json.5 '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/man/man5'
+ /usr/bin/mkdir -p '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/man/man8'
+ /usr/bin/install -c -m 644 ../../../doc/nft.8 '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/man/man8'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+Making install in examples
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+make[3]: No se hace nada para 'install-exec-am'.
+make[3]: No se hace nada para 'install-data-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+Making install in py
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[3]: No se hace nada para 'install-exec-am'.
+make[3]: No se hace nada para 'install-data-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[3]: No se hace nada para 'install-exec-am'.
+ /usr/bin/mkdir -p '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/pkgconfig'
+ /usr/bin/install -c -m 644 libnftables.pc '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/pkgconfig'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+Making uninstall in src
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+ /bin/bash ../libtool   --mode=uninstall rm -f '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/libnftables.la'
+libtool: uninstall: rm -f /tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/libnftables.la /tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/libnftables.so.1.1.0 /tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/libnftables.so.1 /tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/libnftables.so
+ ( cd '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/sbin' && rm -f nft )
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+Making uninstall in include
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+Making uninstall in linux
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+Making uninstall in netfilter
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+make[4]: No se hace nada para 'uninstall'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+Making uninstall in netfilter_arp
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+make[4]: No se hace nada para 'uninstall'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+Making uninstall in netfilter_bridge
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+make[4]: No se hace nada para 'uninstall'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+Making uninstall in netfilter_ipv4
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+make[4]: No se hace nada para 'uninstall'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+Making uninstall in netfilter_ipv6
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[4]: No se hace nada para 'uninstall'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[4]: No se hace nada para 'uninstall-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+Making uninstall in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+ ( cd '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/include/nftables' && rm -f libnftables.h )
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[3]: No se hace nada para 'uninstall-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+Making uninstall in files
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+Making uninstall in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+ ( cd '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/nftables' && rm -f all-in-one.nft arp-filter.nft bridge-filter.nft inet-filter.nft inet-nat.nft ipv4-filter.nft ipv4-mangle.nft ipv4-nat.nft ipv4-raw.nft ipv6-filter.nft ipv6-mangle.nft ipv6-nat.nft ipv6-raw.nft netdev-ingress.nft )
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+Making uninstall in examples
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+ ( cd '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/doc/nftables/examples' && rm -f ct_helpers.nft load_balancing.nft secmark.nft sets_and_maps.nft )
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+Making uninstall in osf
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+ ( cd '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/etc/nftables/osf' && rm -f pf.os )
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[3]: No se hace nada para 'uninstall-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+Making uninstall in doc
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+ ( cd '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/man/man3' && rm -f libnftables.3 )
+ ( cd '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/man/man5' && rm -f libnftables-json.5 )
+ ( cd '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/share/man/man8' && rm -f nft.8 )
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+Making uninstall in examples
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+make[2]: No se hace nada para 'uninstall'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+Making uninstall in py
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[2]: No se hace nada para 'uninstall'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+ ( cd '/tmp/am-dc-9318//tmp/tmp.nspSLnT0EN/nftables-1.0.8/_inst/lib/pkgconfig' && rm -f libnftables.pc )
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make  dist-xz am__post_remove_distdir='@:'
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make  distdir-am
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+if test -d "nftables-1.0.8"; then find "nftables-1.0.8" -type d ! -perm -200 -exec chmod u+w {} ';' && rm -rf "nftables-1.0.8" || { sleep 5 && rm -rf "nftables-1.0.8"; }; else :; fi
+test -d "nftables-1.0.8" || mkdir "nftables-1.0.8"
+ (cd src && make  top_distdir=../nftables-1.0.8 distdir=../nftables-1.0.8/src \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+make  distdir-am
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+ (cd include && make  top_distdir=../nftables-1.0.8 distdir=../nftables-1.0.8/include \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make  distdir-am
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+ (cd linux && make  top_distdir=../../nftables-1.0.8 distdir=../../nftables-1.0.8/include/linux \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[6]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make  distdir-am
+make[7]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+ (cd netfilter && make  top_distdir=../../../nftables-1.0.8 distdir=../../../nftables-1.0.8/include/linux/netfilter \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[8]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+make  distdir-am
+make[9]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+make[9]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+make[8]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+ (cd netfilter_arp && make  top_distdir=../../../nftables-1.0.8 distdir=../../../nftables-1.0.8/include/linux/netfilter_arp \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[8]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+make  distdir-am
+make[9]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+make[9]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+make[8]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+ (cd netfilter_bridge && make  top_distdir=../../../nftables-1.0.8 distdir=../../../nftables-1.0.8/include/linux/netfilter_bridge \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[8]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+make  distdir-am
+make[9]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+make[9]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+make[8]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+ (cd netfilter_ipv4 && make  top_distdir=../../../nftables-1.0.8 distdir=../../../nftables-1.0.8/include/linux/netfilter_ipv4 \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[8]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+make  distdir-am
+make[9]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+make[9]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+make[8]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+ (cd netfilter_ipv6 && make  top_distdir=../../../nftables-1.0.8 distdir=../../../nftables-1.0.8/include/linux/netfilter_ipv6 \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[8]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make  distdir-am
+make[9]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[9]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[8]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[7]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+make[6]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+ (cd nftables && make  top_distdir=../../nftables-1.0.8 distdir=../../nftables-1.0.8/include/nftables \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[6]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make  distdir-am
+make[7]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[7]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[6]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+ (cd files && make  top_distdir=../nftables-1.0.8 distdir=../nftables-1.0.8/files \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make  distdir-am
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+ (cd nftables && make  top_distdir=../../nftables-1.0.8 distdir=../../nftables-1.0.8/files/nftables \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[6]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+make  distdir-am
+make[7]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+make[7]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+make[6]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+ (cd examples && make  top_distdir=../../nftables-1.0.8 distdir=../../nftables-1.0.8/files/examples \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[6]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+make  distdir-am
+make[7]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+make[7]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+make[6]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+ (cd osf && make  top_distdir=../../nftables-1.0.8 distdir=../../nftables-1.0.8/files/osf \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[6]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make  distdir-am
+make[7]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[7]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[6]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+ (cd doc && make  top_distdir=../nftables-1.0.8 distdir=../nftables-1.0.8/doc \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+make  distdir-am
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+ (cd examples && make  top_distdir=../nftables-1.0.8 distdir=../nftables-1.0.8/examples \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+make  distdir-am
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+ (cd py && make  top_distdir=../nftables-1.0.8 distdir=../nftables-1.0.8/py \
+     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make  distdir-am
+make[5]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[5]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+test -n "" \
+|| find "nftables-1.0.8" -type d ! -perm -755 \
+	-exec chmod u+rwx,go+rx {} \; -o \
+  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
+  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
+  ! -type d ! -perm -444 -exec /bin/bash /tmp/tmp.nspSLnT0EN/nftables-1.0.8/build-aux/install-sh -c -m a+r {} {} \; \
+|| chmod -R a+r "nftables-1.0.8"
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+tardir=nftables-1.0.8 && tar --format=posix -chf - "$tardir" | XZ_OPT=${XZ_OPT--e} xz -c >nftables-1.0.8.tar.xz
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+if test -d "nftables-1.0.8"; then find "nftables-1.0.8" -type d ! -perm -200 -exec chmod u+w {} ';' && rm -rf "nftables-1.0.8" || { sleep 5 && rm -rf "nftables-1.0.8"; }; else :; fi
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+Making distclean in src
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+test -z "libnftables.la" || rm -f libnftables.la
+rm -f ./so_locations
+rm -rf .libs _libs
+test -z "libparser.la " || rm -f libparser.la 
+rm -f ./so_locations
+ rm -f nft
+rm -f *.o
+rm -f *.lo
+rm -f *.tab.c
+test -z "" || rm -f 
+test . = "../../../src" || test -z "" || rm -f 
+rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+rm -f ./.deps/cache.Plo
+rm -f ./.deps/cli.Po
+rm -f ./.deps/cmd.Plo
+rm -f ./.deps/ct.Plo
+rm -f ./.deps/datatype.Plo
+rm -f ./.deps/dccpopt.Plo
+rm -f ./.deps/erec.Plo
+rm -f ./.deps/evaluate.Plo
+rm -f ./.deps/expression.Plo
+rm -f ./.deps/exthdr.Plo
+rm -f ./.deps/fib.Plo
+rm -f ./.deps/gmputil.Plo
+rm -f ./.deps/hash.Plo
+rm -f ./.deps/iface.Plo
+rm -f ./.deps/intervals.Plo
+rm -f ./.deps/ipopt.Plo
+rm -f ./.deps/json.Plo
+rm -f ./.deps/libminigmp_la-mini-gmp.Plo
+rm -f ./.deps/libnftables.Plo
+rm -f ./.deps/libparser_la-parser_bison.Plo
+rm -f ./.deps/libparser_la-scanner.Plo
+rm -f ./.deps/main.Po
+rm -f ./.deps/mergesort.Plo
+rm -f ./.deps/meta.Plo
+rm -f ./.deps/misspell.Plo
+rm -f ./.deps/mnl.Plo
+rm -f ./.deps/monitor.Plo
+rm -f ./.deps/netlink.Plo
+rm -f ./.deps/netlink_delinearize.Plo
+rm -f ./.deps/netlink_linearize.Plo
+rm -f ./.deps/nfnl_osf.Plo
+rm -f ./.deps/nftutils.Plo
+rm -f ./.deps/numgen.Plo
+rm -f ./.deps/optimize.Plo
+rm -f ./.deps/osf.Plo
+rm -f ./.deps/owner.Plo
+rm -f ./.deps/parser_json.Plo
+rm -f ./.deps/payload.Plo
+rm -f ./.deps/print.Plo
+rm -f ./.deps/proto.Plo
+rm -f ./.deps/rt.Plo
+rm -f ./.deps/rule.Plo
+rm -f ./.deps/sctp_chunk.Plo
+rm -f ./.deps/segtree.Plo
+rm -f ./.deps/socket.Plo
+rm -f ./.deps/statement.Plo
+rm -f ./.deps/tcpopt.Plo
+rm -f ./.deps/utils.Plo
+rm -f ./.deps/xfrm.Plo
+rm -f ./.deps/xt.Plo
+rm -f Makefile
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/src'
+Making distclean in include
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+Making distclean in linux
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+Making distclean in netfilter
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+rm -rf .libs _libs
+rm -f *.lo
+test -z "" || rm -f 
+test . = "../../../../../include/linux/netfilter" || test -z "" || rm -f 
+rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+rm -f Makefile
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter'
+Making distclean in netfilter_arp
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+rm -rf .libs _libs
+rm -f *.lo
+test -z "" || rm -f 
+test . = "../../../../../include/linux/netfilter_arp" || test -z "" || rm -f 
+rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+rm -f Makefile
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_arp'
+Making distclean in netfilter_bridge
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+rm -rf .libs _libs
+rm -f *.lo
+test -z "" || rm -f 
+test . = "../../../../../include/linux/netfilter_bridge" || test -z "" || rm -f 
+rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+rm -f Makefile
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_bridge'
+Making distclean in netfilter_ipv4
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+rm -rf .libs _libs
+rm -f *.lo
+test -z "" || rm -f 
+test . = "../../../../../include/linux/netfilter_ipv4" || test -z "" || rm -f 
+rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+rm -f Makefile
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv4'
+Making distclean in netfilter_ipv6
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+rm -rf .libs _libs
+rm -f *.lo
+test -z "" || rm -f 
+test . = "../../../../../include/linux/netfilter_ipv6" || test -z "" || rm -f 
+rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+rm -f Makefile
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux/netfilter_ipv6'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+rm -rf .libs _libs
+rm -f *.lo
+test -z "" || rm -f 
+test . = "../../../../include/linux" || test -z "" || rm -f 
+rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+rm -f Makefile
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/linux'
+Making distclean in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+rm -rf .libs _libs
+rm -f *.lo
+test -z "" || rm -f 
+test . = "../../../../include/nftables" || test -z "" || rm -f 
+rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+rm -f Makefile
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include/nftables'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+rm -rf .libs _libs
+rm -f *.lo
+test -z "" || rm -f 
+test . = "../../../include" || test -z "" || rm -f 
+rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+rm -f Makefile
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/include'
+Making distclean in files
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+Making distclean in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+rm -rf .libs _libs
+rm -f *.lo
+test -z "" || rm -f 
+test . = "../../../../files/nftables" || test -z "" || rm -f 
+rm -f Makefile
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/nftables'
+Making distclean in examples
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+rm -rf .libs _libs
+rm -f *.lo
+test -z "" || rm -f 
+test . = "../../../../files/examples" || test -z "" || rm -f 
+rm -f Makefile
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/examples'
+Making distclean in osf
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+rm -rf .libs _libs
+rm -f *.lo
+test -z "" || rm -f 
+test . = "../../../../files/osf" || test -z "" || rm -f 
+rm -f Makefile
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files/osf'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+rm -rf .libs _libs
+rm -f *.lo
+test -z "" || rm -f 
+test . = "../../../files" || test -z "" || rm -f 
+rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+rm -f Makefile
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/files'
+Making distclean in doc
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+test -z "*~" || rm -f *~
+rm -rf .libs _libs
+rm -f *.lo
+test -z "" || rm -f 
+test . = "../../../doc" || test -z "" || rm -f 
+rm -f Makefile
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/doc'
+Making distclean in examples
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+ rm -f nft-buffer nft-json-file
+rm -rf .libs _libs
+rm -f *.o
+rm -f *.lo
+rm -f *.tab.c
+test -z "" || rm -f 
+test . = "../../../examples" || test -z "" || rm -f 
+rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+rm -f ./.deps/nft-buffer.Po
+rm -f ./.deps/nft-json-file.Po
+rm -f Makefile
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/examples'
+Making distclean in py
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+rm -rf .libs _libs
+rm -f *.lo
+test -z "" || rm -f 
+test . = "../../../py" || test -z "" || rm -f 
+rm -f Makefile
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub/py'
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+rm -rf .libs _libs
+rm -f *.lo
+test -z "libnftables.pc" || rm -f libnftables.pc
+test . = "../.." || test -z "" || rm -f 
+rm -f config.h stamp-h1
+rm -f libtool config.lt
+rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+rm -f cscope.out cscope.in.out cscope.po.out cscope.files
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+rm -f config.status config.cache config.log configure.lineno config.status.lineno
+rm -f Makefile
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN/nftables-1.0.8/_build/sub'
+if test -d "nftables-1.0.8"; then find "nftables-1.0.8" -type d ! -perm -200 -exec chmod u+w {} ';' && rm -rf "nftables-1.0.8" || { sleep 5 && rm -rf "nftables-1.0.8"; }; else :; fi
+================================================
+nftables-1.0.8 archives ready for distribution: 
+nftables-1.0.8.tar.xz
+================================================
+checking for a BSD-compatible install... /usr/bin/install -c
+checking whether build environment is sane... yes
+checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
+checking for gawk... gawk
+checking whether make sets $(MAKE)... yes
+checking whether make supports nested variables... yes
+checking how to create a pax tar archive... gnutar
+checking whether make supports nested variables... (cached) yes
+checking for gcc... gcc
+checking whether the C compiler works... yes
+checking for C compiler default output file name... a.out
+checking for suffix of executables... 
+checking whether we are cross compiling... no
+checking for suffix of object files... o
+checking whether we are using the GNU C compiler... yes
+checking whether gcc accepts -g... yes
+checking for gcc option to accept ISO C89... none needed
+checking whether gcc understands -c and -o together... yes
+checking whether make supports the include directive... yes (GNU style)
+checking dependency style of gcc... gcc3
+checking how to run the C preprocessor... gcc -E
+checking for grep that handles long lines and -e... /usr/bin/grep
+checking for egrep... /usr/bin/grep -E
+checking for ANSI C header files... yes
+checking for sys/types.h... yes
+checking for sys/stat.h... yes
+checking for stdlib.h... yes
+checking for string.h... yes
+checking for memory.h... yes
+checking for strings.h... yes
+checking for inttypes.h... yes
+checking for stdint.h... yes
+checking for unistd.h... yes
+checking minix/config.h usability... no
+checking minix/config.h presence... no
+checking for minix/config.h... no
+checking whether it is safe to define __EXTENSIONS__... yes
+checking for a sed that does not truncate output... /usr/bin/sed
+checking for flex... flex
+checking lex output file root... lex.yy
+checking lex library... -lfl
+checking whether yytext is a pointer... yes
+checking for bison... bison -y
+checking for ar... ar
+checking the archiver (ar) interface... ar
+checking build system type... x86_64-pc-linux-gnu
+checking host system type... x86_64-pc-linux-gnu
+checking how to print strings... printf
+checking for a sed that does not truncate output... (cached) /usr/bin/sed
+checking for fgrep... /usr/bin/grep -F
+checking for ld used by gcc... /usr/bin/ld
+checking if the linker (/usr/bin/ld) is GNU ld... yes
+checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
+checking the name lister (/usr/bin/nm -B) interface... BSD nm
+checking whether ln -s works... yes
+checking the maximum length of command line arguments... 1572864
+checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
+checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
+checking for /usr/bin/ld option to reload object files... -r
+checking for objdump... objdump
+checking how to recognize dependent libraries... pass_all
+checking for dlltool... no
+checking how to associate runtime and link libraries... printf %s\n
+checking for archiver @FILE support... @
+checking for strip... strip
+checking for ranlib... ranlib
+checking command to parse /usr/bin/nm -B output from gcc object... ok
+checking for sysroot... no
+checking for a working dd... /usr/bin/dd
+checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
+checking for mt... mt
+checking if mt is a manifest tool... no
+checking for dlfcn.h... yes
+checking for objdir... .libs
+checking if gcc supports -fno-rtti -fno-exceptions... no
+checking for gcc option to produce PIC... -fPIC -DPIC
+checking if gcc PIC flag -fPIC -DPIC works... yes
+checking if gcc static flag -static works... yes
+checking if gcc supports -c -o file.o... yes
+checking if gcc supports -c -o file.o... (cached) yes
+checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
+checking whether -lc should be explicitly linked in... no
+checking dynamic linker characteristics... GNU/Linux ld.so
+checking how to hardcode library paths into programs... immediate
+checking whether stripping libraries is possible... yes
+checking if libtool supports shared libraries... yes
+checking whether to build shared libraries... yes
+checking whether to build static libraries... no
+checking whether compiler accepts -fvisibility=hidden... yes
+checking for a2x... a2x
+checking for pkg-config... /usr/bin/pkg-config
+checking pkg-config is at least version 0.9.0... yes
+checking for libmnl >= 1.0.4... yes
+checking for libnftnl >= 1.2.6... yes
+checking for __gmpz_init in -lgmp... yes
+checking whether getprotobyname_r is declared... yes
+checking whether getprotobynumber_r is declared... yes
+checking whether getservbyport_r is declared... yes
+checking that generated files are newer than configure... done
+configure: creating ./config.status
+config.status: creating Makefile
+config.status: creating libnftables.pc
+config.status: creating src/Makefile
+config.status: creating include/Makefile
+config.status: creating include/nftables/Makefile
+config.status: creating include/linux/Makefile
+config.status: creating include/linux/netfilter/Makefile
+config.status: creating include/linux/netfilter_arp/Makefile
+config.status: creating include/linux/netfilter_bridge/Makefile
+config.status: creating include/linux/netfilter_ipv4/Makefile
+config.status: creating include/linux/netfilter_ipv6/Makefile
+config.status: creating files/Makefile
+config.status: creating files/examples/Makefile
+config.status: creating files/nftables/Makefile
+config.status: creating files/osf/Makefile
+config.status: creating doc/Makefile
+config.status: creating py/Makefile
+config.status: creating examples/Makefile
+config.status: creating config.h
+config.status: executing depfiles commands
+config.status: executing libtool commands
+
+nft configuration:
+  cli support:			no
+  enable debugging symbols:	yes
+  use mini-gmp:			no
+  enable man page:              yes
+  libxtables support:		no
+  json output support:          no
+make  all-recursive
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN'
+Making all in src
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/src'
+make  all-am
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/src'
+  CC       main.o
+  CC       rule.lo
+  CC       statement.lo
+  CC       cache.lo
+  CC       cmd.lo
+  CC       datatype.lo
+  CC       expression.lo
+  CC       evaluate.lo
+  CC       proto.lo
+  CC       payload.lo
+  CC       exthdr.lo
+  CC       fib.lo
+  CC       hash.lo
+  CC       intervals.lo
+  CC       ipopt.lo
+  CC       meta.lo
+  CC       rt.lo
+  CC       numgen.lo
+  CC       ct.lo
+  CC       xfrm.lo
+  CC       netlink.lo
+  CC       netlink_linearize.lo
+  CC       netlink_delinearize.lo
+  CC       misspell.lo
+  CC       monitor.lo
+  CC       owner.lo
+  CC       segtree.lo
+  CC       gmputil.lo
+  CC       utils.lo
+  CC       nftutils.lo
+  CC       erec.lo
+  CC       mnl.lo
+  CC       iface.lo
+  CC       mergesort.lo
+  CC       optimize.lo
+  CC       osf.lo
+  CC       nfnl_osf.lo
+  CC       tcpopt.lo
+  CC       socket.lo
+  CC       print.lo
+  CC       sctp_chunk.lo
+  CC       dccpopt.lo
+  CC       libnftables.lo
+  CC       xt.lo
+  CC       libparser_la-parser_bison.lo
+  CC       libparser_la-scanner.lo
+  CCLD     libparser.la
+  CCLD     libnftables.la
+  CCLD     nft
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/src'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/src'
+Making all in include
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include'
+Making all in linux
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+Making all in netfilter
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+Making all in netfilter_arp
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+Making all in netfilter_bridge
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+Making all in netfilter_ipv4
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+Making all in netfilter_ipv6
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+make[4]: No se hace nada para 'all-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+Making all in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include'
+make[3]: No se hace nada para 'all-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include'
+Making all in files
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files'
+Making all in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+Making all in examples
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+Making all in osf
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files'
+make[3]: No se hace nada para 'all-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files'
+Making all in doc
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/doc'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/doc'
+Making all in examples
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/examples'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/examples'
+Making all in py
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/py'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/py'
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN'
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN'
+checking for a BSD-compatible install... /usr/bin/install -c
+checking whether build environment is sane... yes
+checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
+checking for gawk... gawk
+checking whether make sets $(MAKE)... yes
+checking whether make supports nested variables... yes
+checking how to create a pax tar archive... gnutar
+checking whether make supports nested variables... (cached) yes
+checking for gcc... gcc
+checking whether the C compiler works... yes
+checking for C compiler default output file name... a.out
+checking for suffix of executables... 
+checking whether we are cross compiling... no
+checking for suffix of object files... o
+checking whether we are using the GNU C compiler... yes
+checking whether gcc accepts -g... yes
+checking for gcc option to accept ISO C89... none needed
+checking whether gcc understands -c and -o together... yes
+checking whether make supports the include directive... yes (GNU style)
+checking dependency style of gcc... gcc3
+checking how to run the C preprocessor... gcc -E
+checking for grep that handles long lines and -e... /usr/bin/grep
+checking for egrep... /usr/bin/grep -E
+checking for ANSI C header files... yes
+checking for sys/types.h... yes
+checking for sys/stat.h... yes
+checking for stdlib.h... yes
+checking for string.h... yes
+checking for memory.h... yes
+checking for strings.h... yes
+checking for inttypes.h... yes
+checking for stdint.h... yes
+checking for unistd.h... yes
+checking minix/config.h usability... no
+checking minix/config.h presence... no
+checking for minix/config.h... no
+checking whether it is safe to define __EXTENSIONS__... yes
+checking for a sed that does not truncate output... /usr/bin/sed
+checking for flex... flex
+checking lex output file root... lex.yy
+checking lex library... -lfl
+checking whether yytext is a pointer... yes
+checking for bison... bison -y
+checking for ar... ar
+checking the archiver (ar) interface... ar
+checking build system type... x86_64-pc-linux-gnu
+checking host system type... x86_64-pc-linux-gnu
+checking how to print strings... printf
+checking for a sed that does not truncate output... (cached) /usr/bin/sed
+checking for fgrep... /usr/bin/grep -F
+checking for ld used by gcc... /usr/bin/ld
+checking if the linker (/usr/bin/ld) is GNU ld... yes
+checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
+checking the name lister (/usr/bin/nm -B) interface... BSD nm
+checking whether ln -s works... yes
+checking the maximum length of command line arguments... 1572864
+checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
+checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
+checking for /usr/bin/ld option to reload object files... -r
+checking for objdump... objdump
+checking how to recognize dependent libraries... pass_all
+checking for dlltool... no
+checking how to associate runtime and link libraries... printf %s\n
+checking for archiver @FILE support... @
+checking for strip... strip
+checking for ranlib... ranlib
+checking command to parse /usr/bin/nm -B output from gcc object... ok
+checking for sysroot... no
+checking for a working dd... /usr/bin/dd
+checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
+checking for mt... mt
+checking if mt is a manifest tool... no
+checking for dlfcn.h... yes
+checking for objdir... .libs
+checking if gcc supports -fno-rtti -fno-exceptions... no
+checking for gcc option to produce PIC... -fPIC -DPIC
+checking if gcc PIC flag -fPIC -DPIC works... yes
+checking if gcc static flag -static works... yes
+checking if gcc supports -c -o file.o... yes
+checking if gcc supports -c -o file.o... (cached) yes
+checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
+checking whether -lc should be explicitly linked in... no
+checking dynamic linker characteristics... GNU/Linux ld.so
+checking how to hardcode library paths into programs... immediate
+checking whether stripping libraries is possible... yes
+checking if libtool supports shared libraries... yes
+checking whether to build shared libraries... yes
+checking whether to build static libraries... no
+checking whether compiler accepts -fvisibility=hidden... yes
+checking for a2x... a2x
+checking for pkg-config... /usr/bin/pkg-config
+checking pkg-config is at least version 0.9.0... yes
+checking for libmnl >= 1.0.4... yes
+checking for libnftnl >= 1.2.6... yes
+checking for __gmpz_init in -lgmp... yes
+checking for linenoise in -llinenoise... no
+configure: error: No suitable version of linenoise found
+make  all-recursive
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN'
+Making all in src
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/src'
+make  all-am
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/src'
+make[3]: No se hace nada para 'all-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/src'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/src'
+Making all in include
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include'
+Making all in linux
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+Making all in netfilter
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+Making all in netfilter_arp
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+Making all in netfilter_bridge
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+Making all in netfilter_ipv4
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+Making all in netfilter_ipv6
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+make[4]: No se hace nada para 'all-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+Making all in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include'
+make[3]: No se hace nada para 'all-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include'
+Making all in files
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files'
+Making all in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+Making all in examples
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+Making all in osf
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files'
+make[3]: No se hace nada para 'all-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files'
+Making all in doc
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/doc'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/doc'
+Making all in examples
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/examples'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/examples'
+Making all in py
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/py'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/py'
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN'
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN'
+checking for a BSD-compatible install... /usr/bin/install -c
+checking whether build environment is sane... yes
+checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
+checking for gawk... gawk
+checking whether make sets $(MAKE)... yes
+checking whether make supports nested variables... yes
+checking how to create a pax tar archive... gnutar
+checking whether make supports nested variables... (cached) yes
+checking for gcc... gcc
+checking whether the C compiler works... yes
+checking for C compiler default output file name... a.out
+checking for suffix of executables... 
+checking whether we are cross compiling... no
+checking for suffix of object files... o
+checking whether we are using the GNU C compiler... yes
+checking whether gcc accepts -g... yes
+checking for gcc option to accept ISO C89... none needed
+checking whether gcc understands -c and -o together... yes
+checking whether make supports the include directive... yes (GNU style)
+checking dependency style of gcc... gcc3
+checking how to run the C preprocessor... gcc -E
+checking for grep that handles long lines and -e... /usr/bin/grep
+checking for egrep... /usr/bin/grep -E
+checking for ANSI C header files... yes
+checking for sys/types.h... yes
+checking for sys/stat.h... yes
+checking for stdlib.h... yes
+checking for string.h... yes
+checking for memory.h... yes
+checking for strings.h... yes
+checking for inttypes.h... yes
+checking for stdint.h... yes
+checking for unistd.h... yes
+checking minix/config.h usability... no
+checking minix/config.h presence... no
+checking for minix/config.h... no
+checking whether it is safe to define __EXTENSIONS__... yes
+checking for a sed that does not truncate output... /usr/bin/sed
+checking for flex... flex
+checking lex output file root... lex.yy
+checking lex library... -lfl
+checking whether yytext is a pointer... yes
+checking for bison... bison -y
+checking for ar... ar
+checking the archiver (ar) interface... ar
+checking build system type... x86_64-pc-linux-gnu
+checking host system type... x86_64-pc-linux-gnu
+checking how to print strings... printf
+checking for a sed that does not truncate output... (cached) /usr/bin/sed
+checking for fgrep... /usr/bin/grep -F
+checking for ld used by gcc... /usr/bin/ld
+checking if the linker (/usr/bin/ld) is GNU ld... yes
+checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
+checking the name lister (/usr/bin/nm -B) interface... BSD nm
+checking whether ln -s works... yes
+checking the maximum length of command line arguments... 1572864
+checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
+checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
+checking for /usr/bin/ld option to reload object files... -r
+checking for objdump... objdump
+checking how to recognize dependent libraries... pass_all
+checking for dlltool... no
+checking how to associate runtime and link libraries... printf %s\n
+checking for archiver @FILE support... @
+checking for strip... strip
+checking for ranlib... ranlib
+checking command to parse /usr/bin/nm -B output from gcc object... ok
+checking for sysroot... no
+checking for a working dd... /usr/bin/dd
+checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
+checking for mt... mt
+checking if mt is a manifest tool... no
+checking for dlfcn.h... yes
+checking for objdir... .libs
+checking if gcc supports -fno-rtti -fno-exceptions... no
+checking for gcc option to produce PIC... -fPIC -DPIC
+checking if gcc PIC flag -fPIC -DPIC works... yes
+checking if gcc static flag -static works... yes
+checking if gcc supports -c -o file.o... yes
+checking if gcc supports -c -o file.o... (cached) yes
+checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
+checking whether -lc should be explicitly linked in... no
+checking dynamic linker characteristics... GNU/Linux ld.so
+checking how to hardcode library paths into programs... immediate
+checking whether stripping libraries is possible... yes
+checking if libtool supports shared libraries... yes
+checking whether to build shared libraries... yes
+checking whether to build static libraries... no
+checking whether compiler accepts -fvisibility=hidden... yes
+checking for a2x... a2x
+checking for pkg-config... /usr/bin/pkg-config
+checking pkg-config is at least version 0.9.0... yes
+checking for libmnl >= 1.0.4... yes
+checking for libnftnl >= 1.2.6... yes
+checking for __gmpz_init in -lgmp... yes
+checking for readline in -ledit... yes
+checking whether getprotobyname_r is declared... yes
+checking whether getprotobynumber_r is declared... yes
+checking whether getservbyport_r is declared... yes
+checking that generated files are newer than configure... done
+configure: creating ./config.status
+config.status: creating Makefile
+config.status: creating libnftables.pc
+config.status: creating src/Makefile
+config.status: creating include/Makefile
+config.status: creating include/nftables/Makefile
+config.status: creating include/linux/Makefile
+config.status: creating include/linux/netfilter/Makefile
+config.status: creating include/linux/netfilter_arp/Makefile
+config.status: creating include/linux/netfilter_bridge/Makefile
+config.status: creating include/linux/netfilter_ipv4/Makefile
+config.status: creating include/linux/netfilter_ipv6/Makefile
+config.status: creating files/Makefile
+config.status: creating files/examples/Makefile
+config.status: creating files/nftables/Makefile
+config.status: creating files/osf/Makefile
+config.status: creating doc/Makefile
+config.status: creating py/Makefile
+config.status: creating examples/Makefile
+config.status: creating config.h
+config.status: executing depfiles commands
+config.status: executing libtool commands
+
+nft configuration:
+  cli support:			editline
+  enable debugging symbols:	yes
+  use mini-gmp:			no
+  enable man page:              yes
+  libxtables support:		no
+  json output support:          no
+make  all-recursive
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN'
+Making all in src
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/src'
+make  all-am
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/src'
+  CC       main.o
+  CC       cli.o
+  CC       rule.lo
+  CC       statement.lo
+  CC       cache.lo
+  CC       cmd.lo
+  CC       datatype.lo
+  CC       expression.lo
+  CC       evaluate.lo
+  CC       proto.lo
+  CC       payload.lo
+  CC       exthdr.lo
+  CC       fib.lo
+  CC       hash.lo
+  CC       intervals.lo
+  CC       ipopt.lo
+  CC       meta.lo
+  CC       rt.lo
+  CC       numgen.lo
+  CC       ct.lo
+  CC       xfrm.lo
+  CC       netlink.lo
+  CC       netlink_linearize.lo
+  CC       netlink_delinearize.lo
+  CC       misspell.lo
+  CC       monitor.lo
+  CC       owner.lo
+  CC       segtree.lo
+  CC       gmputil.lo
+  CC       utils.lo
+  CC       nftutils.lo
+  CC       erec.lo
+  CC       mnl.lo
+  CC       iface.lo
+  CC       mergesort.lo
+  CC       optimize.lo
+  CC       osf.lo
+  CC       nfnl_osf.lo
+  CC       tcpopt.lo
+  CC       socket.lo
+  CC       print.lo
+  CC       sctp_chunk.lo
+  CC       dccpopt.lo
+  CC       libnftables.lo
+  CC       xt.lo
+  CC       libparser_la-parser_bison.lo
+  CC       libparser_la-scanner.lo
+  CCLD     libparser.la
+  CCLD     libnftables.la
+  CCLD     nft
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/src'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/src'
+Making all in include
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include'
+Making all in linux
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+Making all in netfilter
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+Making all in netfilter_arp
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+Making all in netfilter_bridge
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+Making all in netfilter_ipv4
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+Making all in netfilter_ipv6
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+make[4]: No se hace nada para 'all-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+Making all in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include'
+make[3]: No se hace nada para 'all-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include'
+Making all in files
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files'
+Making all in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+Making all in examples
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+Making all in osf
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files'
+make[3]: No se hace nada para 'all-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files'
+Making all in doc
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/doc'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/doc'
+Making all in examples
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/examples'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/examples'
+Making all in py
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/py'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/py'
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN'
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN'
+checking for a BSD-compatible install... /usr/bin/install -c
+checking whether build environment is sane... yes
+checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
+checking for gawk... gawk
+checking whether make sets $(MAKE)... yes
+checking whether make supports nested variables... yes
+checking how to create a pax tar archive... gnutar
+checking whether make supports nested variables... (cached) yes
+checking for gcc... gcc
+checking whether the C compiler works... yes
+checking for C compiler default output file name... a.out
+checking for suffix of executables... 
+checking whether we are cross compiling... no
+checking for suffix of object files... o
+checking whether we are using the GNU C compiler... yes
+checking whether gcc accepts -g... yes
+checking for gcc option to accept ISO C89... none needed
+checking whether gcc understands -c and -o together... yes
+checking whether make supports the include directive... yes (GNU style)
+checking dependency style of gcc... gcc3
+checking how to run the C preprocessor... gcc -E
+checking for grep that handles long lines and -e... /usr/bin/grep
+checking for egrep... /usr/bin/grep -E
+checking for ANSI C header files... yes
+checking for sys/types.h... yes
+checking for sys/stat.h... yes
+checking for stdlib.h... yes
+checking for string.h... yes
+checking for memory.h... yes
+checking for strings.h... yes
+checking for inttypes.h... yes
+checking for stdint.h... yes
+checking for unistd.h... yes
+checking minix/config.h usability... no
+checking minix/config.h presence... no
+checking for minix/config.h... no
+checking whether it is safe to define __EXTENSIONS__... yes
+checking for a sed that does not truncate output... /usr/bin/sed
+checking for flex... flex
+checking lex output file root... lex.yy
+checking lex library... -lfl
+checking whether yytext is a pointer... yes
+checking for bison... bison -y
+checking for ar... ar
+checking the archiver (ar) interface... ar
+checking build system type... x86_64-pc-linux-gnu
+checking host system type... x86_64-pc-linux-gnu
+checking how to print strings... printf
+checking for a sed that does not truncate output... (cached) /usr/bin/sed
+checking for fgrep... /usr/bin/grep -F
+checking for ld used by gcc... /usr/bin/ld
+checking if the linker (/usr/bin/ld) is GNU ld... yes
+checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
+checking the name lister (/usr/bin/nm -B) interface... BSD nm
+checking whether ln -s works... yes
+checking the maximum length of command line arguments... 1572864
+checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
+checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
+checking for /usr/bin/ld option to reload object files... -r
+checking for objdump... objdump
+checking how to recognize dependent libraries... pass_all
+checking for dlltool... no
+checking how to associate runtime and link libraries... printf %s\n
+checking for archiver @FILE support... @
+checking for strip... strip
+checking for ranlib... ranlib
+checking command to parse /usr/bin/nm -B output from gcc object... ok
+checking for sysroot... no
+checking for a working dd... /usr/bin/dd
+checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
+checking for mt... mt
+checking if mt is a manifest tool... no
+checking for dlfcn.h... yes
+checking for objdir... .libs
+checking if gcc supports -fno-rtti -fno-exceptions... no
+checking for gcc option to produce PIC... -fPIC -DPIC
+checking if gcc PIC flag -fPIC -DPIC works... yes
+checking if gcc static flag -static works... yes
+checking if gcc supports -c -o file.o... yes
+checking if gcc supports -c -o file.o... (cached) yes
+checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
+checking whether -lc should be explicitly linked in... no
+checking dynamic linker characteristics... GNU/Linux ld.so
+checking how to hardcode library paths into programs... immediate
+checking whether stripping libraries is possible... yes
+checking if libtool supports shared libraries... yes
+checking whether to build shared libraries... yes
+checking whether to build static libraries... no
+checking whether compiler accepts -fvisibility=hidden... yes
+checking for a2x... a2x
+checking for pkg-config... /usr/bin/pkg-config
+checking pkg-config is at least version 0.9.0... yes
+checking for libmnl >= 1.0.4... yes
+checking for libnftnl >= 1.2.6... yes
+checking for __gmpz_init in -lgmp... yes
+checking for readline in -ledit... yes
+checking whether getprotobyname_r is declared... yes
+checking whether getprotobynumber_r is declared... yes
+checking whether getservbyport_r is declared... yes
+checking that generated files are newer than configure... done
+configure: creating ./config.status
+config.status: creating Makefile
+config.status: creating libnftables.pc
+config.status: creating src/Makefile
+config.status: creating include/Makefile
+config.status: creating include/nftables/Makefile
+config.status: creating include/linux/Makefile
+config.status: creating include/linux/netfilter/Makefile
+config.status: creating include/linux/netfilter_arp/Makefile
+config.status: creating include/linux/netfilter_bridge/Makefile
+config.status: creating include/linux/netfilter_ipv4/Makefile
+config.status: creating include/linux/netfilter_ipv6/Makefile
+config.status: creating files/Makefile
+config.status: creating files/examples/Makefile
+config.status: creating files/nftables/Makefile
+config.status: creating files/osf/Makefile
+config.status: creating doc/Makefile
+config.status: creating py/Makefile
+config.status: creating examples/Makefile
+config.status: creating config.h
+config.status: config.h is unchanged
+config.status: executing depfiles commands
+config.status: executing libtool commands
+
+nft configuration:
+  cli support:			editline
+  enable debugging symbols:	yes
+  use mini-gmp:			no
+  enable man page:              yes
+  libxtables support:		no
+  json output support:          no
+make  all-recursive
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN'
+Making all in src
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/src'
+make  all-am
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/src'
+make[3]: No se hace nada para 'all-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/src'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/src'
+Making all in include
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include'
+Making all in linux
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+Making all in netfilter
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+Making all in netfilter_arp
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+Making all in netfilter_bridge
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+Making all in netfilter_ipv4
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+Making all in netfilter_ipv6
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+make[4]: No se hace nada para 'all-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+Making all in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include'
+make[3]: No se hace nada para 'all-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include'
+Making all in files
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files'
+Making all in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+Making all in examples
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+Making all in osf
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files'
+make[3]: No se hace nada para 'all-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files'
+Making all in doc
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/doc'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/doc'
+Making all in examples
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/examples'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/examples'
+Making all in py
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/py'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/py'
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN'
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN'
+checking for a BSD-compatible install... /usr/bin/install -c
+checking whether build environment is sane... yes
+checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
+checking for gawk... gawk
+checking whether make sets $(MAKE)... yes
+checking whether make supports nested variables... yes
+checking how to create a pax tar archive... gnutar
+checking whether make supports nested variables... (cached) yes
+checking for gcc... gcc
+checking whether the C compiler works... yes
+checking for C compiler default output file name... a.out
+checking for suffix of executables... 
+checking whether we are cross compiling... no
+checking for suffix of object files... o
+checking whether we are using the GNU C compiler... yes
+checking whether gcc accepts -g... yes
+checking for gcc option to accept ISO C89... none needed
+checking whether gcc understands -c and -o together... yes
+checking whether make supports the include directive... yes (GNU style)
+checking dependency style of gcc... gcc3
+checking how to run the C preprocessor... gcc -E
+checking for grep that handles long lines and -e... /usr/bin/grep
+checking for egrep... /usr/bin/grep -E
+checking for ANSI C header files... yes
+checking for sys/types.h... yes
+checking for sys/stat.h... yes
+checking for stdlib.h... yes
+checking for string.h... yes
+checking for memory.h... yes
+checking for strings.h... yes
+checking for inttypes.h... yes
+checking for stdint.h... yes
+checking for unistd.h... yes
+checking minix/config.h usability... no
+checking minix/config.h presence... no
+checking for minix/config.h... no
+checking whether it is safe to define __EXTENSIONS__... yes
+checking for a sed that does not truncate output... /usr/bin/sed
+checking for flex... flex
+checking lex output file root... lex.yy
+checking lex library... -lfl
+checking whether yytext is a pointer... yes
+checking for bison... bison -y
+checking for ar... ar
+checking the archiver (ar) interface... ar
+checking build system type... x86_64-pc-linux-gnu
+checking host system type... x86_64-pc-linux-gnu
+checking how to print strings... printf
+checking for a sed that does not truncate output... (cached) /usr/bin/sed
+checking for fgrep... /usr/bin/grep -F
+checking for ld used by gcc... /usr/bin/ld
+checking if the linker (/usr/bin/ld) is GNU ld... yes
+checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
+checking the name lister (/usr/bin/nm -B) interface... BSD nm
+checking whether ln -s works... yes
+checking the maximum length of command line arguments... 1572864
+checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
+checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
+checking for /usr/bin/ld option to reload object files... -r
+checking for objdump... objdump
+checking how to recognize dependent libraries... pass_all
+checking for dlltool... no
+checking how to associate runtime and link libraries... printf %s\n
+checking for archiver @FILE support... @
+checking for strip... strip
+checking for ranlib... ranlib
+checking command to parse /usr/bin/nm -B output from gcc object... ok
+checking for sysroot... no
+checking for a working dd... /usr/bin/dd
+checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
+checking for mt... mt
+checking if mt is a manifest tool... no
+checking for dlfcn.h... yes
+checking for objdir... .libs
+checking if gcc supports -fno-rtti -fno-exceptions... no
+checking for gcc option to produce PIC... -fPIC -DPIC
+checking if gcc PIC flag -fPIC -DPIC works... yes
+checking if gcc static flag -static works... yes
+checking if gcc supports -c -o file.o... yes
+checking if gcc supports -c -o file.o... (cached) yes
+checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
+checking whether -lc should be explicitly linked in... no
+checking dynamic linker characteristics... GNU/Linux ld.so
+checking how to hardcode library paths into programs... immediate
+checking whether stripping libraries is possible... yes
+checking if libtool supports shared libraries... yes
+checking whether to build shared libraries... yes
+checking whether to build static libraries... no
+checking whether compiler accepts -fvisibility=hidden... yes
+checking for a2x... a2x
+checking for pkg-config... /usr/bin/pkg-config
+checking pkg-config is at least version 0.9.0... yes
+checking for libmnl >= 1.0.4... yes
+checking for libnftnl >= 1.2.6... yes
+checking for readline in -ledit... yes
+checking whether getprotobyname_r is declared... yes
+checking whether getprotobynumber_r is declared... yes
+checking whether getservbyport_r is declared... yes
+checking that generated files are newer than configure... done
+configure: creating ./config.status
+config.status: creating Makefile
+config.status: creating libnftables.pc
+config.status: creating src/Makefile
+config.status: creating include/Makefile
+config.status: creating include/nftables/Makefile
+config.status: creating include/linux/Makefile
+config.status: creating include/linux/netfilter/Makefile
+config.status: creating include/linux/netfilter_arp/Makefile
+config.status: creating include/linux/netfilter_bridge/Makefile
+config.status: creating include/linux/netfilter_ipv4/Makefile
+config.status: creating include/linux/netfilter_ipv6/Makefile
+config.status: creating files/Makefile
+config.status: creating files/examples/Makefile
+config.status: creating files/nftables/Makefile
+config.status: creating files/osf/Makefile
+config.status: creating doc/Makefile
+config.status: creating py/Makefile
+config.status: creating examples/Makefile
+config.status: creating config.h
+config.status: executing depfiles commands
+config.status: executing libtool commands
+
+nft configuration:
+  cli support:			editline
+  enable debugging symbols:	yes
+  use mini-gmp:			yes
+  enable man page:              yes
+  libxtables support:		no
+  json output support:          no
+make  all-recursive
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN'
+Making all in src
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/src'
+make  all-am
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/src'
+  CC       main.o
+  CC       cli.o
+  CC       rule.lo
+  CC       statement.lo
+  CC       cache.lo
+  CC       cmd.lo
+  CC       datatype.lo
+  CC       expression.lo
+  CC       evaluate.lo
+  CC       proto.lo
+  CC       payload.lo
+  CC       exthdr.lo
+  CC       fib.lo
+  CC       hash.lo
+  CC       intervals.lo
+  CC       ipopt.lo
+  CC       meta.lo
+  CC       rt.lo
+  CC       numgen.lo
+  CC       ct.lo
+  CC       xfrm.lo
+  CC       netlink.lo
+  CC       netlink_linearize.lo
+  CC       netlink_delinearize.lo
+  CC       misspell.lo
+  CC       monitor.lo
+  CC       owner.lo
+  CC       segtree.lo
+  CC       gmputil.lo
+  CC       utils.lo
+  CC       nftutils.lo
+  CC       erec.lo
+  CC       mnl.lo
+  CC       iface.lo
+  CC       mergesort.lo
+  CC       optimize.lo
+  CC       osf.lo
+  CC       nfnl_osf.lo
+  CC       tcpopt.lo
+  CC       socket.lo
+  CC       print.lo
+  CC       sctp_chunk.lo
+  CC       dccpopt.lo
+  CC       libnftables.lo
+  CC       xt.lo
+  CC       libparser_la-parser_bison.lo
+  CC       libparser_la-scanner.lo
+  CC       libminigmp_la-mini-gmp.lo
+  CCLD     libminigmp.la
+  CCLD     libparser.la
+  CCLD     libnftables.la
+  CCLD     nft
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/src'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/src'
+Making all in include
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include'
+Making all in linux
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+Making all in netfilter
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+Making all in netfilter_arp
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+Making all in netfilter_bridge
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+Making all in netfilter_ipv4
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+Making all in netfilter_ipv6
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+make[4]: No se hace nada para 'all-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+Making all in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include'
+make[3]: No se hace nada para 'all-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include'
+Making all in files
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files'
+Making all in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+Making all in examples
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+Making all in osf
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files'
+make[3]: No se hace nada para 'all-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files'
+Making all in doc
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/doc'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/doc'
+Making all in examples
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/examples'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/examples'
+Making all in py
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/py'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/py'
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN'
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN'
+checking for a BSD-compatible install... /usr/bin/install -c
+checking whether build environment is sane... yes
+checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
+checking for gawk... gawk
+checking whether make sets $(MAKE)... yes
+checking whether make supports nested variables... yes
+checking how to create a pax tar archive... gnutar
+checking whether make supports nested variables... (cached) yes
+checking for gcc... gcc
+checking whether the C compiler works... yes
+checking for C compiler default output file name... a.out
+checking for suffix of executables... 
+checking whether we are cross compiling... no
+checking for suffix of object files... o
+checking whether we are using the GNU C compiler... yes
+checking whether gcc accepts -g... yes
+checking for gcc option to accept ISO C89... none needed
+checking whether gcc understands -c and -o together... yes
+checking whether make supports the include directive... yes (GNU style)
+checking dependency style of gcc... gcc3
+checking how to run the C preprocessor... gcc -E
+checking for grep that handles long lines and -e... /usr/bin/grep
+checking for egrep... /usr/bin/grep -E
+checking for ANSI C header files... yes
+checking for sys/types.h... yes
+checking for sys/stat.h... yes
+checking for stdlib.h... yes
+checking for string.h... yes
+checking for memory.h... yes
+checking for strings.h... yes
+checking for inttypes.h... yes
+checking for stdint.h... yes
+checking for unistd.h... yes
+checking minix/config.h usability... no
+checking minix/config.h presence... no
+checking for minix/config.h... no
+checking whether it is safe to define __EXTENSIONS__... yes
+checking for a sed that does not truncate output... /usr/bin/sed
+checking for flex... flex
+checking lex output file root... lex.yy
+checking lex library... -lfl
+checking whether yytext is a pointer... yes
+checking for bison... bison -y
+checking for ar... ar
+checking the archiver (ar) interface... ar
+checking build system type... x86_64-pc-linux-gnu
+checking host system type... x86_64-pc-linux-gnu
+checking how to print strings... printf
+checking for a sed that does not truncate output... (cached) /usr/bin/sed
+checking for fgrep... /usr/bin/grep -F
+checking for ld used by gcc... /usr/bin/ld
+checking if the linker (/usr/bin/ld) is GNU ld... yes
+checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
+checking the name lister (/usr/bin/nm -B) interface... BSD nm
+checking whether ln -s works... yes
+checking the maximum length of command line arguments... 1572864
+checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
+checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
+checking for /usr/bin/ld option to reload object files... -r
+checking for objdump... objdump
+checking how to recognize dependent libraries... pass_all
+checking for dlltool... no
+checking how to associate runtime and link libraries... printf %s\n
+checking for archiver @FILE support... @
+checking for strip... strip
+checking for ranlib... ranlib
+checking command to parse /usr/bin/nm -B output from gcc object... ok
+checking for sysroot... no
+checking for a working dd... /usr/bin/dd
+checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
+checking for mt... mt
+checking if mt is a manifest tool... no
+checking for dlfcn.h... yes
+checking for objdir... .libs
+checking if gcc supports -fno-rtti -fno-exceptions... no
+checking for gcc option to produce PIC... -fPIC -DPIC
+checking if gcc PIC flag -fPIC -DPIC works... yes
+checking if gcc static flag -static works... yes
+checking if gcc supports -c -o file.o... yes
+checking if gcc supports -c -o file.o... (cached) yes
+checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
+checking whether -lc should be explicitly linked in... no
+checking dynamic linker characteristics... GNU/Linux ld.so
+checking how to hardcode library paths into programs... immediate
+checking whether stripping libraries is possible... yes
+checking if libtool supports shared libraries... yes
+checking whether to build shared libraries... yes
+checking whether to build static libraries... no
+checking whether compiler accepts -fvisibility=hidden... yes
+checking for a2x... a2x
+checking for pkg-config... /usr/bin/pkg-config
+checking pkg-config is at least version 0.9.0... yes
+checking for libmnl >= 1.0.4... yes
+checking for libnftnl >= 1.2.6... yes
+checking for __gmpz_init in -lgmp... yes
+checking for readline in -ledit... yes
+checking whether getprotobyname_r is declared... yes
+checking whether getprotobynumber_r is declared... yes
+checking whether getservbyport_r is declared... yes
+checking that generated files are newer than configure... done
+configure: creating ./config.status
+config.status: creating Makefile
+config.status: creating libnftables.pc
+config.status: creating src/Makefile
+config.status: creating include/Makefile
+config.status: creating include/nftables/Makefile
+config.status: creating include/linux/Makefile
+config.status: creating include/linux/netfilter/Makefile
+config.status: creating include/linux/netfilter_arp/Makefile
+config.status: creating include/linux/netfilter_bridge/Makefile
+config.status: creating include/linux/netfilter_ipv4/Makefile
+config.status: creating include/linux/netfilter_ipv6/Makefile
+config.status: creating files/Makefile
+config.status: creating files/examples/Makefile
+config.status: creating files/nftables/Makefile
+config.status: creating files/osf/Makefile
+config.status: creating doc/Makefile
+config.status: creating py/Makefile
+config.status: creating examples/Makefile
+config.status: creating config.h
+config.status: executing depfiles commands
+config.status: executing libtool commands
+
+nft configuration:
+  cli support:			editline
+  enable debugging symbols:	yes
+  use mini-gmp:			no
+  enable man page:              yes
+  libxtables support:		no
+  json output support:          no
+make  all-recursive
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN'
+Making all in src
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/src'
+make  all-am
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/src'
+  CC       main.o
+  CC       cli.o
+  CC       rule.lo
+  CC       statement.lo
+  CC       cache.lo
+  CC       cmd.lo
+  CC       datatype.lo
+  CC       expression.lo
+  CC       evaluate.lo
+  CC       proto.lo
+  CC       payload.lo
+  CC       exthdr.lo
+  CC       fib.lo
+  CC       hash.lo
+  CC       intervals.lo
+  CC       ipopt.lo
+  CC       meta.lo
+  CC       rt.lo
+  CC       numgen.lo
+  CC       ct.lo
+  CC       xfrm.lo
+  CC       netlink.lo
+  CC       netlink_linearize.lo
+  CC       netlink_delinearize.lo
+  CC       misspell.lo
+  CC       monitor.lo
+  CC       owner.lo
+  CC       segtree.lo
+  CC       gmputil.lo
+  CC       utils.lo
+  CC       nftutils.lo
+  CC       erec.lo
+  CC       mnl.lo
+  CC       iface.lo
+  CC       mergesort.lo
+  CC       optimize.lo
+  CC       osf.lo
+  CC       nfnl_osf.lo
+  CC       tcpopt.lo
+  CC       socket.lo
+  CC       print.lo
+  CC       sctp_chunk.lo
+  CC       dccpopt.lo
+  CC       libnftables.lo
+  CC       xt.lo
+  CC       libparser_la-parser_bison.lo
+  CC       libparser_la-scanner.lo
+  CCLD     libparser.la
+  CCLD     libnftables.la
+  CCLD     nft
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/src'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/src'
+Making all in include
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include'
+Making all in linux
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+Making all in netfilter
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+Making all in netfilter_arp
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+Making all in netfilter_bridge
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+Making all in netfilter_ipv4
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+Making all in netfilter_ipv6
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+make[4]: No se hace nada para 'all-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+Making all in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include'
+make[3]: No se hace nada para 'all-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include'
+Making all in files
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files'
+Making all in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+Making all in examples
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+Making all in osf
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files'
+make[3]: No se hace nada para 'all-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files'
+Making all in doc
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/doc'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/doc'
+Making all in examples
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/examples'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/examples'
+Making all in py
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/py'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/py'
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN'
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN'
+checking for a BSD-compatible install... /usr/bin/install -c
+checking whether build environment is sane... yes
+checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
+checking for gawk... gawk
+checking whether make sets $(MAKE)... yes
+checking whether make supports nested variables... yes
+checking how to create a pax tar archive... gnutar
+checking whether make supports nested variables... (cached) yes
+checking for gcc... gcc
+checking whether the C compiler works... yes
+checking for C compiler default output file name... a.out
+checking for suffix of executables... 
+checking whether we are cross compiling... no
+checking for suffix of object files... o
+checking whether we are using the GNU C compiler... yes
+checking whether gcc accepts -g... yes
+checking for gcc option to accept ISO C89... none needed
+checking whether gcc understands -c and -o together... yes
+checking whether make supports the include directive... yes (GNU style)
+checking dependency style of gcc... gcc3
+checking how to run the C preprocessor... gcc -E
+checking for grep that handles long lines and -e... /usr/bin/grep
+checking for egrep... /usr/bin/grep -E
+checking for ANSI C header files... yes
+checking for sys/types.h... yes
+checking for sys/stat.h... yes
+checking for stdlib.h... yes
+checking for string.h... yes
+checking for memory.h... yes
+checking for strings.h... yes
+checking for inttypes.h... yes
+checking for stdint.h... yes
+checking for unistd.h... yes
+checking minix/config.h usability... no
+checking minix/config.h presence... no
+checking for minix/config.h... no
+checking whether it is safe to define __EXTENSIONS__... yes
+checking for a sed that does not truncate output... /usr/bin/sed
+checking for flex... flex
+checking lex output file root... lex.yy
+checking lex library... -lfl
+checking whether yytext is a pointer... yes
+checking for bison... bison -y
+checking for ar... ar
+checking the archiver (ar) interface... ar
+checking build system type... x86_64-pc-linux-gnu
+checking host system type... x86_64-pc-linux-gnu
+checking how to print strings... printf
+checking for a sed that does not truncate output... (cached) /usr/bin/sed
+checking for fgrep... /usr/bin/grep -F
+checking for ld used by gcc... /usr/bin/ld
+checking if the linker (/usr/bin/ld) is GNU ld... yes
+checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
+checking the name lister (/usr/bin/nm -B) interface... BSD nm
+checking whether ln -s works... yes
+checking the maximum length of command line arguments... 1572864
+checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
+checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
+checking for /usr/bin/ld option to reload object files... -r
+checking for objdump... objdump
+checking how to recognize dependent libraries... pass_all
+checking for dlltool... no
+checking how to associate runtime and link libraries... printf %s\n
+checking for archiver @FILE support... @
+checking for strip... strip
+checking for ranlib... ranlib
+checking command to parse /usr/bin/nm -B output from gcc object... ok
+checking for sysroot... no
+checking for a working dd... /usr/bin/dd
+checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
+checking for mt... mt
+checking if mt is a manifest tool... no
+checking for dlfcn.h... yes
+checking for objdir... .libs
+checking if gcc supports -fno-rtti -fno-exceptions... no
+checking for gcc option to produce PIC... -fPIC -DPIC
+checking if gcc PIC flag -fPIC -DPIC works... yes
+checking if gcc static flag -static works... yes
+checking if gcc supports -c -o file.o... yes
+checking if gcc supports -c -o file.o... (cached) yes
+checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
+checking whether -lc should be explicitly linked in... no
+checking dynamic linker characteristics... GNU/Linux ld.so
+checking how to hardcode library paths into programs... immediate
+checking whether stripping libraries is possible... yes
+checking if libtool supports shared libraries... yes
+checking whether to build shared libraries... yes
+checking whether to build static libraries... no
+checking whether compiler accepts -fvisibility=hidden... yes
+checking for a2x... a2x
+checking for pkg-config... /usr/bin/pkg-config
+checking pkg-config is at least version 0.9.0... yes
+checking for libmnl >= 1.0.4... yes
+checking for libnftnl >= 1.2.6... yes
+checking for __gmpz_init in -lgmp... yes
+checking for readline in -ledit... yes
+checking for xtables >= 1.6.1... yes
+checking whether getprotobyname_r is declared... yes
+checking whether getprotobynumber_r is declared... yes
+checking whether getservbyport_r is declared... yes
+checking that generated files are newer than configure... done
+configure: creating ./config.status
+config.status: creating Makefile
+config.status: creating libnftables.pc
+config.status: creating src/Makefile
+config.status: creating include/Makefile
+config.status: creating include/nftables/Makefile
+config.status: creating include/linux/Makefile
+config.status: creating include/linux/netfilter/Makefile
+config.status: creating include/linux/netfilter_arp/Makefile
+config.status: creating include/linux/netfilter_bridge/Makefile
+config.status: creating include/linux/netfilter_ipv4/Makefile
+config.status: creating include/linux/netfilter_ipv6/Makefile
+config.status: creating files/Makefile
+config.status: creating files/examples/Makefile
+config.status: creating files/nftables/Makefile
+config.status: creating files/osf/Makefile
+config.status: creating doc/Makefile
+config.status: creating py/Makefile
+config.status: creating examples/Makefile
+config.status: creating config.h
+config.status: executing depfiles commands
+config.status: executing libtool commands
+
+nft configuration:
+  cli support:			editline
+  enable debugging symbols:	yes
+  use mini-gmp:			no
+  enable man page:              yes
+  libxtables support:		yes
+  json output support:          no
+make  all-recursive
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN'
+Making all in src
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/src'
+make  all-am
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/src'
+  CC       main.o
+  CC       cli.o
+  CC       rule.lo
+  CC       statement.lo
+  CC       cache.lo
+  CC       cmd.lo
+  CC       datatype.lo
+  CC       expression.lo
+  CC       evaluate.lo
+  CC       proto.lo
+  CC       payload.lo
+  CC       exthdr.lo
+  CC       fib.lo
+  CC       hash.lo
+  CC       intervals.lo
+  CC       ipopt.lo
+  CC       meta.lo
+  CC       rt.lo
+  CC       numgen.lo
+  CC       ct.lo
+  CC       xfrm.lo
+  CC       netlink.lo
+  CC       netlink_linearize.lo
+  CC       netlink_delinearize.lo
+  CC       misspell.lo
+  CC       monitor.lo
+  CC       owner.lo
+  CC       segtree.lo
+  CC       gmputil.lo
+  CC       utils.lo
+  CC       nftutils.lo
+  CC       erec.lo
+  CC       mnl.lo
+  CC       iface.lo
+  CC       mergesort.lo
+  CC       optimize.lo
+  CC       osf.lo
+  CC       nfnl_osf.lo
+  CC       tcpopt.lo
+  CC       socket.lo
+  CC       print.lo
+  CC       sctp_chunk.lo
+  CC       dccpopt.lo
+  CC       libnftables.lo
+  CC       xt.lo
+  CC       libparser_la-parser_bison.lo
+  CC       libparser_la-scanner.lo
+  CCLD     libparser.la
+  CCLD     libnftables.la
+  CCLD     nft
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/src'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/src'
+Making all in include
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include'
+Making all in linux
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+Making all in netfilter
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+Making all in netfilter_arp
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+Making all in netfilter_bridge
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+Making all in netfilter_ipv4
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+Making all in netfilter_ipv6
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+make[4]: No se hace nada para 'all-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+Making all in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include'
+make[3]: No se hace nada para 'all-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include'
+Making all in files
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files'
+Making all in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+Making all in examples
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+Making all in osf
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files'
+make[3]: No se hace nada para 'all-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files'
+Making all in doc
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/doc'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/doc'
+Making all in examples
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/examples'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/examples'
+Making all in py
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/py'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/py'
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN'
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN'
+checking for a BSD-compatible install... /usr/bin/install -c
+checking whether build environment is sane... yes
+checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
+checking for gawk... gawk
+checking whether make sets $(MAKE)... yes
+checking whether make supports nested variables... yes
+checking how to create a pax tar archive... gnutar
+checking whether make supports nested variables... (cached) yes
+checking for gcc... gcc
+checking whether the C compiler works... yes
+checking for C compiler default output file name... a.out
+checking for suffix of executables... 
+checking whether we are cross compiling... no
+checking for suffix of object files... o
+checking whether we are using the GNU C compiler... yes
+checking whether gcc accepts -g... yes
+checking for gcc option to accept ISO C89... none needed
+checking whether gcc understands -c and -o together... yes
+checking whether make supports the include directive... yes (GNU style)
+checking dependency style of gcc... gcc3
+checking how to run the C preprocessor... gcc -E
+checking for grep that handles long lines and -e... /usr/bin/grep
+checking for egrep... /usr/bin/grep -E
+checking for ANSI C header files... yes
+checking for sys/types.h... yes
+checking for sys/stat.h... yes
+checking for stdlib.h... yes
+checking for string.h... yes
+checking for memory.h... yes
+checking for strings.h... yes
+checking for inttypes.h... yes
+checking for stdint.h... yes
+checking for unistd.h... yes
+checking minix/config.h usability... no
+checking minix/config.h presence... no
+checking for minix/config.h... no
+checking whether it is safe to define __EXTENSIONS__... yes
+checking for a sed that does not truncate output... /usr/bin/sed
+checking for flex... flex
+checking lex output file root... lex.yy
+checking lex library... -lfl
+checking whether yytext is a pointer... yes
+checking for bison... bison -y
+checking for ar... ar
+checking the archiver (ar) interface... ar
+checking build system type... x86_64-pc-linux-gnu
+checking host system type... x86_64-pc-linux-gnu
+checking how to print strings... printf
+checking for a sed that does not truncate output... (cached) /usr/bin/sed
+checking for fgrep... /usr/bin/grep -F
+checking for ld used by gcc... /usr/bin/ld
+checking if the linker (/usr/bin/ld) is GNU ld... yes
+checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
+checking the name lister (/usr/bin/nm -B) interface... BSD nm
+checking whether ln -s works... yes
+checking the maximum length of command line arguments... 1572864
+checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
+checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
+checking for /usr/bin/ld option to reload object files... -r
+checking for objdump... objdump
+checking how to recognize dependent libraries... pass_all
+checking for dlltool... no
+checking how to associate runtime and link libraries... printf %s\n
+checking for archiver @FILE support... @
+checking for strip... strip
+checking for ranlib... ranlib
+checking command to parse /usr/bin/nm -B output from gcc object... ok
+checking for sysroot... no
+checking for a working dd... /usr/bin/dd
+checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
+checking for mt... mt
+checking if mt is a manifest tool... no
+checking for dlfcn.h... yes
+checking for objdir... .libs
+checking if gcc supports -fno-rtti -fno-exceptions... no
+checking for gcc option to produce PIC... -fPIC -DPIC
+checking if gcc PIC flag -fPIC -DPIC works... yes
+checking if gcc static flag -static works... yes
+checking if gcc supports -c -o file.o... yes
+checking if gcc supports -c -o file.o... (cached) yes
+checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
+checking whether -lc should be explicitly linked in... no
+checking dynamic linker characteristics... GNU/Linux ld.so
+checking how to hardcode library paths into programs... immediate
+checking whether stripping libraries is possible... yes
+checking if libtool supports shared libraries... yes
+checking whether to build shared libraries... yes
+checking whether to build static libraries... no
+checking whether compiler accepts -fvisibility=hidden... yes
+checking for a2x... a2x
+checking for pkg-config... /usr/bin/pkg-config
+checking pkg-config is at least version 0.9.0... yes
+checking for libmnl >= 1.0.4... yes
+checking for libnftnl >= 1.2.6... yes
+checking for __gmpz_init in -lgmp... yes
+checking for readline in -ledit... yes
+checking for json_object in -ljansson... yes
+checking whether getprotobyname_r is declared... yes
+checking whether getprotobynumber_r is declared... yes
+checking whether getservbyport_r is declared... yes
+checking that generated files are newer than configure... done
+configure: creating ./config.status
+config.status: creating Makefile
+config.status: creating libnftables.pc
+config.status: creating src/Makefile
+config.status: creating include/Makefile
+config.status: creating include/nftables/Makefile
+config.status: creating include/linux/Makefile
+config.status: creating include/linux/netfilter/Makefile
+config.status: creating include/linux/netfilter_arp/Makefile
+config.status: creating include/linux/netfilter_bridge/Makefile
+config.status: creating include/linux/netfilter_ipv4/Makefile
+config.status: creating include/linux/netfilter_ipv6/Makefile
+config.status: creating files/Makefile
+config.status: creating files/examples/Makefile
+config.status: creating files/nftables/Makefile
+config.status: creating files/osf/Makefile
+config.status: creating doc/Makefile
+config.status: creating py/Makefile
+config.status: creating examples/Makefile
+config.status: creating config.h
+config.status: executing depfiles commands
+config.status: executing libtool commands
+
+nft configuration:
+  cli support:			editline
+  enable debugging symbols:	yes
+  use mini-gmp:			no
+  enable man page:              yes
+  libxtables support:		no
+  json output support:          yes
+make  all-recursive
+make[1]: se entra en el directorio '/tmp/tmp.nspSLnT0EN'
+Making all in src
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/src'
+make  all-am
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/src'
+  CC       main.o
+  CC       cli.o
+  CC       rule.lo
+  CC       statement.lo
+  CC       cache.lo
+  CC       cmd.lo
+  CC       datatype.lo
+  CC       expression.lo
+  CC       evaluate.lo
+  CC       proto.lo
+  CC       payload.lo
+  CC       exthdr.lo
+  CC       fib.lo
+  CC       hash.lo
+  CC       intervals.lo
+  CC       ipopt.lo
+  CC       meta.lo
+  CC       rt.lo
+  CC       numgen.lo
+  CC       ct.lo
+  CC       xfrm.lo
+  CC       netlink.lo
+  CC       netlink_linearize.lo
+  CC       netlink_delinearize.lo
+  CC       misspell.lo
+  CC       monitor.lo
+  CC       owner.lo
+  CC       segtree.lo
+  CC       gmputil.lo
+  CC       utils.lo
+  CC       nftutils.lo
+  CC       erec.lo
+  CC       mnl.lo
+  CC       iface.lo
+  CC       mergesort.lo
+  CC       optimize.lo
+  CC       osf.lo
+  CC       nfnl_osf.lo
+  CC       tcpopt.lo
+  CC       socket.lo
+  CC       print.lo
+  CC       sctp_chunk.lo
+  CC       dccpopt.lo
+  CC       libnftables.lo
+  CC       xt.lo
+  CC       json.lo
+  CC       parser_json.lo
+  CC       libparser_la-parser_bison.lo
+  CC       libparser_la-scanner.lo
+  CCLD     libparser.la
+  CCLD     libnftables.la
+  CCLD     nft
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/src'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/src'
+Making all in include
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include'
+Making all in linux
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+Making all in netfilter
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter'
+Making all in netfilter_arp
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_arp'
+Making all in netfilter_bridge
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_bridge'
+Making all in netfilter_ipv4
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv4'
+Making all in netfilter_ipv6
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[4]: No se hace nada para 'all'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux/netfilter_ipv6'
+make[4]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+make[4]: No se hace nada para 'all-am'.
+make[4]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/linux'
+Making all in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include/nftables'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/include'
+make[3]: No se hace nada para 'all-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/include'
+Making all in files
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files'
+Making all in nftables
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/nftables'
+Making all in examples
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/examples'
+Making all in osf
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[3]: No se hace nada para 'all'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files/osf'
+make[3]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/files'
+make[3]: No se hace nada para 'all-am'.
+make[3]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/files'
+Making all in doc
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/doc'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/doc'
+Making all in examples
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/examples'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/examples'
+Making all in py
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN/py'
+make[2]: No se hace nada para 'all'.
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN/py'
+make[2]: se entra en el directorio '/tmp/tmp.nspSLnT0EN'
+make[2]: se sale del directorio '/tmp/tmp.nspSLnT0EN'
+make[1]: se sale del directorio '/tmp/tmp.nspSLnT0EN'
diff --git a/tests/json_echo/run-test.py b/tests/json_echo/run-test.py
new file mode 100755
index 0000000..a6bdfc6
--- /dev/null
+++ b/tests/json_echo/run-test.py
@@ -0,0 +1,309 @@
+#!/usr/bin/python
+
+from __future__ import print_function
+import sys
+import os
+import json
+import argparse
+
+TESTS_PATH = os.path.dirname(os.path.abspath(__file__))
+sys.path.insert(0, os.path.join(TESTS_PATH, '../../py/'))
+
+from nftables import Nftables
+
+# Change working directory to repository root
+os.chdir(TESTS_PATH + "/../..")
+
+parser = argparse.ArgumentParser(description='Run JSON echo tests')
+parser.add_argument('-H', '--host', action='store_true',
+                    help='Run tests against installed libnftables.so.1')
+parser.add_argument('-l', '--library', default=None,
+                    help='Path to libntables.so, overrides --host')
+args = parser.parse_args()
+
+check_lib_path = True
+if args.library is None:
+    if args.host:
+        args.library = 'libnftables.so.1'
+        check_lib_path = False
+    else:
+        args.library = 'src/.libs/libnftables.so.1'
+
+if check_lib_path and not os.path.exists(args.library):
+    print("Library not found at '%s'." % args.library)
+    sys.exit(1)
+
+nftables = Nftables(sofile = args.library)
+nftables.set_echo_output(True)
+
+# various commands to work with
+
+flush_ruleset = { "flush": { "ruleset": None } }
+
+list_ruleset = { "list": { "ruleset": None } }
+
+add_table = { "add": {
+    "table": {
+        "family": "inet",
+        "name": "t",
+    }
+}}
+
+add_chain = { "add": {
+    "chain": {
+        "family": "inet",
+        "table": "t",
+        "name": "c"
+    }
+}}
+
+add_set = { "add": {
+    "set": {
+        "family": "inet",
+        "table": "t",
+        "name": "s",
+        "type": "inet_service"
+    }
+}}
+
+add_rule = { "add": {
+    "rule": {
+        "family": "inet",
+        "table": "t",
+        "chain": "c",
+        "expr": [ { "accept": None } ]
+    }
+}}
+
+add_counter = { "add": {
+    "counter": {
+        "family": "inet",
+        "table": "t",
+        "name": "c"
+    }
+}}
+
+add_quota = { "add": {
+    "quota": {
+        "family": "inet",
+        "table": "t",
+        "name": "q",
+        "bytes": 65536
+    }
+}}
+
+# helper functions
+
+def exit_err(msg):
+    print("Error: %s" %msg, file=sys.stderr)
+    sys.exit(1)
+
+def exit_dump(e, obj):
+    msg = "{}\n".format(e)
+    msg += "Output was:\n"
+    msg += json.dumps(obj, sort_keys = True, indent = 4, separators = (',', ': '))
+    exit_err(msg)
+
+def do_flush():
+    rc, out, err = nftables.json_cmd({ "nftables": [flush_ruleset] })
+    if rc != 0:
+        exit_err("flush ruleset failed: {}".format(err))
+
+def do_command(cmd):
+    if not type(cmd) is list:
+        cmd = [cmd]
+    rc, out, err = nftables.json_cmd({ "nftables": cmd })
+    if rc != 0:
+        exit_err("command failed: {}".format(err))
+    return out
+
+def do_list_ruleset():
+    echo = nftables.get_echo_output()
+    nftables.set_echo_output(False)
+    out = do_command(list_ruleset)
+    nftables.set_echo_output(echo)
+    return out
+
+def get_handle(output, search):
+    try:
+        for item in output["nftables"]:
+            if "add" in item:
+                data = item["add"]
+            elif "insert" in item:
+                data = item["insert"]
+            else:
+                data = item
+
+            k = list(search.keys())[0]
+
+            if not k in data:
+                continue
+            found = True
+            for key in list(search[k].keys()):
+                if key == "handle":
+                    continue
+                if not key in data[k] or search[k][key] != data[k][key]:
+                    found = False
+                    break
+            if not found:
+                continue
+
+            return data[k]["handle"]
+    except Exception as e:
+        exit_dump(e, output)
+
+# single commands first
+
+do_flush()
+
+print("Adding table t")
+out = do_command(add_table)
+handle = get_handle(out, add_table["add"])
+
+out = do_list_ruleset()
+handle_cmp = get_handle(out, add_table["add"])
+
+if handle != handle_cmp:
+    exit_err("handle mismatch!")
+
+add_table["add"]["table"]["handle"] = handle
+
+print("Adding chain c")
+out = do_command(add_chain)
+handle = get_handle(out, add_chain["add"])
+
+out = do_list_ruleset()
+handle_cmp = get_handle(out, add_chain["add"])
+
+if handle != handle_cmp:
+    exit_err("handle mismatch!")
+
+add_chain["add"]["chain"]["handle"] = handle
+
+print("Adding set s")
+out = do_command(add_set)
+handle = get_handle(out, add_set["add"])
+
+out = do_list_ruleset()
+handle_cmp = get_handle(out, add_set["add"])
+
+if handle != handle_cmp:
+    exit_err("handle mismatch!")
+
+add_set["add"]["set"]["handle"] = handle
+
+print("Adding rule")
+out = do_command(add_rule)
+handle = get_handle(out, add_rule["add"])
+
+out = do_list_ruleset()
+handle_cmp = get_handle(out, add_rule["add"])
+
+if handle != handle_cmp:
+    exit_err("handle mismatch!")
+
+add_rule["add"]["rule"]["handle"] = handle
+
+print("Adding counter")
+out = do_command(add_counter)
+handle = get_handle(out, add_counter["add"])
+
+out = do_list_ruleset()
+handle_cmp = get_handle(out, add_counter["add"])
+
+if handle != handle_cmp:
+    exit_err("handle mismatch!")
+
+add_counter["add"]["counter"]["handle"] = handle
+
+print("Adding quota")
+out = do_command(add_quota)
+handle = get_handle(out, add_quota["add"])
+
+out = do_list_ruleset()
+handle_cmp = get_handle(out, add_quota["add"])
+
+if handle != handle_cmp:
+    exit_err("handle mismatch!")
+
+add_quota["add"]["quota"]["handle"] = handle
+
+# adjust names and add items again
+# Note: Handles are per-table, hence add renamed objects to first table
+#       to make sure assigned handle differs from first run.
+
+add_table["add"]["table"]["name"] = "t2"
+add_chain["add"]["chain"]["name"] = "c2"
+add_set["add"]["set"]["name"] = "s2"
+add_counter["add"]["counter"]["name"] = "c2"
+add_quota["add"]["quota"]["name"] = "q2"
+
+print("Adding table t2")
+out = do_command(add_table)
+handle = get_handle(out, add_table["add"])
+if handle == add_table["add"]["table"]["handle"]:
+   exit_err("handle not changed in re-added table!")
+
+print("Adding chain c2")
+out = do_command(add_chain)
+handle = get_handle(out, add_chain["add"])
+if handle == add_chain["add"]["chain"]["handle"]:
+   exit_err("handle not changed in re-added chain!")
+
+print("Adding set s2")
+out = do_command(add_set)
+handle = get_handle(out, add_set["add"])
+if handle == add_set["add"]["set"]["handle"]:
+   exit_err("handle not changed in re-added set!")
+
+print("Adding rule again")
+out = do_command(add_rule)
+handle = get_handle(out, add_rule["add"])
+if handle == add_rule["add"]["rule"]["handle"]:
+   exit_err("handle not changed in re-added rule!")
+
+print("Adding counter c2")
+out = do_command(add_counter)
+handle = get_handle(out, add_counter["add"])
+if handle == add_counter["add"]["counter"]["handle"]:
+   exit_err("handle not changed in re-added counter!")
+
+print("Adding quota q2")
+out = do_command(add_quota)
+handle = get_handle(out, add_quota["add"])
+if handle == add_quota["add"]["quota"]["handle"]:
+   exit_err("handle not changed in re-added quota!")
+
+# now multiple commands
+
+# reset name changes again
+add_table["add"]["table"]["name"] = "t"
+add_chain["add"]["chain"]["name"] = "c"
+add_set["add"]["set"]["name"] = "s"
+add_counter["add"]["counter"]["name"] = "c"
+add_quota["add"]["quota"]["name"] = "q"
+
+do_flush()
+
+print("doing multi add")
+add_multi = [ add_table, add_chain, add_set, add_rule ]
+out = do_command(add_multi)
+
+thandle = get_handle(out, add_table["add"])
+chandle = get_handle(out, add_chain["add"])
+shandle = get_handle(out, add_set["add"])
+rhandle = get_handle(out, add_rule["add"])
+
+out = do_list_ruleset()
+
+if thandle != get_handle(out, add_table["add"]):
+    exit_err("table handle mismatch!")
+
+if chandle != get_handle(out, add_chain["add"]):
+    exit_err("chain handle mismatch!")
+
+if shandle != get_handle(out, add_set["add"]):
+    exit_err("set handle mismatch!")
+
+if rhandle != get_handle(out, add_rule["add"]):
+    exit_err("rule handle mismatch!")
diff --git a/tests/monitor/README b/tests/monitor/README
new file mode 100644
index 0000000..39096a7
--- /dev/null
+++ b/tests/monitor/README
@@ -0,0 +1,59 @@
+Simple NFT MONITOR Testsuite
+============================
+
+The purpose of this suite of tests is to assert correct 'nft monitor' output for
+known input. The suite consists of the single shell script 'run-tests.sh' which
+performs the tests and a number of test definition files in 'testcases/'. The
+latter have to be suffixed '.t' in order to be recognized as such.
+
+Test Case Syntax
+----------------
+
+Each testcase defines a number of commands to pass on to 'nft' binary and an
+associated 'nft monitor' output definition. Prerequisites for each command have
+to be established manually, i.e. in order to test monitor output when adding a
+chain, the table containing it has to be created first. In between each
+testcase, rule set is flushed completely.
+
+Input lines are prefixed by 'I'. Multiple consecutive input lines are passed to
+'nft' together, hence lead to a single transaction.
+
+There are two types of output lines: Those for standard syntax, prefixed by 'O'
+and those for JSON output, prefixed by 'J'. For standard syntax output lines,
+there is a shortcut: If a line consists of 'O -' only, the test script uses all
+previous input lines as expected output directly. Of course this is not
+available for JSON output lines.
+
+Empty lines and those starting with '#' are ignored.
+
+Test Script Semantics
+---------------------
+
+The script iterates over all test case files, reading them line by line. It
+assumes that sections of 'I' lines alternate with sections of 'O'/'J' lines.
+After stripping the prefix, each line is appended to a temporary file. There are
+separate files for input and output lines.
+
+If a set of input and output lines is complete (i.e. upon encountering either a
+new input line or end of file), a testrun is performed: 'nft monitor' is run in
+background, redirecting the output into a third file. The input file is passed
+to 'nft -f'. Finally 'nft monitor' is killed and it's output compared to the
+output file created earlier. If the files differ, a unified diff is printed and
+test execution aborts.
+
+After each testrun, input and output files are cleared.
+
+Note: Running 'nft monitor' in background is prone to race conditions. Hence
+an artificial delay is introduced before calling 'nft -f' to allow for 'nft
+monitor' to complete initialization and another one before comparing the output
+to allow for 'nft monitor' to process the netlink events.
+
+By default, only standard syntax is being tested for, i.e. 'J'-prefixed lines
+are simply ignored. If JSON testing was requested (by passing '-j' flag to the
+test script), 'O'-prefixed lines in turn are ignored.
+
+There is one caveat with regards to JSON output: Since it always contains handle
+properties (if the given object possesses such) which is supposed to be
+arbitrary, there is a filter script which normalizes all handle values in
+monitor output to zero before comparison. Therefore expected output must have
+all handle properties present but with a value of zero.
diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh
new file mode 100755
index 0000000..f1ac790
--- /dev/null
+++ b/tests/monitor/run-tests.sh
@@ -0,0 +1,211 @@
+#!/bin/bash
+
+cd $(dirname $0)
+nft=${NFT:-../../src/nft}
+debug=false
+test_json=false
+
+mydiff() {
+	diff -w -I '^# ' "$@"
+}
+
+err() {
+	echo "$*" >&2
+}
+
+die() {
+	err "$*"
+	exit 1
+}
+
+if [ "$(id -u)" != "0" ] ; then
+	die "this requires root!"
+fi
+
+testdir=$(mktemp -d)
+if [ ! -d $testdir ]; then
+	die "Failed to create test directory"
+fi
+trap 'rm -rf $testdir; $nft flush ruleset' EXIT
+
+command_file=$(mktemp -p $testdir)
+output_file=$(mktemp -p $testdir)
+
+cmd_append() {
+	echo "$*" >>$command_file
+}
+monitor_output_append() {
+	[[ "$*" == '-' ]] && {
+		cat $command_file >>$output_file
+		return
+	}
+	echo "$*" >>$output_file
+}
+echo_output_append() {
+	# this is a bit tricky: for replace commands, nft prints a delete
+	# command - so in case there is a replace command in $command_file,
+	# just assume any other commands in the same file are sane
+	grep -q '^replace' $command_file >/dev/null 2>&1 && {
+		monitor_output_append "$*"
+		return
+	}
+	[[ "$*" == '-' ]] && {
+		grep '^\(add\|replace\|insert\)' $command_file >>$output_file
+		return
+	}
+	[[ "$*" =~ ^add|replace|insert ]] && echo "$*" >>$output_file
+}
+json_output_filter() { # (filename)
+	# unify handle values
+	sed -i -e 's/\("handle":\) [0-9][0-9]*/\1 0/g' "$1"
+}
+monitor_run_test() {
+	monitor_output=$(mktemp -p $testdir)
+	monitor_args=""
+	$test_json && monitor_args="vm json"
+	local rc=0
+
+	$nft -nn monitor $monitor_args >$monitor_output &
+	monitor_pid=$!
+
+	sleep 0.5
+
+	$debug && {
+		echo "command file:"
+		cat $command_file
+	}
+	$nft -f - <$command_file || {
+		err "nft command failed!"
+		rc=1
+	}
+	sleep 0.5
+	kill $monitor_pid
+	wait >/dev/null 2>&1
+	$test_json && json_output_filter $monitor_output
+	mydiff -q $monitor_output $output_file >/dev/null 2>&1
+	if [[ $rc == 0 && $? != 0 ]]; then
+		err "monitor output differs!"
+		mydiff -u $output_file $monitor_output >&2
+		rc=1
+	fi
+	rm $command_file
+	rm $output_file
+	touch $command_file
+	touch $output_file
+	return $rc
+}
+
+echo_run_test() {
+	echo_output=$(mktemp -p $testdir)
+	local rc=0
+
+	$debug && {
+		echo "command file:"
+		cat $command_file
+	}
+	$nft -nn -e -f - <$command_file >$echo_output || {
+		err "nft command failed!"
+		rc=1
+	}
+	mydiff -q $echo_output $output_file >/dev/null 2>&1
+	if [[ $rc == 0 && $? != 0 ]]; then
+		err "echo output differs!"
+		mydiff -u $output_file $echo_output >&2
+		rc=1
+	fi
+	rm $command_file
+	rm $output_file
+	touch $command_file
+	touch $output_file
+	return $rc
+}
+
+testcases=""
+while [ -n "$1" ]; do
+	case "$1" in
+	-d|--debug)
+		debug=true
+		shift
+		;;
+	-j|--json)
+		test_json=true
+		shift
+		;;
+	-H|--host)
+		nft=nft
+		shift
+		;;
+	testcases/*.t)
+		testcases+=" $1"
+		shift
+		;;
+	*)
+		echo "unknown option '$1'"
+		;&
+	-h|--help)
+		echo "Usage: $(basename $0) [-j|--json] [-d|--debug] [testcase ...]"
+		exit 1
+		;;
+	esac
+done
+
+if $test_json; then
+	variants="monitor"
+else
+	variants="monitor echo"
+fi
+
+rc=0
+for variant in $variants; do
+	run_test=${variant}_run_test
+	output_append=${variant}_output_append
+
+	for testcase in ${testcases:-testcases/*.t}; do
+		filename=$(basename $testcase)
+		echo "$variant: running tests from file $filename"
+		rc_start=$rc
+
+		# files are like this:
+		#
+		# I add table ip t
+		# O add table ip t
+		# I add chain ip t c
+		# O add chain ip t c
+
+		$nft flush ruleset
+
+		input_complete=false
+		while read dir line; do
+			case $dir in
+			I)
+				$input_complete && {
+					$run_test
+					let "rc += $?"
+				}
+				input_complete=false
+				cmd_append "$line"
+				;;
+			O)
+				input_complete=true
+				$test_json || $output_append "$line"
+				;;
+			J)
+				input_complete=true
+				$test_json && $output_append "$line"
+				;;
+			'#'|'')
+				# ignore comments and empty lines
+				;;
+			esac
+		done <$testcase
+		$input_complete && {
+			$run_test
+			let "rc += $?"
+		}
+
+		let "rc_diff = rc - rc_start"
+		[[ $rc_diff -ne 0 ]] && \
+			echo "$variant: $rc_diff tests from file $filename failed"
+	done
+done
+exit $rc
diff --git a/tests/monitor/testcases/map-expr.t b/tests/monitor/testcases/map-expr.t
new file mode 100644
index 0000000..8729c0b
--- /dev/null
+++ b/tests/monitor/testcases/map-expr.t
@@ -0,0 +1,6 @@
+# first the setup
+I add table ip t
+I add map ip t m { typeof meta day . meta hour : verdict; flags interval; counter; }
+O -
+J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}}
+J {"add": {"map": {"family": "ip", "name": "m", "table": "t", "type": ["day", "hour"], "handle": 0, "map": "verdict", "flags": ["interval"], "stmt": [{"counter": null}]}}}
diff --git a/tests/monitor/testcases/object.t b/tests/monitor/testcases/object.t
new file mode 100644
index 0000000..53a9f8c
--- /dev/null
+++ b/tests/monitor/testcases/object.t
@@ -0,0 +1,46 @@
+# first the setup
+I add table ip t
+O -
+J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}}
+
+I add counter ip t c
+O add counter ip t c { packets 0 bytes 0 }
+J {"add": {"counter": {"family": "ip", "name": "c", "table": "t", "handle": 0, "packets": 0, "bytes": 0}}}
+
+I delete counter ip t c
+O -
+J {"delete": {"counter": {"family": "ip", "name": "c", "table": "t", "handle": 0, "packets": 0, "bytes": 0}}}
+
+# FIXME: input/output shouldn't be asynchronous here
+I add quota ip t q 25 mbytes
+O add quota ip t q { 25 mbytes }
+J {"add": {"quota": {"family": "ip", "name": "q", "table": "t", "handle": 0, "bytes": 26214400, "used": 0, "inv": false}}}
+
+I delete quota ip t q
+O -
+J {"delete": {"quota": {"family": "ip", "name": "q", "table": "t", "handle": 0, "bytes": 26214400, "used": 0, "inv": false}}}
+
+# FIXME: input/output shouldn't be asynchronous here
+I add limit ip t l rate 1/second
+O add limit ip t l { rate 1/second }
+J {"add": {"limit": {"family": "ip", "name": "l", "table": "t", "handle": 0, "rate": 1, "per": "second", "burst": 5}}}
+
+I delete limit ip t l
+O -
+J {"delete": {"limit": {"family": "ip", "name": "l", "table": "t", "handle": 0, "rate": 1, "per": "second", "burst": 5}}}
+
+I add ct helper ip t cth { type "sip" protocol tcp; l3proto ip; }
+O -
+J {"add": {"ct helper": {"family": "ip", "name": "cth", "table": "t", "handle": 0, "type": "sip", "protocol": "tcp", "l3proto": "ip"}}}
+
+I delete ct helper ip t cth
+O -
+J {"delete": {"ct helper": {"family": "ip", "name": "cth", "table": "t", "handle": 0, "type": "sip", "protocol": "tcp", "l3proto": "ip"}}}
+
+I add ct timeout ip t ctt { protocol udp; l3proto ip; policy = { unreplied : 15s, replied : 12s }; }
+O -
+J {"add": {"ct timeout": {"family": "ip", "name": "ctt", "table": "t", "handle": 0, "protocol": "udp", "l3proto": "ip", "policy": {"unreplied": 15, "replied": 12}}}}
+
+I delete ct timeout ip t ctt
+O -
+J {"delete": {"ct timeout": {"family": "ip", "name": "ctt", "table": "t", "handle": 0, "protocol": "udp", "l3proto": "ip", "policy": {"unreplied": 15, "replied": 12}}}}
diff --git a/tests/monitor/testcases/set-interval.t b/tests/monitor/testcases/set-interval.t
new file mode 100644
index 0000000..5053c59
--- /dev/null
+++ b/tests/monitor/testcases/set-interval.t
@@ -0,0 +1,30 @@
+# setup first
+I add table ip t
+I add chain ip t c
+O -
+J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}}
+J {"add": {"chain": {"family": "ip", "table": "t", "name": "c", "handle": 0}}}
+
+# add set with elements, monitor output expectedly differs
+I add set ip t s { type inet_service; flags interval; elements = { 20, 30-40 }; }
+O add set ip t s { type inet_service; flags interval; }
+O add element ip t s { 20 }
+O add element ip t s { 30-40 }
+J {"add": {"set": {"family": "ip", "name": "s", "table": "t", "type": "inet_service", "handle": 0, "flags": ["interval"]}}}
+J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set": [20]}}}}
+J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set": [{"range": [30, 40]}]}}}}
+
+# this would crash nft
+I add rule ip t c tcp dport @s
+O -
+J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": "@s"}}]}}}
+
+# test anonymous interval sets as well
+I add rule ip t c tcp dport { 20, 30-40 }
+O -
+J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"set": [20, {"range": [30, 40]}]}}}]}}}
+
+# ... and anon concat range
+I add rule ip t c ether saddr . ip saddr { 08:00:27:40:f7:09 . 192.168.56.10-192.168.56.12 }
+O -
+J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"concat": [{"payload": {"protocol": "ether", "field": "saddr"}}, {"payload": {"protocol": "ip", "field": "saddr"}}]}, "right": {"set": [{"concat": ["08:00:27:40:f7:09", {"range": ["192.168.56.10", "192.168.56.12"]}]}]}}}]}}}
diff --git a/tests/monitor/testcases/set-maps.t b/tests/monitor/testcases/set-maps.t
new file mode 100644
index 0000000..acda480
--- /dev/null
+++ b/tests/monitor/testcases/set-maps.t
@@ -0,0 +1,14 @@
+# first the setup
+I add table ip t
+I add map ip t portip { type inet_service: ipv4_addr; flags interval; }
+O -
+J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}}
+J {"add": {"map": {"family": "ip", "name": "portip", "table": "t", "type": "inet_service", "handle": 0, "map": "ipv4_addr", "flags": ["interval"]}}}
+
+I add element ip t portip { 80-100: 10.0.0.1 }
+O -
+J {"add": {"element": {"family": "ip", "table": "t", "name": "portip", "elem": {"set": [[{"range": [80, 100]}, "10.0.0.1"]]}}}}
+
+I add element ip t portip { 1024-65535: 10.0.0.1 }
+O -
+J {"add": {"element": {"family": "ip", "table": "t", "name": "portip", "elem": {"set": [[{"range": [1024, 65535]}, "10.0.0.1"]]}}}}
diff --git a/tests/monitor/testcases/set-mixed.t b/tests/monitor/testcases/set-mixed.t
new file mode 100644
index 0000000..08c2011
--- /dev/null
+++ b/tests/monitor/testcases/set-mixed.t
@@ -0,0 +1,22 @@
+# first the setup
+I add table ip t
+I add set ip t portrange { type inet_service; flags interval; }
+I add set ip t ports { type inet_service; }
+O -
+J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}}
+J {"add": {"set": {"family": "ip", "name": "portrange", "table": "t", "type": "inet_service", "handle": 0, "flags": ["interval"]}}}
+J {"add": {"set": {"family": "ip", "name": "ports", "table": "t", "type": "inet_service", "handle": 0}}}
+
+# make sure concurrent adds work
+I add element ip t portrange { 1024-65535 }
+I add element ip t ports { 10 }
+O -
+J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [1024, 65535]}]}}}}
+J {"add": {"element": {"family": "ip", "table": "t", "name": "ports", "elem": {"set": [10]}}}}
+
+# delete items again
+I delete element ip t portrange { 1024-65535 }
+I delete element ip t ports { 10 }
+O -
+J {"delete": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [1024, 65535]}]}}}}
+J {"delete": {"element": {"family": "ip", "table": "t", "name": "ports", "elem": {"set": [10]}}}}
diff --git a/tests/monitor/testcases/set-multiple.t b/tests/monitor/testcases/set-multiple.t
new file mode 100644
index 0000000..bd7a624
--- /dev/null
+++ b/tests/monitor/testcases/set-multiple.t
@@ -0,0 +1,15 @@
+# first the setup
+I add table ip t
+I add set ip t portrange { type inet_service; flags interval; }
+I add set ip t portrange2 { type inet_service; flags interval; }
+O -
+J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}}
+J {"add": {"set": {"family": "ip", "name": "portrange", "table": "t", "type": "inet_service", "handle": 0, "flags": ["interval"]}}}
+J {"add": {"set": {"family": "ip", "name": "portrange2", "table": "t", "type": "inet_service", "handle": 0, "flags": ["interval"]}}}
+
+# make sure concurrent adds work
+I add element ip t portrange { 1024-65535 }
+I add element ip t portrange2 { 10-20 }
+O -
+J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [1024, 65535]}]}}}}
+J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange2", "elem": {"set": [{"range": [10, 20]}]}}}}
diff --git a/tests/monitor/testcases/set-simple.t b/tests/monitor/testcases/set-simple.t
new file mode 100644
index 0000000..8ca4f32
--- /dev/null
+++ b/tests/monitor/testcases/set-simple.t
@@ -0,0 +1,61 @@
+# first the setup
+I add table ip t
+I add set ip t portrange { type inet_service; flags interval; }
+O -
+J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}}
+J {"add": {"set": {"family": "ip", "name": "portrange", "table": "t", "type": "inet_service", "handle": 0, "flags": ["interval"]}}}
+
+# adding some ranges
+I add element ip t portrange { 1-10 }
+O -
+J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [1, 10]}]}}}}
+I add element ip t portrange { 1024-65535 }
+O -
+J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [1024, 65535]}]}}}}
+I add element ip t portrange { 20-30, 40-50 }
+O add element ip t portrange { 20-30 }
+O add element ip t portrange { 40-50 }
+J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [20, 30]}]}}}}
+J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [40, 50]}]}}}}
+
+# test flushing -> elements are removed in reverse
+I flush set ip t portrange
+O delete element ip t portrange { 1024-65535 }
+O delete element ip t portrange { 40-50 }
+O delete element ip t portrange { 20-30 }
+O delete element ip t portrange { 1-10 }
+J {"delete": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [1024, 65535]}]}}}}
+J {"delete": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [40, 50]}]}}}}
+J {"delete": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [20, 30]}]}}}}
+J {"delete": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [1, 10]}]}}}}
+
+# make sure lower scope boundary works
+I add element ip t portrange { 0-10 }
+O -
+J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [0, 10]}]}}}}
+
+# make sure half open before other element works
+I add element ip t portrange { 1024-65535 }
+I add element ip t portrange { 100-200 }
+O -
+J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [1024, 65535]}]}}}}
+J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [100, 200]}]}}}}
+
+# make sure deletion of elements works
+I delete element ip t portrange { 0-10 }
+O -
+J {"delete": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [0, 10]}]}}}}
+I delete element ip t portrange { 100-200 }
+I delete element ip t portrange { 1024-65535 }
+O -
+J {"delete": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [100, 200]}]}}}}
+J {"delete": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [1024, 65535]}]}}}}
+
+# make sure mixed add/delete works
+I add element ip t portrange { 10-20 }
+I add element ip t portrange { 1024-65535 }
+I delete element ip t portrange { 10-20 }
+O -
+J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [10, 20]}]}}}}
+J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [1024, 65535]}]}}}}
+J {"delete": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [10, 20]}]}}}}
diff --git a/tests/monitor/testcases/simple.t b/tests/monitor/testcases/simple.t
new file mode 100644
index 0000000..67be5c8
--- /dev/null
+++ b/tests/monitor/testcases/simple.t
@@ -0,0 +1,28 @@
+# first the setup
+I add table ip t
+I add chain ip t c
+O -
+J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}}
+J {"add": {"chain": {"family": "ip", "table": "t", "name": "c", "handle": 0}}}
+
+I add rule ip t c accept
+O -
+J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"accept": null}]}}}
+
+I add rule ip t c tcp dport { 22, 80, 443 } accept
+O -
+J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"set": [22, 80, 443]}}}, {"accept": null}]}}}
+
+I insert rule ip t c counter accept
+O insert rule ip t c counter packets 0 bytes 0 accept
+J {"insert": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"counter": {"packets": 0, "bytes": 0}}, {"accept": null}]}}}
+
+I replace rule ip t c handle 2 accept comment "foo bar"
+O delete rule ip t c handle 2
+O add rule ip t c handle 5 accept comment "foo bar"
+J {"delete": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"accept": null}]}}}
+J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "comment": "foo bar", "expr": [{"accept": null}]}}}
+
+I add counter ip t cnt
+O add counter ip t cnt { packets 0 bytes 0 }
+J {"add": {"counter": {"family": "ip", "name": "cnt", "table": "t", "handle": 0, "packets": 0, "bytes": 0}}}
diff --git a/tests/py/README b/tests/py/README
new file mode 100644
index 0000000..864a966
--- /dev/null
+++ b/tests/py/README
@@ -0,0 +1,197 @@
+Author: Ana Rey <anarey@gmail.com>
+Date: 18/Sept/2014
+
+Here, the automated regression testing for nftables and some test
+files.
+
+This script checks that the rule input and output of nft matches.
+More details here below.
+
+A) What is this testing?
+
+This script tests two different paths:
+
+* The rule input from the command-line. This checks the different steps
+  from the command line to the kernel. This includes the parsing,
+  evaluation and netlink generation steps.
+
+* The output listing that is obtained from the kernel. This checks the
+  different steps from the kernel to the command line: The netlink
+  message parsing, postprocess and textify steps to display the rule
+  listing.
+
+As a final step, this script compares that the rule that is added can
+be listed by nft.
+
+B) What options are available?
+
+The script offers the following options:
+
+* Execute test files:
+
+./nft-test.py                           # Run all test files
+./nft-test.py path/file.t               # Run this test file
+
+If there is a problem, it shows the differences between the rule that
+is added and the rule that is listed by nft.
+
+In case you hit an error, the script doesn't keep testing for more
+families. Unless you specify the --force-family option.
+
+* Execute broken tests:
+
+./nft-test.py -e
+
+This runs tests for rules that need a fix: This mode runs the lines that
+that start with a "-" symbol.
+
+* Debugging:
+
+./nft-test.py -d
+
+This shows all the commands that the script executes, so you can watch
+its internal behaviour.
+
+* Keep testing all families on error.
+
+./nft-test.py -f
+
+Don't stop testing for more families in case of error.
+
+C) What is the structure of the test file?
+
+A test file contains a set of rules that are added in the system.
+
+Here, an example of a test file:
+
+   :input;type filter hook input priority 0    # line 1
+
+   *ip;test-ipv4;input                         # line 2
+   *ip6;test-ipv6;input                        # line 3
+   *inet;test-inet;input                       # line 4
+
+   ah hdrlength != 11-23;ok;ah hdrlength < 11 ah hdrlength > 23   # line 5
+   - tcp dport != {22-25}                                         # line 6
+
+   !set1 ipv4_addr;ok                          # line 7
+   ?set1 192.168.3.8 192.168.3.9;ok            # line 8
+   # This is a commented-line.                 # line 9
+
+Line 1 defines a chain. The name of this chain is "input". The type is "filter",
+the hook is "input" and the priority is 0.
+
+Line 2 defines a table. The name of the table is 'test-ipv4', the family is ip
+and the chain to be added to it is 'input'. Lines 3 and 4 defines more tables for
+different families so the rules in this test file are also tested there.
+
+Line 5 defines the rule, the ";" character is used as separator of several
+parts:
+
+* Part 1: "ah hdrlength != 11-23" is the rule to check.
+* Part 2: "ok" is the result expected with the execute of this rule.
+* Part 3: "ah hdrlength < 11 ah hdrlength > 23". This is the expected
+  output. You can leave this empty if the output is the same as the
+  input.
+
+Line 6 is a marked line. This means that this rule is tested if
+'-e' is passed as argument to nft-test.py.
+
+Line 7 adds a new set. The name of this set is "set1" and the type
+of this set is "ipv4_addr".
+
+Line 8 adds two elements into the 'set1' set: "192.168.3.8" and
+"192.168.3.9". A whitespace separates the elements of the set.
+
+Line 9 uses the "#" symbol that means that this line is commented out.
+
+D) What is a payload file?
+
+A payload file contains info about the netlink message exchanged to achieve the
+transaction.
+
+The output can be generated in two ways. Let's see an example via socket
+matching.
+
+   # generate an empty payload file
+   $ touch inet/socket.t.payload
+
+   $ ./nft-test.py inet/socket.t # this will generate inet/socket.t.payload.got
+
+   $ mv inet/socket.t.payload.got inet/socket.t.payload
+
+The other way is using nft --debug=netlink. This has a drawback over the former
+option, as rules has to be run one by one and also a comment has to be added
+before every rule in the payload file.
+
+   $  nft --debug=netlink add rule ip sockip4 sockchain socket exists
+   ip sockip4 sockchain
+     [ match name socket rev 3 ]
+
+E) The test folders
+
+The test files are divided in several directories: ip, ip6, inet, arp,
+bridge and any.
+
+ * "ip" folder contains the test files that are executed in ip and inet
+   table.
+
+ * "ip6" folder contains the test files that are executed in ip6 and inet
+   table.
+
+ * "inet" folder contains the test files that are executed in the ip, ip6
+    and inet table.
+
+ * "arp" folder contains the test files that are executed in the arp
+   table.
+
+ * "bridge" folder: Here are the test files are executed in bridge
+   tables.
+
+ * "any" folder: Here are the test files are executed in ip, ip6, inet,
+   arp and bridge tables.
+
+F) Meaning of messages:
+
+* A warning message means the rule input and output of nft mismatches.
+* An error message means the nft-tool shows an error when we add it or
+  the listing is broken after the rule is added.
+* An info message means something that is not necessarily related to any test
+  case and does not indicate faulty behaviour.
+
+G) Acknowledgements
+
+Thanks to the Outreach Program for Women (OPW) for sponsoring this test
+infrastructure and my mentor Pablo Neira.
+
+H) JSON (-j) Mode
+
+This mode is supposed to repeat the same tests using JSON syntax. For each test
+file example.t, there is supposed to be a file example.t.json holding the JSON
+equivalents of each rule in example.t. The file's syntax is similar to payload
+files: An initial comment identifies the rule belonging to the following JSON
+equivalent. Pairs of comment and JSON are separated by a single blank line.
+
+If the example.t.json file does not exist, the test script will warn and create
+(or append to) example.t.json.got. The JSON equivalent written is generated by
+applying the rule in standard syntax and listing the ruleset in JSON format.
+After thorough review, it may be renamed to example.t.json.
+
+One common case for editing the content in example.t.json.got is expected
+differences between input and output. The generated content will match the
+output while it is supposed to match the input.
+
+If a rule is expected to differ in output, the expected output must be recorded
+in example.t.json.output. Its syntax is identical to example.t.json, i.e. pairs
+of comment identifying the rule (in standard syntax) and JSON (output) format
+separated by blank lines. Note: the comment states the rule as in input, not
+output.
+
+If the example.t.json.output file does not exist and output differs from input,
+the file example.t.json.output.got is created with the actual output recorded.
+
+JSON mode will also check the payload created for the rule in JSON syntax by
+comparing it to the recorded one in example.t.payload. Should it differ, it
+will be recorded in example.t.json.payload.got. This is always a bug: A rule's
+JSON equivalent must turn into the same bytecode as the rule itself.
+
+-EOF-
diff --git a/tests/py/any/counter.t b/tests/py/any/counter.t
new file mode 100644
index 0000000..1c72742
--- /dev/null
+++ b/tests/py/any/counter.t
@@ -0,0 +1,14 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*arp;test-arp;input
+*bridge;test-bridge;input
+*netdev;test-netdev;ingress
+
+counter;ok
+counter packets 0 bytes 0;ok;counter
+counter packets 2 bytes 1;ok;counter
+counter bytes 1024 packets 1;ok;counter
diff --git a/tests/py/any/counter.t.json b/tests/py/any/counter.t.json
new file mode 100644
index 0000000..2d1eaa9
--- /dev/null
+++ b/tests/py/any/counter.t.json
@@ -0,0 +1,39 @@
+# counter
+[
+    {
+        "counter": {
+            "bytes": 0,
+            "packets": 0
+        }
+    }
+]
+
+# counter packets 0 bytes 0
+[
+    {
+        "counter": {
+            "bytes": 0,
+            "packets": 0
+        }
+    }
+]
+
+# counter packets 2 bytes 1
+[
+    {
+        "counter": {
+            "bytes": 1,
+            "packets": 2
+        }
+    }
+]
+
+# counter bytes 1024 packets 1
+[
+    {
+        "counter": {
+            "bytes": 1024,
+            "packets": 1
+        }
+    }
+]
diff --git a/tests/py/any/counter.t.json.output b/tests/py/any/counter.t.json.output
new file mode 100644
index 0000000..6a62ffb
--- /dev/null
+++ b/tests/py/any/counter.t.json.output
@@ -0,0 +1,28 @@
+# counter
+[
+    {
+        "counter": null
+    }
+]
+
+# counter packets 0 bytes 0
+[
+    {
+        "counter": null
+    }
+]
+
+# counter packets 2 bytes 1
+[
+    {
+        "counter": null
+    }
+]
+
+# counter bytes 1024 packets 1
+[
+    {
+        "counter": null
+    }
+]
+
diff --git a/tests/py/any/counter.t.payload b/tests/py/any/counter.t.payload
new file mode 100644
index 0000000..23e96ba
--- /dev/null
+++ b/tests/py/any/counter.t.payload
@@ -0,0 +1,15 @@
+# counter
+ip
+  [ counter pkts 0 bytes 0 ]
+
+# counter packets 0 bytes 0
+ip
+  [ counter pkts 0 bytes 0 ]
+
+# counter packets 2 bytes 1
+ip
+  [ counter pkts 2 bytes 1 ]
+
+# counter bytes 1024 packets 1
+ip
+  [ counter pkts 1 bytes 1024 ]
diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
new file mode 100644
index 0000000..f73fa4e
--- /dev/null
+++ b/tests/py/any/ct.t
@@ -0,0 +1,149 @@
+:output;type filter hook output priority 0
+
+*ip;test-ip4;output
+*ip6;test-ip6;output
+*inet;test-inet;output
+
+ct state new,established, related, untracked;ok;ct state established,related,new,untracked
+ct state != related;ok
+ct state {new,established, related, untracked};ok
+ct state != {new,established, related, untracked};ok
+ct state invalid drop;ok
+ct state established accept;ok
+ct state 8;ok;ct state new
+ct state xxx;fail
+
+ct direction original;ok
+ct direction != original;ok
+ct direction reply;ok
+ct direction != reply;ok
+ct direction {reply, original};ok
+ct direction != {reply, original};ok
+ct direction xxx;fail
+
+ct status expected;ok
+ct status != expected;ok
+ct status seen-reply;ok
+ct status != seen-reply;ok
+ct status {expected, seen-reply, assured, confirmed, dying};ok
+ct status != {expected, seen-reply, assured, confirmed, dying};ok
+ct status expected,seen-reply,assured,confirmed,snat,dnat,dying;ok
+ct status snat;ok
+ct status dnat;ok
+ct status ! dnat;ok
+ct status xxx;fail
+
+ct mark 0;ok;ct mark 0x00000000
+ct mark or 0x23 == 0x11;ok;ct mark | 0x00000023 == 0x00000011
+ct mark or 0x3 != 0x1;ok;ct mark | 0x00000003 != 0x00000001
+ct mark and 0x23 == 0x11;ok;ct mark & 0x00000023 == 0x00000011
+ct mark and 0x3 != 0x1;ok;ct mark & 0x00000003 != 0x00000001
+ct mark xor 0x23 == 0x11;ok;ct mark 0x00000032
+ct mark xor 0x3 != 0x1;ok;ct mark != 0x00000002
+ct mark set ct mark or 0x00000001;ok;ct mark set ct mark | 0x00000001
+
+ct mark 0x00000032;ok
+ct mark != 0x00000032;ok
+ct mark 0x00000032-0x00000045;ok
+ct mark != 0x00000032-0x00000045;ok
+ct mark {0x32, 0x2222, 0x42de3};ok;ct mark { 0x00042de3, 0x00002222, 0x00000032}
+ct mark {0x32-0x2222, 0x4444-0x42de3};ok;ct mark { 0x00000032-0x00002222, 0x00004444-0x00042de3}
+ct mark != {0x32, 0x2222, 0x42de3};ok;ct mark != { 0x00042de3, 0x00002222, 0x00000032}
+
+# ct mark != {0x32, 0x2222, 0x42de3};ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+ct mark set 0x11 xor 0x1331;ok;ct mark set 0x00001320
+ct mark set 0x11333 and 0x11;ok;ct mark set 0x00000011
+ct mark set 0x12 or 0x11;ok;ct mark set 0x00000013
+ct mark set 0x11;ok;ct mark set 0x00000011
+ct mark set mark;ok;ct mark set meta mark
+ct mark set (meta mark | 0x10) << 8;ok;ct mark set (meta mark | 0x00000010) << 8
+ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 };ok;ct mark set meta mark map { 0x00000003 : 0x0000001e, 0x00000002 : 0x00000014, 0x00000001 : 0x0000000a}
+
+ct mark set {0x11333, 0x11};fail
+ct zone set {123, 127};fail
+ct label set {123, 127};fail
+ct event set {new, related, destroy, label};fail
+
+ct expiration 30s;ok
+ct expiration 30000ms;ok;ct expiration 30s
+ct expiration 1m-1h;ok;ct expiration 60s-3600s
+ct expiration 1d-1h;fail
+ct expiration > 4d23h59m59s;ok
+ct expiration != 233;ok;ct expiration != 3m53s
+ct expiration 33-45;ok;ct expiration 33s-45s
+ct expiration != 33-45;ok;ct expiration != 33s-45s
+ct expiration {33, 55, 67, 88};ok;ct expiration { 1m7s, 33s, 55s, 1m28s}
+ct expiration != {33, 55, 67, 88};ok;ct expiration != { 1m7s, 33s, 55s, 1m28s}
+ct expiration {33-55, 66-88};ok;ct expiration { 33s-55s, 66s-88s}
+ct expiration != {33-55, 66-88};ok;ct expiration != { 33s-55s, 66s-88s}
+
+ct helper "ftp";ok
+ct helper "12345678901234567";fail
+ct helper "";fail
+
+ct state . ct mark { new . 0x12345678, new . 0x34127856, established . 0x12785634};ok
+ct direction . ct mark { original . 0x12345678, reply . 0x87654321};ok
+ct state . ct mark vmap { new . 0x12345678 : drop, established . 0x87654321 : accept};ok
+
+ct original bytes > 100000;ok
+ct reply packets < 100;ok
+ct bytes > 100000;ok
+
+ct avgpkt > 200;ok
+ct original avgpkt < 500;ok
+
+# bogus direction
+ct both bytes gt 1;fail
+# nonsensical
+ct bytes original reply;fail
+
+# missing direction
+ct ip saddr 1.2.3.4;fail
+
+# wrong base (ip6 but ipv4 address given)
+meta nfproto ipv6 ct original ip saddr 1.2.3.4;fail
+
+# direction, but must be used without
+ct original mark 42;fail
+# swapped key and direction
+ct mark original;fail
+
+ct event set new;ok
+ct event set new or related or destroy or foobar;fail
+ct event set new | related | destroy | label;ok;ct event set new,related,destroy,label
+ct event set new,related,destroy,label;ok
+ct event set new,destroy;ok
+ct event set 1;ok;ct event set new
+ct event set 0x0;ok
+
+ct label 127;ok
+ct label set 127;ok
+ct label 128;fail
+
+ct zone 0;ok
+ct zone 23;ok
+ct zone 65536;fail
+ct both zone 1;fail
+ct original zone 1;ok
+ct reply zone 1;ok
+
+ct id 12345;ok
+
+ct zone set 1;ok
+ct original zone set 1;ok
+ct reply zone set 1;ok
+ct zone set mark map { 1 : 1,  2 : 2 };ok;ct zone set meta mark map { 0x00000001 : 1, 0x00000002 : 2}
+ct both zone set 1;fail
+
+ct invalid;fail
+ct invalid original;fail
+ct set invalid original 42;fail
+ct set invalid 42;fail
+
+notrack;ok
+
+ct count 3;ok
+ct count over 3;ok
diff --git a/tests/py/any/ct.t.json b/tests/py/any/ct.t.json
new file mode 100644
index 0000000..a2a0602
--- /dev/null
+++ b/tests/py/any/ct.t.json
@@ -0,0 +1,1523 @@
+# ct state new,established, related, untracked
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "state"
+                }
+            },
+	    "op": "in",
+            "right": [
+                "new",
+                "established",
+                "related",
+                "untracked"
+            ]
+        }
+    }
+]
+
+# ct state != related
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "state"
+                }
+            },
+            "op": "!=",
+            "right": "related"
+        }
+    }
+]
+
+# ct state {new,established, related, untracked}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "state"
+                }
+            },
+	    "op": "in",
+            "right": {
+                "set": [
+                    "new",
+                    "established",
+                    "related",
+                    "untracked"
+                ]
+            }
+        }
+    }
+]
+
+# ct state != {new,established, related, untracked}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "state"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "new",
+                    "established",
+                    "related",
+                    "untracked"
+                ]
+            }
+        }
+    }
+]
+
+# ct state invalid drop
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "state"
+                }
+            },
+	    "op": "in",
+            "right": "invalid"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# ct state established accept
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "state"
+                }
+            },
+	    "op": "in",
+            "right": "established"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ct state 8
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "state"
+                }
+            },
+	    "op": "in",
+            "right": 8
+        }
+    }
+]
+
+# ct direction original
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "direction"
+                }
+            },
+	    "op": "==",
+            "right": "original"
+        }
+    }
+]
+
+# ct direction != original
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "direction"
+                }
+            },
+            "op": "!=",
+            "right": "original"
+        }
+    }
+]
+
+# ct direction reply
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "direction"
+                }
+            },
+	    "op": "==",
+            "right": "reply"
+        }
+    }
+]
+
+# ct direction != reply
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "direction"
+                }
+            },
+            "op": "!=",
+            "right": "reply"
+        }
+    }
+]
+
+# ct direction {reply, original}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "direction"
+                }
+            },
+	    "op": "in",
+            "right": {
+                "set": [
+                    "reply",
+                    "original"
+                ]
+            }
+        }
+    }
+]
+
+# ct direction != {reply, original}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "direction"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "reply",
+                    "original"
+                ]
+            }
+        }
+    }
+]
+
+# ct status expected
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "status"
+                }
+            },
+	    "op": "in",
+            "right": "expected"
+        }
+    }
+]
+
+# ct status != expected
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "status"
+                }
+            },
+            "op": "!=",
+            "right": "expected"
+        }
+    }
+]
+
+# ct status seen-reply
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "status"
+                }
+            },
+	    "op": "in",
+            "right": "seen-reply"
+        }
+    }
+]
+
+# ct status != seen-reply
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "status"
+                }
+            },
+            "op": "!=",
+            "right": "seen-reply"
+        }
+    }
+]
+
+# ct status {expected, seen-reply, assured, confirmed, dying}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "status"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "expected",
+                    "seen-reply",
+                    "assured",
+                    "confirmed",
+                    "dying"
+                ]
+            }
+        }
+    }
+]
+
+# ct status != {expected, seen-reply, assured, confirmed, dying}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "status"
+                }
+            },
+	    "op": "!=",
+            "right": {
+                "set": [
+                    "expected",
+                    "seen-reply",
+                    "assured",
+                    "confirmed",
+                    "dying"
+                ]
+            }
+        }
+    }
+]
+
+# ct status expected,seen-reply,assured,confirmed,snat,dnat,dying
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "status"
+                }
+            },
+	    "op": "in",
+            "right": [
+                "expected",
+                "seen-reply",
+                "assured",
+                "confirmed",
+                "snat",
+                "dnat",
+                "dying"
+            ]
+        }
+    }
+]
+
+# ct status snat
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "status"
+                }
+            },
+	    "op": "in",
+            "right": "snat"
+        }
+    }
+]
+
+# ct status dnat
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "status"
+                }
+            },
+	    "op": "in",
+            "right": "dnat"
+        }
+    }
+]
+
+# ct status ! dnat
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "status"
+                }
+            },
+            "op": "!",
+            "right": "dnat"
+        }
+    }
+]
+
+# ct mark 0
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# ct mark or 0x23 == 0x11
+[
+    {
+        "match": {
+            "left": {
+                "|": [
+                    {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    },
+                    "0x23"
+                ]
+            },
+            "op": "==",
+            "right": "0x11"
+        }
+    }
+]
+
+# ct mark or 0x3 != 0x1
+[
+    {
+        "match": {
+            "left": {
+                "|": [
+                    {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    },
+                    "0x3"
+                ]
+            },
+            "op": "!=",
+            "right": "0x1"
+        }
+    }
+]
+
+# ct mark and 0x23 == 0x11
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    },
+                    "0x23"
+                ]
+            },
+            "op": "==",
+            "right": "0x11"
+        }
+    }
+]
+
+# ct mark and 0x3 != 0x1
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    },
+                    "0x3"
+                ]
+            },
+            "op": "!=",
+            "right": "0x1"
+        }
+    }
+]
+
+# ct mark xor 0x23 == 0x11
+[
+    {
+        "match": {
+            "left": {
+		"^": [
+		    {
+                        "ct": {
+                            "key": "mark"
+                        }
+		    },
+		    "0x23"
+		]
+            },
+	    "op": "==",
+            "right": "0x11"
+        }
+    }
+]
+
+# ct mark xor 0x3 != 0x1
+[
+    {
+        "match": {
+            "left": {
+		"^": [
+		    {
+                        "ct": {
+                            "key": "mark"
+                        }
+		    },
+		    "0x3"
+		]
+            },
+            "op": "!=",
+            "right": "0x1"
+        }
+    }
+]
+
+# ct mark set ct mark or 0x00000001
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    },
+                    1
+                ]
+            }
+        }
+    }
+]
+
+# ct mark 0x00000032
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "op": "==",
+            "right": "0x00000032"
+        }
+    }
+]
+
+# ct mark != 0x00000032
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "op": "!=",
+            "right": "0x00000032"
+        }
+    }
+]
+
+# ct mark 0x00000032-0x00000045
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [ "0x00000032", "0x00000045" ]
+            }
+        }
+    }
+]
+
+# ct mark != 0x00000032-0x00000045
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ "0x00000032", "0x00000045" ]
+            }
+        }
+    }
+]
+
+# ct mark {0x32, 0x2222, 0x42de3}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "op": "in",
+            "right": {
+                "set": [
+                    "0x32",
+                    "0x2222",
+                    "0x42de3"
+                ]
+            }
+        }
+    }
+]
+
+# ct mark {0x32-0x2222, 0x4444-0x42de3}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "op": "in",
+            "right": {
+                "set": [
+                    {
+                        "range": [ "0x32", "0x2222" ]
+                    },
+                    {
+                        "range": [ "0x4444", "0x42de3" ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# ct mark != {0x32, 0x2222, 0x42de3}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "0x32",
+                    "0x2222",
+                    "0x42de3"
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set 0x11 xor 0x1331
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": { "^": [ "0x11", "0x1331" ] }
+        }
+    }
+]
+
+# ct mark set 0x11333 and 0x11
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": { "&": [ "0x11333", "0x11" ] }
+        }
+    }
+]
+
+# ct mark set 0x12 or 0x11
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": { "|": [ "0x12", "0x11" ] }
+        }
+    }
+]
+
+# ct mark set 0x11
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": "0x11"
+        }
+    }
+]
+
+# ct mark set mark
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "meta": { "key": "mark" }
+            }
+        }
+    }
+]
+
+# ct mark set (meta mark | 0x10) << 8
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "<<": [
+                    {
+                        "|": [
+                            {
+                                "meta": {
+                                    "key": "mark"
+                                }
+                            },
+                            16
+                        ]
+                    },
+                    8
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "map": {
+                    "key": {
+                        "meta": { "key": "mark" }
+                    },
+                    "data": {
+                        "set": [
+                            [ 1, 10 ],
+                            [ 2, 20 ],
+                            [ 3, 30 ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
+# ct expiration 30s
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "expiration"
+                }
+            },
+            "op": "==",
+            "right": "30s"
+        }
+    }
+]
+
+# ct expiration 30000ms
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "expiration"
+                }
+            },
+            "op": "==",
+            "right": "30000ms"
+        }
+    }
+]
+
+# ct expiration 1m-1h
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "expiration"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [ "1m", "1h" ]
+            }
+        }
+    }
+]
+
+# ct expiration > 4d23h59m59s
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "expiration"
+                }
+            },
+	    "op": ">",
+            "right": "4d23h59m59s"
+        }
+    }
+]
+
+# ct expiration != 233
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "expiration"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# ct expiration 33-45
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "expiration"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# ct expiration != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "expiration"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# ct expiration {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "expiration"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# ct expiration != {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "expiration"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# ct expiration {33-55, 66-88}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "expiration"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    { "range": [ 33, 55 ] },
+                    { "range": [ 66, 88 ] }
+                ]
+            }
+        }
+    }
+]
+
+# ct expiration != {33-55, 66-88}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "expiration"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    { "range": [ 33, 55 ] },
+                    { "range": [ 66, 88 ] }
+                ]
+            }
+        }
+    }
+]
+
+# ct helper "ftp"
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "helper"
+                }
+            },
+            "op": "==",
+            "right": "ftp"
+        }
+    }
+]
+
+# ct state . ct mark { new . 0x12345678, new . 0x34127856, established . 0x12785634}
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "ct": {
+                            "key": "state"
+                        }
+                    },
+                    {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    { "concat": [ "new", "0x12345678" ] },
+                    { "concat": [ "new", "0x34127856" ] },
+                    { "concat": [ "established", "0x12785634" ] }
+                ]
+            }
+        }
+    }
+]
+
+# ct direction . ct mark { original . 0x12345678, reply . 0x87654321}
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "ct": {
+                            "key": "direction"
+                        }
+                    },
+                    {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "original",
+                            "0x12345678"
+                        ]
+                    },
+                    {
+                        "concat": [
+                            "reply",
+                            "0x87654321"
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# ct state . ct mark vmap { new . 0x12345678 : drop, established . 0x87654321 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "concat": [
+                    {
+                        "ct": {
+                            "key": "state"
+                        }
+                    },
+                    {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    }
+                ]
+            },
+            "data": {
+                "set": [
+                    [
+                        {
+                            "concat": [
+                                "new",
+                                "0x12345678"
+                            ]
+                        },
+                        {
+                            "drop": null
+                        }
+                    ],
+                    [
+                        {
+                            "concat": [
+                                "established",
+                                "0x87654321"
+                            ]
+                        },
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ct original bytes > 100000
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "original",
+                    "key": "bytes"
+                }
+            },
+            "op": ">",
+            "right": 100000
+        }
+    }
+]
+
+# ct reply packets < 100
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "reply",
+                    "key": "packets"
+                }
+            },
+            "op": "<",
+            "right": 100
+        }
+    }
+]
+
+# ct bytes > 100000
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "bytes"
+                }
+            },
+            "op": ">",
+            "right": 100000
+        }
+    }
+]
+
+# ct avgpkt > 200
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "avgpkt"
+                }
+            },
+            "op": ">",
+            "right": 200
+        }
+    }
+]
+
+# ct original avgpkt < 500
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "original",
+                    "key": "avgpkt"
+                }
+            },
+            "op": "<",
+            "right": 500
+        }
+    }
+]
+
+# ct event set new
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "event"
+                }
+            },
+            "value": "new"
+        }
+    }
+]
+
+# ct event set new | related | destroy | label
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "event"
+                }
+            },
+            "value": [
+                "new",
+                "related",
+                "destroy",
+                "label"
+            ]
+        }
+    }
+]
+
+# ct event set new,related,destroy,label
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "event"
+                }
+            },
+            "value": [
+                "new",
+                "related",
+                "destroy",
+                "label"
+            ]
+        }
+    }
+]
+
+# ct event set new,destroy
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "event"
+                }
+            },
+            "value": [
+                "new",
+                "destroy"
+            ]
+        }
+    }
+]
+
+# ct event set 1
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "event"
+                }
+            },
+            "value": 1
+        }
+    }
+]
+
+# ct event set 0x0
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "event"
+                }
+            },
+            "value": "0x0"
+        }
+    }
+]
+
+# ct label 127
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "label"
+                }
+            },
+            "op": "in",
+            "right": 127
+        }
+    }
+]
+
+# ct label set 127
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "label"
+                }
+            },
+            "value": 127
+        }
+    }
+]
+
+# ct zone 0
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "zone"
+                }
+            },
+            "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# ct zone 23
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "zone"
+                }
+            },
+            "op": "==",
+            "right": 23
+        }
+    }
+]
+
+# ct original zone 1
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "original",
+                    "key": "zone"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# ct reply zone 1
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "reply",
+                    "key": "zone"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# ct zone set 1
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "zone"
+                }
+            },
+            "value": 1
+        }
+    }
+]
+
+# ct original zone set 1
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "dir": "original",
+                    "key": "zone"
+                }
+            },
+            "value": 1
+        }
+    }
+]
+
+# ct reply zone set 1
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "dir": "reply",
+                    "key": "zone"
+                }
+            },
+            "value": 1
+        }
+    }
+]
+
+# ct id 12345
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "id"
+                }
+            },
+            "op": "==",
+            "right": 12345
+        }
+    }
+]
+
+# ct zone set mark map { 1 : 1,  2 : 2 }
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "zone"
+                }
+            },
+            "value": {
+                "map": {
+                    "key": {
+                        "meta": { "key": "mark" }
+                    },
+                    "data": {
+                        "set": [
+                            [ 1, 1 ],
+                            [ 2, 2 ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
+# notrack
+[
+    {
+        "notrack": null
+    }
+]
+
+# ct count 3
+[
+    {
+        "ct count": {
+            "val": 3
+        }
+    }
+]
+
+# ct count over 3
+[
+    {
+        "ct count": {
+            "inv": true,
+            "val": 3
+        }
+    }
+]
+
diff --git a/tests/py/any/ct.t.json.output b/tests/py/any/ct.t.json.output
new file mode 100644
index 0000000..70ade7e
--- /dev/null
+++ b/tests/py/any/ct.t.json.output
@@ -0,0 +1,666 @@
+# ct state new,established, related, untracked
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "state"
+                }
+            },
+            "op": "in",
+            "right": [
+                "established",
+                "related",
+                "new",
+                "untracked"
+            ]
+        }
+    }
+]
+
+# ct state {new,established, related, untracked}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "state"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "established",
+                    "related",
+                    "new",
+                    "untracked"
+                ]
+            }
+        }
+    }
+]
+
+# ct state != {new,established, related, untracked}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "state"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "established",
+                    "related",
+                    "new",
+                    "untracked"
+                ]
+            }
+        }
+    }
+]
+
+# ct state 8
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "state"
+                }
+            },
+            "op": "in",
+            "right": "new"
+        }
+    }
+]
+
+# ct direction {reply, original}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "direction"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "original",
+                    "reply"
+                ]
+            }
+        }
+    }
+]
+
+# ct direction != {reply, original}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "direction"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "original",
+                    "reply"
+                ]
+            }
+        }
+    }
+]
+
+# ct mark or 0x23 == 0x11
+[
+    {
+        "match": {
+            "left": {
+                "|": [
+                    {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    },
+                    35
+                ]
+            },
+            "op": "==",
+            "right": 17
+        }
+    }
+]
+
+# ct mark or 0x3 != 0x1
+[
+    {
+        "match": {
+            "left": {
+                "|": [
+                    {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    },
+                    3
+                ]
+            },
+            "op": "!=",
+            "right": 1
+        }
+    }
+]
+
+# ct mark and 0x23 == 0x11
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    },
+                    35
+                ]
+            },
+            "op": "==",
+            "right": 17
+        }
+    }
+]
+
+# ct mark and 0x3 != 0x1
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    },
+                    3
+                ]
+            },
+            "op": "!=",
+            "right": 1
+        }
+    }
+]
+
+# ct mark xor 0x23 == 0x11
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "op": "==",
+            "right": 50
+        }
+    }
+]
+
+# ct mark xor 0x3 != 0x1
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "op": "!=",
+            "right": 2
+        }
+    }
+]
+
+# ct mark 0x00000032
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "op": "==",
+            "right": 50
+        }
+    }
+]
+
+# ct mark != 0x00000032
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "op": "!=",
+            "right": 50
+        }
+    }
+]
+
+# ct mark 0x00000032-0x00000045
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [ 50, 69 ]
+            }
+        }
+    }
+]
+
+# ct mark != 0x00000032-0x00000045
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 50, 69 ]
+            }
+        }
+    }
+]
+
+# ct mark {0x32, 0x2222, 0x42de3}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    50,
+                    8738,
+                    273891
+                ]
+            }
+        }
+    }
+]
+
+# ct mark {0x32-0x2222, 0x4444-0x42de3}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    { "range": [ 50, 8738 ] },
+                    { "range": [ 17476, 273891 ] }
+                ]
+            }
+        }
+    }
+]
+
+# ct mark != {0x32, 0x2222, 0x42de3}
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    50,
+                    8738,
+                    273891
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set 0x11 xor 0x1331
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": 4896
+        }
+    }
+]
+
+# ct mark set 0x11333 and 0x11
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": 17
+        }
+    }
+]
+
+# ct mark set 0x12 or 0x11
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": 19
+        }
+    }
+]
+
+# ct mark set 0x11
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": 17
+        }
+    }
+]
+
+# ct expiration 30s
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "expiration"
+                }
+            },
+            "op": "==",
+            "right": 30
+        }
+    }
+]
+
+# ct expiration 30000ms
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "expiration"
+                }
+            },
+            "op": "==",
+            "right": 30
+        }
+    }
+]
+
+# ct expiration 1m-1h
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "expiration"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [ 60, 3600 ]
+            }
+        }
+    }
+]
+
+# ct expiration > 4d23h59m59s
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "expiration"
+                }
+            },
+	    "op": ">",
+            "right": 431999
+        }
+    }
+]
+
+# ct state . ct mark { new . 0x12345678}
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "ct": {
+                            "key": "state"
+                        }
+                    },
+                    {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "new",
+                            305419896
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# ct state . ct mark { new . 0x12345678, new . 0x34127856, established . 0x12785634}
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "ct": {
+                            "key": "state"
+                        }
+                    },
+                    {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "new",
+                            305419896
+                        ]
+                    },
+                    {
+                        "concat": [
+                            "established",
+                            309876276
+                        ]
+                    },
+                    {
+                        "concat": [
+                            "new",
+                            873625686
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# ct direction . ct mark { original . 0x12345678, reply . 0x87654321}
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "ct": {
+                            "key": "direction"
+                        }
+                    },
+                    {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "original",
+                            305419896
+                        ]
+                    },
+                    {
+                        "concat": [
+                            "reply",
+                            2271560481
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# ct state . ct mark vmap { new . 0x12345678 : drop, established . 0x87654321 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "concat": [
+                    {
+                        "ct": {
+                            "key": "state"
+                        }
+                    },
+                    {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    }
+                ]
+            },
+            "data": {
+                "set": [
+                    [
+                        {
+                            "concat": [
+                                "new",
+                                305419896
+                            ]
+                        },
+                        {
+                            "drop": null
+                        }
+                    ],
+                    [
+                        {
+                            "concat": [
+                                "established",
+                                2271560481
+                            ]
+                        },
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ct event set 1
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "event"
+                }
+            },
+            "value": "new"
+        }
+    }
+]
+
+# ct event set 0x0
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "event"
+                }
+            },
+            "value": 0
+        }
+    }
+]
+
diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload
new file mode 100644
index 0000000..ed868e5
--- /dev/null
+++ b/tests/py/any/ct.t.payload
@@ -0,0 +1,518 @@
+# ct state new,established, related, untracked
+ip test-ip4 output
+  [ ct load state => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000004e ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ct state != related
+ip test-ip4 output
+  [ ct load state => reg 1 ]
+  [ cmp neq reg 1 0x00000004 ]
+
+# ct state {new,established, related, untracked}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000002  : 0 [end]	element 00000004  : 0 [end]	element 00000040  : 0 [end]
+ip test-ip4 output
+  [ ct load state => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ct state != {new,established, related, untracked}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000002  : 0 [end]	element 00000004  : 0 [end]	element 00000040  : 0 [end]
+ip test-ip4 output
+  [ ct load state => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ct state invalid drop
+ip test-ip4 output
+  [ ct load state => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+  [ immediate reg 0 drop ]
+
+# ct state established accept
+ip test-ip4 output
+  [ ct load state => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+  [ immediate reg 0 accept ]
+
+# ct state 8
+ip test-ip4 output
+  [ ct load state => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000008 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ct direction original
+ip test-ip4 output
+  [ ct load direction => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# ct direction != original
+ip test-ip4 output
+  [ ct load direction => reg 1 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ct direction reply
+ip test-ip4 output
+  [ ct load direction => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# ct direction != reply
+ip test-ip4 output
+  [ ct load direction => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# ct direction {reply, original}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000000  : 0 [end]
+ip test-ip4 output
+  [ ct load direction => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ct direction != {reply, original}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000000  : 0 [end]
+ip test-ip4 output
+  [ ct load direction => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ct status expected
+ip test-ip4 output
+  [ ct load status => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ct status != expected
+ip test-ip4 output
+  [ ct load status => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# ct status seen-reply
+ip test-ip4 output
+  [ ct load status => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ct status != seen-reply
+ip test-ip4 output
+  [ ct load status => reg 1 ]
+  [ cmp neq reg 1 0x00000002 ]
+
+# ct status {expected, seen-reply, assured, confirmed, dying}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000002  : 0 [end]	element 00000004  : 0 [end]	element 00000008  : 0 [end]	element 00000200  : 0 [end]
+ip test-ip4 output
+  [ ct load status => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ct status != {expected, seen-reply, assured, confirmed, dying}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000002  : 0 [end]	element 00000004  : 0 [end]	element 00000008  : 0 [end]	element 00000200  : 0 [end]
+ip test-ip4 output
+  [ ct load status => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ct mark 0
+ip test-ip4 output
+  [ ct load mark => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# ct mark or 0x23 == 0x11
+ip test-ip4 output
+  [ ct load mark => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0xffffffdc ) ^ 0x00000023 ]
+  [ cmp eq reg 1 0x00000011 ]
+
+# ct mark or 0x3 != 0x1
+ip test-ip4 output
+  [ ct load mark => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0xfffffffc ) ^ 0x00000003 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# ct mark and 0x23 == 0x11
+ip test-ip4 output
+  [ ct load mark => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000023 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000011 ]
+
+# ct mark and 0x3 != 0x1
+ip test-ip4 output
+  [ ct load mark => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# ct mark xor 0x23 == 0x11
+ip test-ip4 output
+  [ ct load mark => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+
+# ct mark xor 0x3 != 0x1
+ip test-ip4 output
+  [ ct load mark => reg 1 ]
+  [ cmp neq reg 1 0x00000002 ]
+
+# ct mark 0x00000032
+ip test-ip4 output
+  [ ct load mark => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+
+# ct mark != 0x00000032
+ip test-ip4 output
+  [ ct load mark => reg 1 ]
+  [ cmp neq reg 1 0x00000032 ]
+
+# ct mark 0x00000032-0x00000045
+ip test-ip4 output
+  [ ct load mark => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ cmp gte reg 1 0x32000000 ]
+  [ cmp lte reg 1 0x45000000 ]
+
+# ct mark != 0x00000032-0x00000045
+ip test-ip4 output
+  [ ct load mark => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ range neq reg 1 0x32000000 0x45000000 ]
+
+# ct mark {0x32, 0x2222, 0x42de3}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000032  : 0 [end]	element 00002222  : 0 [end]	element 00042de3  : 0 [end]
+ip test-ip4 output
+  [ ct load mark => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ct mark {0x32-0x2222, 0x4444-0x42de3}
+__set%d test-ip4 7
+__set%d test-ip4 0
+        element 00000000  : 1 [end]     element 32000000  : 0 [end]     element 23220000  : 1 [end]     element 44440000  : 0 [end]     element e42d0400  : 1 [end]
+ip test-ip4 output
+  [ ct load mark => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d ]
+
+# ct mark != {0x32, 0x2222, 0x42de3}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000032  : 0 [end]	element 00002222  : 0 [end]	element 00042de3  : 0 [end]
+ip test-ip4 output
+  [ ct load mark => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ct mark set 0x11 xor 0x1331
+ip test-ip4 output
+  [ immediate reg 1 0x00001320 ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set 0x11333 and 0x11
+ip test-ip4 output
+  [ immediate reg 1 0x00000011 ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set 0x12 or 0x11
+ip test-ip4 output
+  [ immediate reg 1 0x00000013 ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set 0x11
+ip test-ip4 output
+  [ immediate reg 1 0x00000011 ]
+  [ ct set mark with reg 1 ]
+
+# ct expiration 30s
+ip test-ip4 output
+  [ ct load expiration => reg 1 ]
+  [ cmp eq reg 1 0x00007530 ]
+
+# ct expiration 30000ms
+ip test-ip4 output
+  [ ct load expiration => reg 1 ]
+  [ cmp eq reg 1 0x00007530 ]
+
+# ct expiration 1m-1h
+ip test-ip4 output
+  [ ct load expiration => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ cmp gte reg 1 0x60ea0000 ]
+  [ cmp lte reg 1 0x80ee3600 ]
+
+# ct expiration > 4d23h59m59s
+ip test-ip4 output
+  [ ct load expiration => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ cmp gt reg 1 0x18c8bf19 ]
+
+# ct expiration != 233
+ip test-ip4 output
+  [ ct load expiration => reg 1 ]
+  [ cmp neq reg 1 0x00038e28 ]
+
+# ct expiration 33-45
+ip test-ip4 output
+  [ ct load expiration => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ cmp gte reg 1 0xe8800000 ]
+  [ cmp lte reg 1 0xc8af0000 ]
+
+# ct expiration != 33-45
+ip test-ip4 output
+  [ ct load expiration => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ range neq reg 1 0xe8800000 0xc8af0000 ]
+
+# ct expiration {33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 000080e8  : 0 [end]	element 0000d6d8  : 0 [end]	element 000105b8  : 0 [end]	element 000157c0  : 0 [end]
+ip test-ip4 output
+  [ ct load expiration => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ct expiration != {33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 000080e8  : 0 [end]	element 0000d6d8  : 0 [end]	element 000105b8  : 0 [end]	element 000157c0  : 0 [end]
+ip test-ip4 output
+  [ ct load expiration => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ct expiration {33-55, 66-88}
+__set%d test-ip4 7 size 5
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element e8800000  : 0 [end]	element d9d60000  : 1 [end]	element d0010100  : 0 [end]	element c1570100  : 1 [end]
+ip test-ip4 output 
+  [ ct load expiration => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d ]
+
+# ct expiration != {33-55, 66-88}
+__set%d test-ip4 7 size 5
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element e8800000  : 0 [end]	element d9d60000  : 1 [end]	element d0010100  : 0 [end]	element c1570100  : 1 [end]
+ip test-ip4 output 
+  [ ct load expiration => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ct helper "ftp"
+ip test-ip4 output
+  [ ct load helper => reg 1 ]
+  [ cmp eq reg 1 0x00707466 0x00000000 0x00000000 0x00000000 ]
+
+# ct state . ct mark { new . 0x12345678, new . 0x34127856, established . 0x12785634}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008 12345678  : 0 [end]	element 00000008 34127856  : 0 [end]	element 00000002 12785634  : 0 [end]
+ip test-ip4 output
+  [ ct load state => reg 1 ]
+  [ ct load mark => reg 9 ]
+  [ lookup reg 1 set __set%d ]
+
+# ct mark set mark
+ip test-ip4 output
+  [ meta load mark => reg 1 ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set (meta mark | 0x10) << 8
+inet test-inet output
+  [ meta load mark => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ]
+  [ bitwise reg 1 = ( reg 1 << 0x00000008 ) ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }
+__map%d test-ip4 b
+__map%d test-ip4 0
+        element 00000001  : 0000000a 0 [end]    element 00000002  : 00000014 0 [end]    element 00000003  : 0000001e 0 [end]
+ip test-ip4 output
+  [ meta load mark => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ ct set mark with reg 1 ]
+
+# ct original bytes > 100000
+ip test-ip4 output
+  [ ct load bytes => reg 1 , dir original ]
+  [ byteorder reg 1 = hton(reg 1, 8, 8) ]
+  [ cmp gt reg 1 0x00000000 0xa0860100 ]
+
+# ct reply packets < 100
+ip test-ip4 output
+  [ ct load packets => reg 1 , dir reply ]
+  [ byteorder reg 1 = hton(reg 1, 8, 8) ]
+  [ cmp lt reg 1 0x00000000 0x64000000 ]
+
+# ct bytes > 100000
+ip test-ip4 output
+  [ ct load bytes => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 8, 8) ]
+  [ cmp gt reg 1 0x00000000 0xa0860100 ]
+
+# ct avgpkt > 200
+ip test-ip4 output
+  [ ct load avgpkt => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 8, 8) ]
+  [ cmp gt reg 1 0x00000000 0xc8000000 ]
+
+# ct original avgpkt < 500
+ip test-ip4 output
+  [ ct load avgpkt => reg 1 , dir original ]
+  [ byteorder reg 1 = hton(reg 1, 8, 8) ]
+  [ cmp lt reg 1 0x00000000 0xf4010000 ]
+
+# ct status expected,seen-reply,assured,confirmed,snat,dnat,dying
+ip test-ip4 output
+  [ ct load status => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000023f ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ct status snat
+ip test-ip4 output
+  [ ct load status => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ct status dnat
+ip test-ip4 output
+  [ ct load status => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ct event set new
+ip test-ip4 output
+  [ immediate reg 1 0x00000001 ]
+  [ ct set event with reg 1 ]
+
+# ct event set new | related | destroy | label
+ip test-ip4 output
+  [ immediate reg 1 0x00000407 ]
+  [ ct set event with reg 1 ]
+
+# ct event set new,related,destroy,label
+ip test-ip4 output
+  [ immediate reg 1 0x00000407 ]
+  [ ct set event with reg 1 ]
+
+# ct event set new,destroy
+ip test-ip4 output
+  [ immediate reg 1 0x00000005 ]
+  [ ct set event with reg 1 ]
+
+# ct event set 1
+ip test-ip4 output
+  [ immediate reg 1 0x00000001 ]
+  [ ct set event with reg 1 ]
+
+# ct event set 0x0
+ip test-ip4 output
+  [ immediate reg 1 0x00000000 ]
+  [ ct set event with reg 1 ]
+
+# ct label 127
+ip test-ip4 output
+  [ ct load label => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000000 0x00000000 0x00000000 0x80000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 0x00000000 0x00000000 0x00000000 ]
+
+# ct label set 127
+ip test-ip4 output
+  [ immediate reg 1 0x00000000 0x00000000 0x00000000 0x80000000 ]
+  [ ct set label with reg 1 ]
+
+# ct zone 0
+ip test-ip4 output
+  [ ct load zone => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# ct zone 23
+ip test-ip4 output
+  [ ct load zone => reg 1 ]
+  [ cmp eq reg 1 0x00000017 ]
+
+# ct original zone 1
+ip test-ip4 output
+  [ ct load zone => reg 1 , dir original ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# ct reply zone 1
+ip test-ip4 output
+  [ ct load zone => reg 1 , dir reply ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# ct zone set 1
+ip test-ip4 output
+  [ immediate reg 1 0x00000001 ]
+  [ ct set zone with reg 1 ]
+
+# ct original zone set 1
+ip test-ip4 output
+  [ immediate reg 1 0x00000001 ]
+  [ ct set zone with reg 1 , dir original ]
+
+# ct reply zone set 1
+ip test-ip4 output
+  [ immediate reg 1 0x00000001 ]
+  [ ct set zone with reg 1 , dir reply ]
+
+# ct zone set mark map { 1 : 1,  2 : 2 }
+__map%d test-ip4 b
+__map%d test-ip4 0
+        element 00000001  : 00000001 0 [end]    element 00000002  : 00000002 0 [end]
+ip test-ip4 output
+  [ meta load mark => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ ct set zone with reg 1 ]
+
+# notrack
+ip test-ip4 output
+  [ notrack ]
+
+# ct direction . ct mark { original . 0x12345678, reply . 0x87654321}
+__set%d test-ip4 3 size 2
+__set%d test-ip4 0
+	element 00000000 12345678  : 0 [end]	element 00000001 87654321  : 0 [end]
+ip test-ip4 output 
+  [ ct load direction => reg 1 ]
+  [ ct load mark => reg 9 ]
+  [ lookup reg 1 set __set%d ]
+
+# ct state . ct mark vmap { new . 0x12345678 : drop, established . 0x87654321 : accept}
+__map%d test-ip4 b size 2
+__map%d test-ip4 0
+	element 00000008 12345678  : drop 0 [end]	element 00000002 87654321  : accept 0 [end]
+ip test-ip4 output 
+  [ ct load state => reg 1 ]
+  [ ct load mark => reg 9 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ct mark set ct mark or 0x00000001
+ip test-ip4 output
+  [ ct load mark => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0xfffffffe ) ^ 0x00000001 ]
+  [ ct set mark with reg 1 ]
+
+# ct id 12345
+ip test-ip4 output
+  [ ct load unknown => reg 1 ]
+  [ cmp eq reg 1 0x39300000 ]
+
+# ct status ! dnat
+ip6
+  [ ct load status => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# ct count 3
+ip test-ip4 output
+  [ connlimit count 3 flags 0 ]
+
+# ct count over 3
+ip test-ip4 output
+  [ connlimit count 3 flags 1 ]
+
diff --git a/tests/py/any/icmpX.t.netdev b/tests/py/any/icmpX.t.netdev
new file mode 100644
index 0000000..cf40242
--- /dev/null
+++ b/tests/py/any/icmpX.t.netdev
@@ -0,0 +1,9 @@
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*netdev;test-netdev;ingress,egress
+
+ip protocol icmp icmp type echo-request;ok;icmp type echo-request
+icmp type echo-request;ok
+ip6 nexthdr icmpv6 icmpv6 type echo-request;ok;icmpv6 type echo-request
+icmpv6 type echo-request;ok
diff --git a/tests/py/any/icmpX.t.netdev.payload b/tests/py/any/icmpX.t.netdev.payload
new file mode 100644
index 0000000..8b8107c
--- /dev/null
+++ b/tests/py/any/icmpX.t.netdev.payload
@@ -0,0 +1,36 @@
+# ip protocol icmp icmp type echo-request
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# icmp type echo-request
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# ip6 nexthdr icmpv6 icmpv6 type echo-request
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000080 ]
+
+# icmpv6 type echo-request
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000080 ]
+
diff --git a/tests/py/any/last.t b/tests/py/any/last.t
new file mode 100644
index 0000000..5c53046
--- /dev/null
+++ b/tests/py/any/last.t
@@ -0,0 +1,13 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*arp;test-arp;input
+*bridge;test-bridge;input
+*netdev;test-netdev;ingress
+
+last;ok
+last used 300s;ok;last
+last used foo;fail
diff --git a/tests/py/any/last.t.json b/tests/py/any/last.t.json
new file mode 100644
index 0000000..2a2b9e7
--- /dev/null
+++ b/tests/py/any/last.t.json
@@ -0,0 +1,16 @@
+# last
+[
+    {
+        "last": null
+    }
+]
+
+# last used 300s
+[
+    {
+        "last": {
+		"used": 300000
+	}
+    }
+]
+
diff --git a/tests/py/any/last.t.json.output b/tests/py/any/last.t.json.output
new file mode 100644
index 0000000..b8a977e
--- /dev/null
+++ b/tests/py/any/last.t.json.output
@@ -0,0 +1,14 @@
+# last
+[
+    {
+        "last": null
+    }
+]
+
+# last used 300s
+[
+    {
+        "last": null
+    }
+]
+
diff --git a/tests/py/any/last.t.payload b/tests/py/any/last.t.payload
new file mode 100644
index 0000000..ed47d0f
--- /dev/null
+++ b/tests/py/any/last.t.payload
@@ -0,0 +1,8 @@
+# last
+ip
+  [ last never ]
+
+# last used 300s
+ip
+  [ last 300000 ]
+
diff --git a/tests/py/any/limit.t b/tests/py/any/limit.t
new file mode 100644
index 0000000..a04ef42
--- /dev/null
+++ b/tests/py/any/limit.t
@@ -0,0 +1,55 @@
+:output;type filter hook output priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;output
+*ip6;test-ip6;output
+*inet;test-inet;output
+*arp;test-arp;output
+*bridge;test-bridge;output
+*netdev;test-netdev;ingress,egress
+
+limit rate 400/minute;ok;limit rate 400/minute burst 5 packets
+limit rate 20/second;ok;limit rate 20/second burst 5 packets
+limit rate 400/hour;ok;limit rate 400/hour burst 5 packets
+limit rate 40/day;ok;limit rate 40/day burst 5 packets
+limit rate 400/week;ok;limit rate 400/week burst 5 packets
+limit rate 1023/second burst 10 packets;ok
+limit rate 1023/second burst 10 bytes;fail
+
+limit rate 1 kbytes/second;ok
+limit rate 2 kbytes/second;ok
+limit rate 1025 kbytes/second;ok
+limit rate 1023 mbytes/second;ok
+limit rate 10230 mbytes/second;ok
+limit rate 1023000 mbytes/second;ok
+limit rate 512 kbytes/second burst 5 packets;fail
+
+limit rate 1 bytes / second;ok;limit rate 1 bytes/second
+limit rate 1 kbytes / second;ok;limit rate 1 kbytes/second
+limit rate 1 mbytes / second;ok;limit rate 1 mbytes/second
+limit rate 1 gbytes / second;fail
+
+limit rate 1025 bytes/second burst 512 bytes;ok
+limit rate 1025 kbytes/second burst 1023 kbytes;ok
+limit rate 1025 mbytes/second burst 1025 kbytes;ok
+limit rate 1025000 mbytes/second burst 1023 mbytes;ok
+
+limit rate over 400/minute;ok;limit rate over 400/minute burst 5 packets
+limit rate over 20/second;ok;limit rate over 20/second burst 5 packets
+limit rate over 400/hour;ok;limit rate over 400/hour burst 5 packets
+limit rate over 40/day;ok;limit rate over 40/day burst 5 packets
+limit rate over 400/week;ok;limit rate over 400/week burst 5 packets
+limit rate over 1023/second burst 10 packets;ok
+
+limit rate over 1 kbytes/second;ok
+limit rate over 2 kbytes/second;ok
+limit rate over 1025 kbytes/second;ok
+limit rate over 1023 mbytes/second;ok
+limit rate over 10230 mbytes/second;ok
+limit rate over 1023000 mbytes/second;ok
+
+limit rate over 1025 bytes/second burst 512 bytes;ok
+limit rate over 1025 kbytes/second burst 1023 kbytes;ok
+limit rate over 1025 mbytes/second burst 1025 kbytes;ok
+limit rate over 1025000 mbytes/second burst 1023 mbytes;ok
diff --git a/tests/py/any/limit.t.json b/tests/py/any/limit.t.json
new file mode 100644
index 0000000..e001ba0
--- /dev/null
+++ b/tests/py/any/limit.t.json
@@ -0,0 +1,413 @@
+# limit rate 400/minute
+[
+    {
+        "limit": {
+            "per": "minute",
+            "rate": 400
+        }
+    }
+]
+
+# limit rate 20/second
+[
+    {
+        "limit": {
+            "per": "second",
+            "rate": 20
+        }
+    }
+]
+
+# limit rate 400/hour
+[
+    {
+        "limit": {
+            "per": "hour",
+            "rate": 400
+        }
+    }
+]
+
+# limit rate 40/day
+[
+    {
+        "limit": {
+            "per": "day",
+            "rate": 40
+        }
+    }
+]
+
+# limit rate 400/week
+[
+    {
+        "limit": {
+            "per": "week",
+            "rate": 400
+        }
+    }
+]
+
+# limit rate 1023/second burst 10 packets
+[
+    {
+        "limit": {
+            "burst": 10,
+            "per": "second",
+            "rate": 1023
+        }
+    }
+]
+
+# limit rate 1 kbytes/second
+[
+    {
+        "limit": {
+            "per": "second",
+            "rate": 1,
+            "rate_unit": "kbytes"
+        }
+    }
+]
+
+# limit rate 2 kbytes/second
+[
+    {
+        "limit": {
+            "per": "second",
+            "rate": 2,
+            "rate_unit": "kbytes"
+        }
+    }
+]
+
+# limit rate 1025 kbytes/second
+[
+    {
+        "limit": {
+            "per": "second",
+            "rate": 1025,
+            "rate_unit": "kbytes"
+        }
+    }
+]
+
+# limit rate 1023 mbytes/second
+[
+    {
+        "limit": {
+            "per": "second",
+            "rate": 1023,
+            "rate_unit": "mbytes"
+        }
+    }
+]
+
+# limit rate 10230 mbytes/second
+[
+    {
+        "limit": {
+            "per": "second",
+            "rate": 10230,
+            "rate_unit": "mbytes"
+        }
+    }
+]
+
+# limit rate 1023000 mbytes/second
+[
+    {
+        "limit": {
+            "per": "second",
+            "rate": 1023000,
+            "rate_unit": "mbytes"
+        }
+    }
+]
+
+# limit rate 1 bytes / second
+[
+    {
+        "limit": {
+            "burst": 0,
+            "burst_unit": "bytes",
+            "per": "second",
+            "rate": 1,
+            "rate_unit": "bytes"
+        }
+    }
+]
+
+# limit rate 1 kbytes / second
+[
+    {
+        "limit": {
+            "burst": 0,
+            "burst_unit": "bytes",
+            "per": "second",
+            "rate": 1,
+            "rate_unit": "kbytes"
+        }
+    }
+]
+
+# limit rate 1 mbytes / second
+[
+    {
+        "limit": {
+            "burst": 0,
+            "burst_unit": "bytes",
+            "per": "second",
+            "rate": 1,
+            "rate_unit": "mbytes"
+        }
+    }
+]
+
+# limit rate 1025 bytes/second burst 512 bytes
+[
+    {
+        "limit": {
+            "burst": 512,
+            "burst_unit": "bytes",
+            "per": "second",
+            "rate": 1025,
+            "rate_unit": "bytes"
+        }
+    }
+]
+
+# limit rate 1025 kbytes/second burst 1023 kbytes
+[
+    {
+        "limit": {
+            "burst": 1023,
+            "burst_unit": "kbytes",
+            "per": "second",
+            "rate": 1025,
+            "rate_unit": "kbytes"
+        }
+    }
+]
+
+# limit rate 1025 mbytes/second burst 1025 kbytes
+[
+    {
+        "limit": {
+            "burst": 1025,
+            "burst_unit": "kbytes",
+            "per": "second",
+            "rate": 1025,
+            "rate_unit": "mbytes"
+        }
+    }
+]
+
+# limit rate 1025000 mbytes/second burst 1023 mbytes
+[
+    {
+        "limit": {
+            "burst": 1023,
+            "burst_unit": "mbytes",
+            "per": "second",
+            "rate": 1025000,
+            "rate_unit": "mbytes"
+        }
+    }
+]
+
+# limit rate over 400/minute
+[
+    {
+        "limit": {
+            "inv": true,
+            "per": "minute",
+            "rate": 400
+        }
+    }
+]
+
+# limit rate over 20/second
+[
+    {
+        "limit": {
+            "inv": true,
+            "per": "second",
+            "rate": 20
+        }
+    }
+]
+
+# limit rate over 400/hour
+[
+    {
+        "limit": {
+            "inv": true,
+            "per": "hour",
+            "rate": 400
+        }
+    }
+]
+
+# limit rate over 40/day
+[
+    {
+        "limit": {
+            "inv": true,
+            "per": "day",
+            "rate": 40
+        }
+    }
+]
+
+# limit rate over 400/week
+[
+    {
+        "limit": {
+            "inv": true,
+            "per": "week",
+            "rate": 400
+        }
+    }
+]
+
+# limit rate over 1023/second burst 10 packets
+[
+    {
+        "limit": {
+            "burst": 10,
+            "inv": true,
+            "per": "second",
+            "rate": 1023
+        }
+    }
+]
+
+# limit rate over 1 kbytes/second
+[
+    {
+        "limit": {
+            "inv": true,
+            "per": "second",
+            "rate": 1,
+            "rate_unit": "kbytes"
+        }
+    }
+]
+
+# limit rate over 2 kbytes/second
+[
+    {
+        "limit": {
+            "inv": true,
+            "per": "second",
+            "rate": 2,
+            "rate_unit": "kbytes"
+        }
+    }
+]
+
+# limit rate over 1025 kbytes/second
+[
+    {
+        "limit": {
+            "inv": true,
+            "per": "second",
+            "rate": 1025,
+            "rate_unit": "kbytes"
+        }
+    }
+]
+
+# limit rate over 1023 mbytes/second
+[
+    {
+        "limit": {
+            "inv": true,
+            "per": "second",
+            "rate": 1023,
+            "rate_unit": "mbytes"
+        }
+    }
+]
+
+# limit rate over 10230 mbytes/second
+[
+    {
+        "limit": {
+            "inv": true,
+            "per": "second",
+            "rate": 10230,
+            "rate_unit": "mbytes"
+        }
+    }
+]
+
+# limit rate over 1023000 mbytes/second
+[
+    {
+        "limit": {
+            "inv": true,
+            "per": "second",
+            "rate": 1023000,
+            "rate_unit": "mbytes"
+        }
+    }
+]
+
+# limit rate over 1025 bytes/second burst 512 bytes
+[
+    {
+        "limit": {
+            "burst": 512,
+            "burst_unit": "bytes",
+            "inv": true,
+            "per": "second",
+            "rate": 1025,
+            "rate_unit": "bytes"
+        }
+    }
+]
+
+# limit rate over 1025 kbytes/second burst 1023 kbytes
+[
+    {
+        "limit": {
+            "burst": 1023,
+            "burst_unit": "kbytes",
+            "inv": true,
+            "per": "second",
+            "rate": 1025,
+            "rate_unit": "kbytes"
+        }
+    }
+]
+
+# limit rate over 1025 mbytes/second burst 1025 kbytes
+[
+    {
+        "limit": {
+            "burst": 1025,
+            "burst_unit": "kbytes",
+            "inv": true,
+            "per": "second",
+            "rate": 1025,
+            "rate_unit": "mbytes"
+        }
+    }
+]
+
+# limit rate over 1025000 mbytes/second burst 1023 mbytes
+[
+    {
+        "limit": {
+            "burst": 1023,
+            "burst_unit": "mbytes",
+            "inv": true,
+            "per": "second",
+            "rate": 1025000,
+            "rate_unit": "mbytes"
+        }
+    }
+]
+
diff --git a/tests/py/any/limit.t.json.output b/tests/py/any/limit.t.json.output
new file mode 100644
index 0000000..5a95f5e
--- /dev/null
+++ b/tests/py/any/limit.t.json.output
@@ -0,0 +1,277 @@
+# limit rate 400/minute
+[
+    {
+        "limit": {
+            "burst": 5,
+            "per": "minute",
+            "rate": 400
+        }
+    }
+]
+
+# limit rate 20/second
+[
+    {
+        "limit": {
+            "burst": 5,
+            "per": "second",
+            "rate": 20
+        }
+    }
+]
+
+# limit rate 400/hour
+[
+    {
+        "limit": {
+            "burst": 5,
+            "per": "hour",
+            "rate": 400
+        }
+    }
+]
+
+# limit rate 40/day
+[
+    {
+        "limit": {
+            "burst": 5,
+            "per": "day",
+            "rate": 40
+        }
+    }
+]
+
+# limit rate 400/week
+[
+    {
+        "limit": {
+            "burst": 5,
+            "per": "week",
+            "rate": 400
+        }
+    }
+]
+
+# limit rate 1 kbytes/second
+[
+    {
+        "limit": {
+            "burst": 0,
+            "burst_unit": "bytes",
+            "per": "second",
+            "rate": 1,
+            "rate_unit": "kbytes"
+        }
+    }
+]
+
+# limit rate 2 kbytes/second
+[
+    {
+        "limit": {
+            "burst": 0,
+            "burst_unit": "bytes",
+            "per": "second",
+            "rate": 2,
+            "rate_unit": "kbytes"
+        }
+    }
+]
+
+# limit rate 1025 kbytes/second
+[
+    {
+        "limit": {
+            "burst": 0,
+            "burst_unit": "bytes",
+            "per": "second",
+            "rate": 1025,
+            "rate_unit": "kbytes"
+        }
+    }
+]
+
+# limit rate 1023 mbytes/second
+[
+    {
+        "limit": {
+            "burst": 0,
+            "burst_unit": "bytes",
+            "per": "second",
+            "rate": 1023,
+            "rate_unit": "mbytes"
+        }
+    }
+]
+
+# limit rate 10230 mbytes/second
+[
+    {
+        "limit": {
+            "burst": 0,
+            "burst_unit": "bytes",
+            "per": "second",
+            "rate": 10230,
+            "rate_unit": "mbytes"
+        }
+    }
+]
+
+# limit rate 1023000 mbytes/second
+[
+    {
+        "limit": {
+            "burst": 0,
+            "burst_unit": "bytes",
+            "per": "second",
+            "rate": 1023000,
+            "rate_unit": "mbytes"
+        }
+    }
+]
+
+# limit rate over 400/minute
+[
+    {
+        "limit": {
+            "burst": 5,
+            "inv": true,
+            "per": "minute",
+            "rate": 400
+        }
+    }
+]
+
+# limit rate over 20/second
+[
+    {
+        "limit": {
+            "burst": 5,
+            "inv": true,
+            "per": "second",
+            "rate": 20
+        }
+    }
+]
+
+# limit rate over 400/hour
+[
+    {
+        "limit": {
+            "burst": 5,
+            "inv": true,
+            "per": "hour",
+            "rate": 400
+        }
+    }
+]
+
+# limit rate over 40/day
+[
+    {
+        "limit": {
+            "burst": 5,
+            "inv": true,
+            "per": "day",
+            "rate": 40
+        }
+    }
+]
+
+# limit rate over 400/week
+[
+    {
+        "limit": {
+            "burst": 5,
+            "inv": true,
+            "per": "week",
+            "rate": 400
+        }
+    }
+]
+
+# limit rate over 1 kbytes/second
+[
+    {
+        "limit": {
+            "burst": 0,
+            "burst_unit": "bytes",
+            "inv": true,
+            "per": "second",
+            "rate": 1,
+            "rate_unit": "kbytes"
+        }
+    }
+]
+
+# limit rate over 2 kbytes/second
+[
+    {
+        "limit": {
+            "burst": 0,
+            "burst_unit": "bytes",
+            "inv": true,
+            "per": "second",
+            "rate": 2,
+            "rate_unit": "kbytes"
+        }
+    }
+]
+
+# limit rate over 1025 kbytes/second
+[
+    {
+        "limit": {
+            "burst": 0,
+            "burst_unit": "bytes",
+            "inv": true,
+            "per": "second",
+            "rate": 1025,
+            "rate_unit": "kbytes"
+        }
+    }
+]
+
+# limit rate over 1023 mbytes/second
+[
+    {
+        "limit": {
+            "burst": 0,
+            "burst_unit": "bytes",
+            "inv": true,
+            "per": "second",
+            "rate": 1023,
+            "rate_unit": "mbytes"
+        }
+    }
+]
+
+# limit rate over 10230 mbytes/second
+[
+    {
+        "limit": {
+            "burst": 0,
+            "burst_unit": "bytes",
+            "inv": true,
+            "per": "second",
+            "rate": 10230,
+            "rate_unit": "mbytes"
+        }
+    }
+]
+
+# limit rate over 1023000 mbytes/second
+[
+    {
+        "limit": {
+            "burst": 0,
+            "burst_unit": "bytes",
+            "inv": true,
+            "per": "second",
+            "rate": 1023000,
+            "rate_unit": "mbytes"
+        }
+    }
+]
+
diff --git a/tests/py/any/limit.t.payload b/tests/py/any/limit.t.payload
new file mode 100644
index 0000000..0c7ee94
--- /dev/null
+++ b/tests/py/any/limit.t.payload
@@ -0,0 +1,141 @@
+# limit rate 400/minute
+ip test-ip4 output
+  [ limit rate 400/minute burst 5 type packets flags 0x0 ]
+
+# limit rate 20/second
+ip test-ip4 output
+  [ limit rate 20/second burst 5 type packets flags 0x0 ]
+
+# limit rate 400/hour
+ip test-ip4 output
+  [ limit rate 400/hour burst 5 type packets flags 0x0 ]
+
+# limit rate 400/week
+ip test-ip4 output
+  [ limit rate 400/week burst 5 type packets flags 0x0 ]
+
+# limit rate 40/day
+ip test-ip4 output
+  [ limit rate 40/day burst 5 type packets flags 0x0 ]
+
+# limit rate 1023/second burst 10 packets
+ip test-ip4 output
+  [ limit rate 1023/second burst 10 type packets flags 0x0 ]
+
+# limit rate 1 kbytes/second
+ip test-ip4 output
+  [ limit rate 1024/second burst 0 type bytes flags 0x0 ]
+
+# limit rate 2 kbytes/second
+ip test-ip4 output
+  [ limit rate 2048/second burst 0 type bytes flags 0x0 ]
+
+# limit rate 1025 kbytes/second
+ip test-ip4 output
+  [ limit rate 1049600/second burst 0 type bytes flags 0x0 ]
+
+# limit rate 1023 mbytes/second
+ip test-ip4 output
+  [ limit rate 1072693248/second burst 0 type bytes flags 0x0 ]
+
+# limit rate 10230 mbytes/second
+ip test-ip4 output
+  [ limit rate 10726932480/second burst 0 type bytes flags 0x0 ]
+
+# limit rate 1023000 mbytes/second
+ip test-ip4 output
+  [ limit rate 1072693248000/second burst 0 type bytes flags 0x0 ]
+
+# limit rate 1 bytes / second
+ip
+  [ limit rate 1/second burst 0 type bytes flags 0x0 ]
+
+# limit rate 1 kbytes / second
+ip
+  [ limit rate 1024/second burst 0 type bytes flags 0x0 ]
+
+# limit rate 1 mbytes / second
+ip
+  [ limit rate 1048576/second burst 0 type bytes flags 0x0 ]
+
+
+# limit rate 1025 bytes/second burst 512 bytes
+ip test-ip4 output
+  [ limit rate 1025/second burst 512 type bytes flags 0x0 ]
+
+# limit rate 1025 kbytes/second burst 1023 kbytes
+ip test-ip4 output
+  [ limit rate 1049600/second burst 1047552 type bytes flags 0x0 ]
+
+# limit rate 1025 mbytes/second burst 1025 kbytes
+ip test-ip4 output
+  [ limit rate 1074790400/second burst 1049600 type bytes flags 0x0 ]
+
+# limit rate 1025000 mbytes/second burst 1023 mbytes
+ip test-ip4 output
+  [ limit rate 1074790400000/second burst 1072693248 type bytes flags 0x0 ]
+
+# limit rate over 400/minute
+ip test-ip4 output
+  [ limit rate 400/minute burst 5 type packets flags 0x1 ]
+
+# limit rate over 20/second
+ip test-ip4 output
+  [ limit rate 20/second burst 5 type packets flags 0x1 ]
+
+# limit rate over 400/hour
+ip test-ip4 output
+  [ limit rate 400/hour burst 5 type packets flags 0x1 ]
+
+# limit rate over 400/week
+ip test-ip4 output
+  [ limit rate 400/week burst 5 type packets flags 0x1 ]
+
+# limit rate over 40/day
+ip test-ip4 output
+  [ limit rate 40/day burst 5 type packets flags 0x1 ]
+
+# limit rate over 1023/second burst 10 packets
+ip test-ip4 output
+  [ limit rate 1023/second burst 10 type packets flags 0x1 ]
+
+# limit rate over 1 kbytes/second
+ip test-ip4 output
+  [ limit rate 1024/second burst 0 type bytes flags 0x1 ]
+
+# limit rate over 2 kbytes/second
+ip test-ip4 output
+  [ limit rate 2048/second burst 0 type bytes flags 0x1 ]
+
+# limit rate over 1025 kbytes/second
+ip test-ip4 output
+  [ limit rate 1049600/second burst 0 type bytes flags 0x1 ]
+
+# limit rate over 1023 mbytes/second
+ip test-ip4 output
+  [ limit rate 1072693248/second burst 0 type bytes flags 0x1 ]
+
+# limit rate over 10230 mbytes/second
+ip test-ip4 output
+  [ limit rate 10726932480/second burst 0 type bytes flags 0x1 ]
+
+# limit rate over 1023000 mbytes/second
+ip test-ip4 output
+  [ limit rate 1072693248000/second burst 0 type bytes flags 0x1 ]
+
+# limit rate over 1025 bytes/second burst 512 bytes
+ip test-ip4 output
+  [ limit rate 1025/second burst 512 type bytes flags 0x1 ]
+
+# limit rate over 1025 kbytes/second burst 1023 kbytes
+ip test-ip4 output
+  [ limit rate 1049600/second burst 1047552 type bytes flags 0x1 ]
+
+# limit rate over 1025 mbytes/second burst 1025 kbytes
+ip test-ip4 output
+  [ limit rate 1074790400/second burst 1049600 type bytes flags 0x1 ]
+
+# limit rate over 1025000 mbytes/second burst 1023 mbytes
+ip test-ip4 output
+  [ limit rate 1074790400000/second burst 1072693248 type bytes flags 0x1 ]
+
diff --git a/tests/py/any/log.t b/tests/py/any/log.t
new file mode 100644
index 0000000..f4ccaf0
--- /dev/null
+++ b/tests/py/any/log.t
@@ -0,0 +1,41 @@
+:output;type filter hook output priority 0
+
+*ip;test-ip4;output
+*ip6;test-ip6;output
+*inet;test-inet;output
+*arp;test-arp;output
+*bridge;test-bridge;output
+
+log;ok
+log level emerg;ok
+log level alert;ok
+log level crit;ok
+log level err;ok
+log level warn;ok;log
+log level notice;ok
+log level info;ok
+log level debug;ok
+log level audit;ok
+
+log level emerg group 2;fail
+log level alert group 2 prefix "log test2";fail
+
+# log level audit must reject all other parameters
+log level audit prefix "foo";fail
+log level audit group 42;fail
+log level audit snaplen 23;fail
+log level audit queue-threshold 1337;fail
+log level audit flags all;fail
+
+log prefix aaaaa-aaaaaa group 2 snaplen 33;ok;log prefix "aaaaa-aaaaaa" group 2 snaplen 33
+# TODO: Add an exception: 'queue-threshold' attribute needs 'group' attribute
+# The correct rule is log group 2 queue-threshold 2
+log group 2 queue-threshold 2;ok
+log group 2 snaplen 33;ok
+log group 2 prefix "nft-test: ";ok;log prefix "nft-test: " group 2
+
+log flags all;ok
+log level debug flags ip options flags skuid;ok
+log flags tcp sequence,options;ok
+log flags ip options flags ether flags skuid flags tcp sequence,options;ok;log flags all
+log flags all group 2;fail
diff --git a/tests/py/any/log.t.json b/tests/py/any/log.t.json
new file mode 100644
index 0000000..7bcc20e
--- /dev/null
+++ b/tests/py/any/log.t.json
@@ -0,0 +1,178 @@
+# log
+[
+    {
+        "log": null
+    }
+]
+
+# log level emerg
+[
+    {
+        "log": {
+            "level": "emerg"
+        }
+    }
+]
+
+# log level alert
+[
+    {
+        "log": {
+            "level": "alert"
+        }
+    }
+]
+
+# log level crit
+[
+    {
+        "log": {
+            "level": "crit"
+        }
+    }
+]
+
+# log level err
+[
+    {
+        "log": {
+            "level": "err"
+        }
+    }
+]
+
+# log level warn
+[
+    {
+        "log": {
+            "level": "warn"
+	}
+    }
+]
+
+# log level notice
+[
+    {
+        "log": {
+            "level": "notice"
+        }
+    }
+]
+
+# log level info
+[
+    {
+        "log": {
+            "level": "info"
+        }
+    }
+]
+
+# log level debug
+[
+    {
+        "log": {
+            "level": "debug"
+        }
+    }
+]
+
+# log level audit
+[
+    {
+        "log": {
+            "level": "audit"
+        }
+    }
+]
+
+# log prefix aaaaa-aaaaaa group 2 snaplen 33
+[
+    {
+        "log": {
+            "group": 2,
+            "prefix": "aaaaa-aaaaaa",
+            "snaplen": 33
+        }
+    }
+]
+
+# log group 2 queue-threshold 2
+[
+    {
+        "log": {
+            "group": 2,
+            "queue-threshold": 2
+        }
+    }
+]
+
+# log group 2 snaplen 33
+[
+    {
+        "log": {
+            "group": 2,
+            "snaplen": 33
+        }
+    }
+]
+
+# log group 2 prefix "nft-test: "
+[
+    {
+        "log": {
+            "group": 2,
+            "prefix": "nft-test: "
+        }
+    }
+]
+
+# log flags all
+[
+    {
+        "log": {
+            "flags": "all"
+        }
+    }
+]
+
+# log level debug flags ip options flags skuid
+[
+    {
+        "log": {
+            "flags": [
+                "ip options",
+                "skuid"
+            ],
+            "level": "debug"
+        }
+    }
+]
+
+# log flags tcp sequence,options
+[
+    {
+        "log": {
+            "flags": [
+                "tcp sequence",
+                "tcp options"
+            ]
+        }
+    }
+]
+
+# log flags ip options flags ether flags skuid flags tcp sequence,options
+[
+    {
+        "log": {
+            "flags": [
+                "ip options",
+                "ether",
+                "skuid",
+                "tcp sequence",
+                "tcp options"
+            ]
+        }
+    }
+]
+
diff --git a/tests/py/any/log.t.json.output b/tests/py/any/log.t.json.output
new file mode 100644
index 0000000..051c448
--- /dev/null
+++ b/tests/py/any/log.t.json.output
@@ -0,0 +1,16 @@
+# log level warn
+[
+    {
+        "log": null
+    }
+]
+
+# log flags ip options flags ether flags skuid flags tcp sequence,options
+[
+    {
+        "log": {
+            "flags": "all"
+        }
+    }
+]
+
diff --git a/tests/py/any/log.t.payload b/tests/py/any/log.t.payload
new file mode 100644
index 0000000..1330445
--- /dev/null
+++ b/tests/py/any/log.t.payload
@@ -0,0 +1,71 @@
+# log
+ip test-ip4 output
+  [ log ]
+
+# log level emerg
+ip test-ip4 output
+  [ log level 0 ]
+
+# log level alert
+ip test-ip4 output
+  [ log level 1 ]
+
+# log level crit
+ip test-ip4 output
+  [ log level 2 ]
+
+# log level err
+ip test-ip4 output
+  [ log level 3 ]
+
+# log level warn
+ip test-ip4 output
+  [ log level 4 ]
+
+# log level notice
+ip test-ip4 output
+  [ log level 5 ]
+
+# log level info
+ip test-ip4 output
+  [ log level 6 ]
+
+# log level debug
+ip test-ip4 output
+  [ log level 7 ]
+
+# log level audit
+ip test-ip4 output
+  [ log level 8 ]
+
+# log prefix aaaaa-aaaaaa group 2 snaplen 33
+ip test-ip4 output
+  [ log prefix aaaaa-aaaaaa group 2 snaplen 33 qthreshold 0 ]
+
+# log group 2 queue-threshold 2
+ip test-ip4 output
+  [ log group 2 snaplen 0 qthreshold 2 ]
+
+# log group 2 snaplen 33
+ip test-ip4 output
+  [ log group 2 snaplen 33 qthreshold 0 ]
+
+# log group 2 prefix "nft-test: "
+ip test-ip4 output
+  [ log prefix nft-test:  group 2 snaplen 0 qthreshold 0 ]
+
+# log flags all
+ip test-ip4 output
+  [ log tcpseq tcpopt ipopt uid macdecode ]
+
+# log level debug flags ip options flags skuid
+ip test-ip4 output
+  [ log level 7 ipopt uid ]
+
+# log flags tcp sequence,options
+ip test-ip4 output
+  [ log tcpseq tcpopt ]
+
+# log flags ip options flags ether flags skuid flags tcp sequence,options
+ip test-ip4 output
+  [ log tcpseq tcpopt ipopt uid macdecode ]
diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t
new file mode 100644
index 0000000..12fabb7
--- /dev/null
+++ b/tests/py/any/meta.t
@@ -0,0 +1,226 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*arp;test-arp;input
+*bridge;test-bridge;input
+*netdev;test-netdev;ingress,egress
+
+meta length 1000;ok
+meta length 22;ok
+meta length != 233;ok
+meta length 33-45;ok
+meta length != 33-45;ok
+meta length { 33, 55, 67, 88};ok
+meta length { 33-55, 67-88};ok
+meta length { 33-55, 56-88, 100-120};ok;meta length { 33-88, 100-120}
+meta length != { 33, 55, 67, 88};ok
+meta length { 33-55, 66-88};ok
+meta length != { 33-55, 66-88};ok
+
+meta protocol { ip, arp, ip6, vlan };ok;meta protocol { ip6, ip, 8021q, arp}
+meta protocol != {ip, arp, ip6, 8021q};ok
+meta protocol ip;ok
+meta protocol != ip;ok
+
+meta l4proto 22;ok
+meta l4proto != 233;ok
+meta l4proto 33-45;ok
+meta l4proto != 33-45;ok
+meta l4proto { 33, 55, 67, 88};ok
+meta l4proto != { 33, 55, 67, 88};ok
+meta l4proto { 33-55, 66-88};ok
+meta l4proto != { 33-55, 66-88};ok
+
+meta priority root;ok
+meta priority none;ok
+meta priority 0x87654321;ok;meta priority 8765:4321
+meta priority 2271560481;ok;meta priority 8765:4321
+meta priority 1:1234;ok
+meta priority bcad:dadc;ok
+meta priority aabb:0;ok
+meta priority != bcad:dadc;ok
+meta priority != aabb:0;ok
+meta priority bcad:dada-bcad:dadc;ok
+meta priority != bcad:dada-bcad:dadc;ok
+meta priority {bcad:dada, bcad:dadc, aaaa:bbbb};ok
+meta priority set cafe:beef;ok
+meta priority != {bcad:dada, bcad:dadc, aaaa:bbbb};ok
+
+meta mark 0x4;ok;meta mark 0x00000004
+meta mark 0x32;ok;meta mark 0x00000032
+meta mark and 0x03 == 0x01;ok;meta mark & 0x00000003 == 0x00000001
+meta mark and 0x03 != 0x01;ok;meta mark & 0x00000003 != 0x00000001
+meta mark 0x10;ok;meta mark 0x00000010
+meta mark != 0x10;ok;meta mark != 0x00000010
+meta mark 0xffffff00/24;ok
+
+meta mark or 0x03 == 0x01;ok;meta mark | 0x00000003 == 0x00000001
+meta mark or 0x03 != 0x01;ok;meta mark | 0x00000003 != 0x00000001
+meta mark xor 0x03 == 0x01;ok;meta mark 0x00000002
+meta mark xor 0x03 != 0x01;ok;meta mark != 0x00000002
+
+meta iif "lo" accept;ok;iif "lo" accept
+meta iif != "lo" accept;ok;iif != "lo" accept
+
+meta iifname "dummy0";ok;iifname "dummy0"
+meta iifname != "dummy0";ok;iifname != "dummy0"
+meta iifname {"dummy0", "lo"};ok;iifname {"dummy0", "lo"}
+meta iifname != {"dummy0", "lo"};ok;iifname != {"dummy0", "lo"}
+meta iifname "dummy*";ok;iifname "dummy*"
+meta iifname "dummy\*";ok;iifname "dummy\*"
+meta iifname "";fail
+
+meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
+meta iiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
+meta iiftype != ether;ok
+meta iiftype ether;ok
+meta iiftype != ppp;ok
+meta iiftype ppp;ok
+
+meta oif "lo" accept;ok;oif "lo" accept
+meta oif != "lo" accept;ok;oif != "lo" accept
+
+meta oifname "dummy0";ok;oifname "dummy0"
+meta oifname != "dummy0";ok;oifname != "dummy0"
+meta oifname { "dummy0", "lo"};ok;oifname { "dummy0", "lo"}
+meta oifname "dummy*";ok;oifname "dummy*"
+meta oifname "dummy\*";ok;oifname "dummy\*"
+meta oifname "";fail
+
+meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
+meta oiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
+meta oiftype != ether;ok
+meta oiftype ether;ok
+
+meta skuid {"bin", "root", "daemon"} accept;ok;meta skuid { 0, 1, 2} accept
+meta skuid != {"bin", "root", "daemon"} accept;ok;meta skuid != { 1, 0, 2} accept
+meta skuid "root";ok;meta skuid 0
+meta skuid != "root";ok;meta skuid != 0
+meta skuid lt 3000 accept;ok;meta skuid < 3000 accept
+meta skuid gt 3000 accept;ok;meta skuid > 3000 accept
+meta skuid eq 3000 accept;ok;meta skuid 3000 accept
+meta skuid 3001-3005 accept;ok
+meta skuid != 2001-2005 accept;ok
+meta skuid { 2001-2005, 3001-3005} accept;ok
+meta skuid != { 2001-2005, 3001-3005} accept;ok
+
+meta skgid {"bin", "root", "daemon"} accept;ok;meta skgid { 0, 1, 2} accept
+meta skgid != {"bin", "root", "daemon"} accept;ok;meta skgid != { 1, 0, 2} accept
+meta skgid "root";ok;meta skgid 0
+meta skgid != "root";ok;meta skgid != 0
+meta skgid lt 3000 accept;ok;meta skgid < 3000 accept
+meta skgid gt 3000 accept;ok;meta skgid > 3000 accept
+meta skgid eq 3000 accept;ok;meta skgid 3000 accept
+meta skgid 2001-2005 accept;ok
+meta skgid != 2001-2005 accept;ok
+
+# BUG: meta nftrace 2 and meta nftrace 1
+# $ sudo nft add rule ip test input meta nftrace 2
+# <cmdline>:1:37-37: Error: Value 2 exceeds valid range 0-1
+# add rule ip test input meta nftrace 2
+#                                    ^
+# $ sudo nft add rule ip test input meta nftrace 1
+# <cmdline>:1:1-37: Error: Could not process rule: Operation not supported
+# add rule ip test input meta nftrace 1
+# -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+meta mark set 0xffffffc8 xor 0x16;ok;meta mark set 0xffffffde
+meta mark set 0x16 and 0x16;ok;meta mark set 0x00000016
+meta mark set 0xffffffe9 or 0x16;ok;meta mark set 0xffffffff
+meta mark set 0xffffffde and 0x16;ok;meta mark set 0x00000016
+meta mark set 0xf045ffde or 0x10;ok;meta mark set 0xf045ffde
+meta mark set 0xffffffde or 0x16;ok;meta mark set 0xffffffde
+meta mark set 0x32 or 0xfffff;ok;meta mark set 0x000fffff
+meta mark set 0xfffe xor 0x16;ok;meta mark set 0x0000ffe8
+
+meta mark set {0xffff, 0xcc};fail
+meta pkttype set {unicast, multicast, broadcast};fail
+
+meta iif "lo";ok;iif "lo"
+meta oif "lo";ok;oif "lo"
+meta oifname "dummy2" accept;ok;oifname "dummy2" accept
+meta skuid 3000;ok
+meta skgid 3000;ok
+# BUG:  meta nftrace 1;ok
+# <cmdline>:1:1-37: Error: Could not process rule: Operation not supported
+- meta nftrace 1;ok
+meta rtclassid "cosmos";ok
+
+meta pkttype broadcast;ok
+meta pkttype host;ok
+meta pkttype multicast;ok
+meta pkttype != broadcast;ok
+meta pkttype != host;ok
+meta pkttype != multicast;ok
+meta pkttype broadcastttt;fail
+pkttype { broadcast, multicast} accept;ok;meta pkttype { broadcast, multicast} accept
+
+meta cpu 1;ok
+meta cpu != 1;ok
+meta cpu 1-3;ok
+meta cpu != 1-2;ok
+meta cpu { 2,3};ok
+meta cpu { 2-3, 5-7};ok
+meta cpu != { 2,3};ok
+
+meta iifgroup 0;ok;iifgroup "default"
+meta iifgroup != 0;ok;iifgroup != "default"
+meta iifgroup "default";ok;iifgroup "default"
+meta iifgroup != "default";ok;iifgroup != "default"
+meta iifgroup {"default", 11};ok;iifgroup {"default", 11}
+meta iifgroup != {"default", 11};ok;iifgroup != {"default", 11}
+meta iifgroup { 11,33};ok;iifgroup { 11,33}
+meta iifgroup {11-33, 44-55};ok;iifgroup {11-33, 44-55}
+meta iifgroup != { 11,33};ok;iifgroup != { 11,33}
+meta iifgroup != {11-33, 44-55};ok;iifgroup != {11-33, 44-55}
+meta oifgroup 0;ok;oifgroup "default"
+meta oifgroup != 0;ok;oifgroup != "default"
+meta oifgroup "default";ok;oifgroup "default"
+meta oifgroup != "default";ok;oifgroup != "default"
+meta oifgroup {"default", 11};ok;oifgroup {"default", 11}
+meta oifgroup != {"default", 11};ok;oifgroup != {"default", 11}
+meta oifgroup { 11,33};ok;oifgroup { 11,33}
+meta oifgroup {11-33, 44-55};ok;oifgroup {11-33, 44-55}
+meta oifgroup != { 11,33};ok;oifgroup != { 11,33}
+meta oifgroup != {11-33, 44-55};ok;oifgroup != {11-33, 44-55}
+
+meta cgroup 1048577;ok
+meta cgroup != 1048577;ok
+meta cgroup { 1048577, 1048578 };ok
+meta cgroup != { 1048577, 1048578};ok
+meta cgroup 1048577-1048578;ok
+meta cgroup != 1048577-1048578;ok
+
+meta iif . meta oif { "lo" . "lo" };ok;iif . oif { "lo" . "lo" }
+meta iif . meta oif . meta mark { "lo" . "lo" . 0x0000000a };ok;iif . oif . meta mark { "lo" . "lo" . 0x0000000a }
+meta iif . meta oif vmap { "lo" . "lo" : drop };ok;iif . oif vmap { "lo" . "lo" : drop }
+
+meta random eq 1;ok;meta random 1
+meta random gt 1000000;ok;meta random > 1000000
+
+meta time "1970-05-23 21:07:14" drop;ok
+meta time 12341234 drop;ok;meta time "1970-05-23 22:07:14" drop
+meta time "2019-06-21 17:00:00" drop;ok
+meta time "2019-07-01 00:00:00" drop;ok
+meta time "2019-07-01 00:01:00" drop;ok
+meta time "2019-07-01 00:00:01" drop;ok
+meta time < "2022-07-01 11:00:00" accept;ok
+meta time > "2022-07-01 11:00:00" accept;ok
+meta day "Saturday" drop;ok
+meta day 6 drop;ok;meta day "Saturday" drop
+meta day "Satturday" drop;fail
+meta hour "17:00" drop;ok
+meta hour "17:00:00" drop;ok;meta hour "17:00" drop
+meta hour "17:00:01" drop;ok
+meta hour "00:00" drop;ok
+meta hour "00:01" drop;ok
+time < "2022-07-01 11:00:00" accept;ok;meta time < "2022-07-01 11:00:00" accept
+time > "2022-07-01 11:00:00" accept;ok;meta time > "2022-07-01 11:00:00" accept
+
+meta time "meh";fail
+meta hour "24:00" drop;fail
+meta day 7 drop;fail
diff --git a/tests/py/any/meta.t.json b/tests/py/any/meta.t.json
new file mode 100644
index 0000000..4734bbf
--- /dev/null
+++ b/tests/py/any/meta.t.json
@@ -0,0 +1,2760 @@
+# meta length 1000
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "length" }
+            },
+            "op": "==",
+            "right": 1000
+        }
+    }
+]
+
+# meta length 22
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "length" }
+            },
+            "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# meta length != 233
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "length" }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# meta length 33-45
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "length" }
+            },
+            "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# meta length != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "length" }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# meta length { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "length" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# meta length { 33-55, 67-88}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "length" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    { "range": [ 33, 55 ] },
+                    { "range": [ 67, 88 ] }
+                ]
+            }
+        }
+    }
+]
+
+# meta length { 33-55, 56-88, 100-120}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "length" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    { "range": [ 33, 88 ] },
+                    { "range": [ 100, 120 ] }
+                ]
+            }
+        }
+    }
+]
+
+# meta length != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "length" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# meta length { 33-55, 66-88}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "length" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    { "range": [ 33, 55 ] },
+		    { "range": [ 66, 88 ] }
+                ]
+            }
+        }
+    }
+]
+
+# meta length != { 33-55, 66-88}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "length" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    { "range": [ 33, 55 ] },
+		    { "range": [ 66, 88 ] }
+                ]
+            }
+        }
+    }
+]
+
+# meta protocol { ip, arp, ip6, vlan }
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "protocol" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "ip",
+                    "arp",
+                    "ip6",
+                    "vlan"
+                ]
+            }
+        }
+    }
+]
+
+# meta protocol != {ip, arp, ip6, 8021q}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "protocol" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "ip",
+                    "arp",
+                    "ip6",
+                    "8021q"
+                ]
+            }
+        }
+    }
+]
+
+# meta protocol ip
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "protocol" }
+            },
+            "op": "==",
+            "right": "ip"
+        }
+    }
+]
+
+# meta protocol != ip
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "protocol" }
+            },
+            "op": "!=",
+            "right": "ip"
+        }
+    }
+]
+
+# meta l4proto 22
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+            "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# meta l4proto != 233
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# meta l4proto 33-45
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+            "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# meta l4proto != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# meta l4proto { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# meta l4proto != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# meta l4proto { 33-55, 66-88}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    { "range": [ 33, 55 ] },
+                    { "range": [ 66, 88 ] }
+                ]
+            }
+        }
+    }
+]
+
+# meta l4proto != { 33-55, 66-88}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    { "range": [ 33, 55 ] },
+                    { "range": [ 66, 88 ] }
+                ]
+            }
+        }
+    }
+]
+
+# meta priority root
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "priority" }
+            },
+            "op": "==",
+            "right": "root"
+        }
+    }
+]
+
+# meta priority none
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "priority" }
+            },
+            "op": "==",
+            "right": "none"
+        }
+    }
+]
+
+# meta priority 0x87654321
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "priority" }
+            },
+            "op": "==",
+            "right": "0x87654321"
+        }
+    }
+]
+
+# meta priority 2271560481
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "priority" }
+            },
+            "op": "==",
+            "right": 2271560481
+        }
+    }
+]
+
+# meta priority 1:1234
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "priority" }
+            },
+            "op": "==",
+            "right": "1:1234"
+        }
+    }
+]
+
+# meta priority bcad:dadc
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "priority" }
+            },
+            "op": "==",
+            "right": "bcad:dadc"
+        }
+    }
+]
+
+# meta priority aabb:0
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "priority" }
+            },
+            "op": "==",
+            "right": "aabb:0"
+        }
+    }
+]
+
+# meta priority != bcad:dadc
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "priority" }
+            },
+            "op": "!=",
+            "right": "bcad:dadc"
+        }
+    }
+]
+
+# meta priority != aabb:0
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "priority" }
+            },
+            "op": "!=",
+            "right": "aabb:0"
+        }
+    }
+]
+
+# meta priority bcad:dada-bcad:dadc
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "priority" }
+            },
+            "op": "==",
+            "right": {
+                "range": [ "bcad:dada", "bcad:dadc" ]
+            }
+        }
+    }
+]
+
+# meta priority != bcad:dada-bcad:dadc
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "priority" }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ "bcad:dada", "bcad:dadc" ]
+            }
+        }
+    }
+]
+
+# meta priority {bcad:dada, bcad:dadc, aaaa:bbbb}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "priority" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "bcad:dada",
+                    "bcad:dadc",
+                    "aaaa:bbbb"
+                ]
+            }
+        }
+    }
+]
+
+# meta priority set cafe:beef
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "priority" }
+            },
+            "value": "cafe:beef"
+        }
+    }
+]
+
+# meta priority != {bcad:dada, bcad:dadc, aaaa:bbbb}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "priority" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "aaaa:bbbb",
+                    "bcad:dada",
+                    "bcad:dadc"
+                ]
+            }
+        }
+    }
+]
+
+# meta mark 0x4
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "mark" }
+            },
+            "op": "==",
+            "right": "0x4"
+        }
+    }
+]
+
+# meta mark 0x32
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "mark" }
+            },
+            "op": "==",
+            "right": "0x32"
+        }
+    }
+]
+
+# meta mark and 0x03 == 0x01
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "meta": { "key": "mark" }
+                    },
+                    "0x03"
+                ]
+            },
+            "op": "==",
+            "right": "0x01"
+        }
+    }
+]
+
+# meta mark and 0x03 != 0x01
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "meta": { "key": "mark" }
+                    },
+                    "0x03"
+                ]
+            },
+            "op": "!=",
+            "right": "0x01"
+        }
+    }
+]
+
+# meta mark 0x10
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "mark" }
+            },
+            "op": "==",
+            "right": "0x10"
+        }
+    }
+]
+
+# meta mark != 0x10
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "mark" }
+            },
+            "op": "!=",
+            "right": "0x10"
+        }
+    }
+]
+
+# meta mark 0xffffff00/24
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "op": "==",
+            "right": {
+                "prefix": {
+                    "addr": 4294967040,
+                    "len": 24
+                }
+            }
+        }
+    }
+]
+
+# meta mark or 0x03 == 0x01
+[
+    {
+        "match": {
+            "left": {
+                "|": [
+                    {
+                        "meta": { "key": "mark" }
+                    },
+                    "0x03"
+                ]
+            },
+            "op": "==",
+            "right": "0x01"
+        }
+    }
+]
+
+# meta mark or 0x03 != 0x01
+[
+    {
+        "match": {
+            "left": {
+                "|": [
+                    {
+                        "meta": { "key": "mark" }
+                    },
+                    "0x03"
+                ]
+            },
+            "op": "!=",
+            "right": "0x01"
+        }
+    }
+]
+
+# meta mark xor 0x03 == 0x01
+[
+    {
+        "match": {
+            "left": {
+                "^": [
+		    {
+                        "meta": { "key": "mark" }
+                    },
+		    "0x03"
+                ]
+            },
+	    "op": "==",
+            "right": "0x01"
+        }
+    }
+]
+
+# meta mark xor 0x03 != 0x01
+[
+    {
+        "match": {
+            "left": {
+                "^": [
+                    {
+                        "meta": { "key": "mark" }
+                    },
+                    "0x03"
+                ]
+            },
+            "op": "!=",
+            "right": "0x01"
+        }
+    }
+]
+
+# meta iif "lo" accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+            "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta iif != "lo" accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+            "op": "!=",
+            "right": "lo"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta iifname "dummy0"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+            "op": "==",
+            "right": "dummy0"
+        }
+    }
+]
+
+# meta iifname != "dummy0"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+            "op": "!=",
+            "right": "dummy0"
+        }
+    }
+]
+
+# meta iifname {"dummy0", "lo"}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "dummy0",
+                    "lo"
+                ]
+            }
+        }
+    }
+]
+
+# meta iifname != {"dummy0", "lo"}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "dummy0",
+                    "lo"
+                ]
+            }
+        }
+    }
+]
+
+# meta iifname "dummy*"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+            "op": "==",
+            "right": "dummy*"
+        }
+    }
+]
+
+# meta iifname "dummy\*"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+            "op": "==",
+            "right": "dummy\\*"
+        }
+    }
+]
+
+# meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iiftype" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "ether",
+                    "ppp",
+                    "ipip",
+                    "ipip6",
+                    "loopback",
+                    "sit",
+                    "ipgre"
+                ]
+            }
+        }
+    }
+]
+
+# meta iiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iiftype" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "ether",
+                    "ppp",
+                    "ipip",
+                    "ipip6",
+                    "loopback",
+                    "sit",
+                    "ipgre"
+                ]
+            }
+        }
+    }
+]
+
+# meta iiftype != ether
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iiftype" }
+            },
+            "op": "!=",
+            "right": "ether"
+        }
+    }
+]
+
+# meta iiftype ether
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iiftype" }
+            },
+            "op": "==",
+            "right": "ether"
+        }
+    }
+]
+
+# meta iiftype != ppp
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iiftype" }
+            },
+            "op": "!=",
+            "right": "ppp"
+        }
+    }
+]
+
+# meta iiftype ppp
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iiftype" }
+            },
+            "op": "==",
+            "right": "ppp"
+        }
+    }
+]
+
+# meta oif "lo" accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oif" }
+            },
+            "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta oif != "lo" accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oif" }
+            },
+            "op": "!=",
+            "right": "lo"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta oifname "dummy0"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifname" }
+            },
+            "op": "==",
+            "right": "dummy0"
+        }
+    }
+]
+
+# meta oifname != "dummy0"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifname" }
+            },
+            "op": "!=",
+            "right": "dummy0"
+        }
+    }
+]
+
+# meta oifname { "dummy0", "lo"}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifname" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "dummy0",
+                    "lo"
+                ]
+            }
+        }
+    }
+]
+
+# meta oifname "dummy*"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifname" }
+            },
+            "op": "==",
+            "right": "dummy*"
+        }
+    }
+]
+
+# meta oifname "dummy\*"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifname" }
+            },
+            "op": "==",
+            "right": "dummy\\*"
+        }
+    }
+]
+
+# meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oiftype" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "ether",
+                    "ppp",
+                    "ipip",
+                    "ipip6",
+                    "loopback",
+                    "sit",
+                    "ipgre"
+                ]
+            }
+        }
+    }
+]
+
+# meta oiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oiftype" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "ether",
+                    "ppp",
+                    "ipip",
+                    "ipip6",
+                    "loopback",
+                    "sit",
+                    "ipgre"
+                ]
+            }
+        }
+    }
+]
+
+# meta oiftype != ether
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oiftype" }
+            },
+            "op": "!=",
+            "right": "ether"
+        }
+    }
+]
+
+# meta oiftype ether
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oiftype" }
+            },
+            "op": "==",
+            "right": "ether"
+        }
+    }
+]
+
+# meta skuid {"bin", "root", "daemon"} accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skuid" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "bin",
+                    "root",
+                    "daemon"
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skuid != {"bin", "root", "daemon"} accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skuid" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "bin",
+                    "root",
+                    "daemon"
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skuid "root"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skuid" }
+            },
+            "op": "==",
+            "right": "root"
+        }
+    }
+]
+
+# meta skuid != "root"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skuid" }
+            },
+            "op": "!=",
+            "right": "root"
+        }
+    }
+]
+
+# meta skuid lt 3000 accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skuid" }
+            },
+            "op": "<",
+            "right": 3000
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skuid gt 3000 accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skuid" }
+            },
+            "op": ">",
+            "right": 3000
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skuid eq 3000 accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skuid" }
+            },
+            "op": "==",
+            "right": 3000
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skuid 3001-3005 accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skuid" }
+            },
+            "op": "==",
+            "right": {
+                "range": [ 3001, 3005 ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skuid != 2001-2005 accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skuid" }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 2001, 2005 ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skuid { 2001-2005, 3001-3005} accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skuid" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    { "range": [ 2001, 2005 ] },
+                    { "range": [ 3001, 3005 ] }
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skuid != { 2001-2005, 3001-3005} accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skuid" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    { "range": [ 2001, 2005 ] },
+                    { "range": [ 3001, 3005 ] }
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skgid {"bin", "root", "daemon"} accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skgid" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "bin",
+                    "root",
+                    "daemon"
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skgid != {"bin", "root", "daemon"} accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skgid" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "bin",
+                    "root",
+                    "daemon"
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skgid "root"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skgid" }
+            },
+            "op": "==",
+            "right": "root"
+        }
+    }
+]
+
+# meta skgid != "root"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skgid" }
+            },
+            "op": "!=",
+            "right": "root"
+        }
+    }
+]
+
+# meta skgid lt 3000 accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skgid" }
+            },
+            "op": "<",
+            "right": 3000
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skgid gt 3000 accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skgid" }
+            },
+            "op": ">",
+            "right": 3000
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skgid eq 3000 accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skgid" }
+            },
+            "op": "==",
+            "right": 3000
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skgid 2001-2005 accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skgid" }
+            },
+            "op": "==",
+            "right": {
+                "range": [ 2001, 2005 ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skgid != 2001-2005 accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skgid" }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 2001, 2005 ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta mark set 0xffffffc8 xor 0x16
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": { "^": [ "0xffffffc8", "0x16" ] }
+        }
+    }
+]
+
+# meta mark set 0x16 and 0x16
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": { "&": [ "0x16", "0x16" ] }
+        }
+    }
+]
+
+# meta mark set 0xffffffe9 or 0x16
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": { "|": [ "0xffffffe9", "0x16" ] }
+        }
+    }
+]
+
+# meta mark set 0xffffffde and 0x16
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": { "&": [ "0xffffffde", "0x16" ] }
+        }
+    }
+]
+
+# meta mark set 0xf045ffde or 0x10
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": { "|": [ "0xf045ffde", "0x10" ] }
+        }
+    }
+]
+
+# meta mark set 0xffffffde or 0x16
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": { "|": [ "0xffffffde", "0x16" ] }
+        }
+    }
+]
+
+# meta mark set 0x32 or 0xfffff
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": { "|": [ "0x32", "0xfffff" ] }
+        }
+    }
+]
+
+# meta mark set 0xfffe xor 0x16
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": { "^": [ "0xfffe", "0x16" ] }
+        }
+    }
+]
+
+# meta iif "lo"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+            "op": "==",
+            "right": "lo"
+        }
+    }
+]
+
+# meta oif "lo"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oif" }
+            },
+            "op": "==",
+            "right": "lo"
+        }
+    }
+]
+
+# meta oifname "dummy2" accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifname" }
+            },
+            "op": "==",
+            "right": "dummy2"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skuid 3000
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skuid" }
+            },
+            "op": "==",
+            "right": 3000
+        }
+    }
+]
+
+# meta skgid 3000
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skgid" }
+            },
+            "op": "==",
+            "right": 3000
+        }
+    }
+]
+
+# meta rtclassid "cosmos"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "rtclassid" }
+            },
+            "op": "==",
+            "right": "cosmos"
+        }
+    }
+]
+
+# meta pkttype broadcast
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "pkttype" }
+            },
+            "op": "==",
+            "right": "broadcast"
+        }
+    }
+]
+
+# meta pkttype host
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "pkttype" }
+            },
+            "op": "==",
+            "right": "host"
+        }
+    }
+]
+
+# meta pkttype multicast
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "pkttype" }
+            },
+            "op": "==",
+            "right": "multicast"
+        }
+    }
+]
+
+# meta pkttype != broadcast
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "pkttype" }
+            },
+            "op": "!=",
+            "right": "broadcast"
+        }
+    }
+]
+
+# meta pkttype != host
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "pkttype" }
+            },
+            "op": "!=",
+            "right": "host"
+        }
+    }
+]
+
+# meta pkttype != multicast
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "pkttype" }
+            },
+            "op": "!=",
+            "right": "multicast"
+        }
+    }
+]
+
+# pkttype { broadcast, multicast} accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "pkttype" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "broadcast",
+                    "multicast"
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta cpu 1
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "cpu" }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# meta cpu != 1
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "cpu" }
+            },
+            "op": "!=",
+            "right": 1
+        }
+    }
+]
+
+# meta cpu 1-3
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "cpu" }
+            },
+            "op": "==",
+            "right": {
+                "range": [ 1, 3 ]
+            }
+        }
+    }
+]
+
+# meta cpu != 1-2
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "cpu" }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 1, 2 ]
+            }
+        }
+    }
+]
+
+# meta cpu { 2,3}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "cpu" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    2,
+                    3
+                ]
+            }
+        }
+    }
+]
+
+# meta cpu { 2-3, 5-7}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "cpu" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    { "range": [ 2, 3 ] },
+                    { "range": [ 5, 7 ] }
+                ]
+            }
+        }
+    }
+]
+
+# meta cpu != { 2,3}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "cpu" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    2,
+                    3
+                ]
+            }
+        }
+    }
+]
+
+# meta iifgroup 0
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifgroup" }
+            },
+            "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# meta iifgroup != 0
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifgroup" }
+            },
+            "op": "!=",
+            "right": 0
+        }
+    }
+]
+
+# meta iifgroup "default"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifgroup" }
+            },
+            "op": "==",
+            "right": "default"
+        }
+    }
+]
+
+# meta iifgroup != "default"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifgroup" }
+            },
+            "op": "!=",
+            "right": "default"
+        }
+    }
+]
+
+# meta iifgroup {"default", 11}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifgroup" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "default",
+		    11
+                ]
+            }
+        }
+    }
+]
+
+# meta iifgroup != {"default", 11}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifgroup" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "default",
+		    11
+                ]
+            }
+        }
+    }
+]
+
+# meta iifgroup { 11,33}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifgroup" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    11,
+                    33
+                ]
+            }
+        }
+    }
+]
+
+# meta iifgroup {11-33, 44-55}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifgroup" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    { "range": [ 11, 33 ] },
+                    { "range": [ 44, 55 ] }
+                ]
+            }
+        }
+    }
+]
+
+# meta iifgroup != { 11,33}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifgroup" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    11,
+                    33
+                ]
+            }
+        }
+    }
+]
+
+# meta iifgroup != {11-33, 44-55}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifgroup" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    { "range": [ 11, 33 ] },
+                    { "range": [ 44, 55 ] }
+                ]
+            }
+        }
+    }
+]
+
+# meta oifgroup 0
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifgroup" }
+            },
+            "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# meta oifgroup != 0
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifgroup" }
+            },
+            "op": "!=",
+            "right": 0
+        }
+    }
+]
+
+# meta oifgroup "default"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifgroup" }
+            },
+            "op": "==",
+            "right": "default"
+        }
+    }
+]
+
+# meta oifgroup != "default"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifgroup" }
+            },
+            "op": "!=",
+            "right": "default"
+        }
+    }
+]
+
+# meta oifgroup {"default", 11}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifgroup" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "default",
+		    11
+                ]
+            }
+        }
+    }
+]
+
+# meta oifgroup != {"default", 11}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifgroup" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "default",
+		    11
+                ]
+            }
+        }
+    }
+]
+
+# meta oifgroup { 11,33}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifgroup" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    11,
+                    33
+                ]
+            }
+        }
+    }
+]
+
+# meta oifgroup {11-33, 44-55}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifgroup" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    { "range": [ 11, 33 ] },
+                    { "range": [ 44, 55 ] }
+                ]
+            }
+        }
+    }
+]
+
+# meta oifgroup != { 11,33}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifgroup" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    11,
+                    33
+                ]
+            }
+        }
+    }
+]
+
+# meta oifgroup != {11-33, 44-55}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifgroup" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    { "range": [ 11, 33 ] },
+                    { "range": [ 44, 55 ] }
+                ]
+            }
+        }
+    }
+]
+
+# meta cgroup 1048577
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "cgroup" }
+            },
+            "op": "==",
+            "right": 1048577
+        }
+    }
+]
+
+# meta cgroup != 1048577
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "cgroup" }
+            },
+            "op": "!=",
+            "right": 1048577
+        }
+    }
+]
+
+# meta cgroup { 1048577, 1048578 }
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "cgroup" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    1048577,
+                    1048578
+                ]
+            }
+        }
+    }
+]
+
+# meta cgroup != { 1048577, 1048578}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "cgroup" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    1048577,
+                    1048578
+                ]
+            }
+        }
+    }
+]
+
+# meta cgroup 1048577-1048578
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "cgroup" }
+            },
+            "op": "==",
+            "right": {
+                "range": [ 1048577, 1048578 ]
+            }
+        }
+    }
+]
+
+# meta cgroup != 1048577-1048578
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "cgroup" }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 1048577, 1048578 ]
+            }
+        }
+    }
+]
+
+# meta cgroup {1048577-1048578}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "cgroup" }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "range": [ 1048577, 1048578 ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# meta cgroup != { 1048577-1048578}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "cgroup" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    {
+                        "range": [ 1048577, 1048578 ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# meta iif . meta oif { "lo" . "lo" }
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "meta": { "key": "iif" }
+                    },
+                    {
+                        "meta": { "key": "oif" }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "lo",
+                            "lo"
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# meta iif . meta oif . meta mark { "lo" . "lo" . 0x0000000a }
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "meta": { "key": "iif" }
+                    },
+                    {
+                        "meta": { "key": "oif" }
+                    },
+                    {
+                        "meta": { "key": "mark" }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "lo",
+                            "lo",
+                            "0x0000000a"
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# meta iif . meta oif vmap { "lo" . "lo" : drop }
+[
+    {
+        "vmap": {
+            "key": {
+                "concat": [
+                    {
+                        "meta": { "key": "iif" }
+                    },
+                    {
+                        "meta": { "key": "oif" }
+                    }
+                ]
+            },
+            "data": {
+                "set": [
+                    [
+                        {
+                            "concat": [
+                                "lo",
+                                "lo"
+                            ]
+                        },
+                        {
+                            "drop": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# meta random eq 1
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "random" }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# meta random gt 1000000
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "random" }
+            },
+            "op": ">",
+            "right": 1000000
+        }
+    }
+]
+
+# meta time "1970-05-23 21:07:14" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "time"
+                }
+            },
+            "op": "==",
+            "right": "1970-05-23 21:07:14"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta time 12341234 drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "time"
+                }
+            },
+            "op": "==",
+            "right": "12341234"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta time "2019-06-21 17:00:00" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "time"
+                }
+            },
+            "op": "==",
+            "right": "2019-06-21 17:00:00"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta time "2019-07-01 00:00:00" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "time"
+                }
+            },
+            "op": "==",
+            "right": "2019-07-01 00:00:00"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta time "2019-07-01 00:01:00" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "time"
+                }
+            },
+            "op": "==",
+            "right": "2019-07-01 00:01:00"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta time "2019-07-01 00:00:01" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "time"
+                }
+            },
+            "op": "==",
+            "right": "2019-07-01 00:00:01"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta time < "2022-07-01 11:00:00" accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "time"
+                }
+            },
+            "op": "<",
+            "right": "2022-07-01 11:00:00"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta time > "2022-07-01 11:00:00" accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "time"
+                }
+            },
+            "op": ">",
+            "right": "2022-07-01 11:00:00"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta day "Saturday" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "day"
+                }
+            },
+            "op": "==",
+            "right": "Saturday"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta day 6 drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "day"
+                }
+            },
+            "op": "==",
+            "right": "6"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta hour "17:00" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "==",
+            "right": "17:00"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta hour "17:00:00" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "==",
+            "right": "17:00"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta hour "17:00:01" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "==",
+            "right": "17:00:01"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta hour "00:00" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "==",
+            "right": "00:00"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta hour "00:01" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "==",
+            "right": "00:01"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# time < "2022-07-01 11:00:00" accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "time"
+                }
+            },
+            "op": "<",
+            "right": "2022-07-01 11:00:00"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# time > "2022-07-01 11:00:00" accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "time"
+                }
+            },
+            "op": ">",
+            "right": "2022-07-01 11:00:00"
+        }
+    },
+    {
+        "accept": null
+    }
+]
diff --git a/tests/py/any/meta.t.json.output b/tests/py/any/meta.t.json.output
new file mode 100644
index 0000000..4e9e669
--- /dev/null
+++ b/tests/py/any/meta.t.json.output
@@ -0,0 +1,828 @@
+# meta protocol { ip, arp, ip6, vlan }
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "protocol" }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "ip",
+                    "arp",
+                    "8021q",
+                    "ip6"
+                ]
+            }
+        }
+    }
+]
+
+# meta protocol != {ip, arp, ip6, 8021q}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "protocol" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "ip",
+                    "arp",
+                    "8021q",
+                    "ip6"
+                ]
+            }
+        }
+    }
+]
+
+# meta priority 0x87654321
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "priority" }
+            },
+	    "op": "==",
+            "right": "8765:4321"
+        }
+    }
+]
+
+# meta priority 2271560481
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "priority" }
+            },
+	    "op": "==",
+            "right": "8765:4321"
+        }
+    }
+]
+
+# meta priority {bcad:dada, bcad:dadc, aaaa:bbbb}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "priority" }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "aaaa:bbbb",
+                    "bcad:dada",
+                    "bcad:dadc"
+                ]
+            }
+        }
+    }
+]
+
+# meta mark 0x4
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "mark" }
+            },
+	    "op": "==",
+            "right": 4
+        }
+    }
+]
+
+# meta mark 0x32
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "mark" }
+            },
+	    "op": "==",
+            "right": 50
+        }
+    }
+]
+
+# meta mark and 0x03 == 0x01
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "meta": { "key": "mark" }
+                    },
+                    3
+                ]
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# meta mark and 0x03 != 0x01
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "meta": { "key": "mark" }
+                    },
+                    3
+                ]
+            },
+            "op": "!=",
+            "right": 1
+        }
+    }
+]
+
+# meta mark 0x10
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "mark" }
+            },
+	    "op": "==",
+            "right": 16
+        }
+    }
+]
+
+# meta mark != 0x10
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "mark" }
+            },
+            "op": "!=",
+            "right": 16
+        }
+    }
+]
+
+# meta mark or 0x03 == 0x01
+[
+    {
+        "match": {
+            "left": {
+                "|": [
+                    {
+                        "meta": { "key": "mark" }
+                    },
+                    3
+                ]
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# meta mark or 0x03 != 0x01
+[
+    {
+        "match": {
+            "left": {
+                "|": [
+                    {
+                        "meta": { "key": "mark" }
+                    },
+                    3
+                ]
+            },
+            "op": "!=",
+            "right": 1
+        }
+    }
+]
+
+# meta mark xor 0x03 == 0x01
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "mark" }
+            },
+	    "op": "==",
+            "right": 2
+        }
+    }
+]
+
+# meta mark xor 0x03 != 0x01
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "mark" }
+            },
+            "op": "!=",
+            "right": 2
+        }
+    }
+]
+
+# meta iifname {"dummy0", "lo"}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "lo",
+                    "dummy0"
+                ]
+            }
+        }
+    }
+]
+
+# meta iifname != {"dummy0", "lo"}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "lo",
+                    "dummy0"
+                ]
+            }
+        }
+    }
+]
+
+# meta oifname { "dummy0", "lo"}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifname" }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "lo",
+                    "dummy0"
+                ]
+            }
+        }
+    }
+]
+
+# meta skuid {"bin", "root", "daemon"} accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skuid" }
+            },
+	    "op": "==",
+            "right": {
+                "set": [ 0, 1, 2 ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skuid != {"bin", "root", "daemon"} accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skuid" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [ 0, 1, 2 ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skuid "root"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skuid" }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# meta skuid != "root"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skuid" }
+            },
+            "op": "!=",
+            "right": 0
+        }
+    }
+]
+
+# meta skgid {"bin", "root", "daemon"} accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skgid" }
+            },
+	    "op": "==",
+            "right": {
+                "set": [ 0, 1, 2 ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skgid != {"bin", "root", "daemon"} accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skgid" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [ 0, 1, 2 ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta skgid "root"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skgid" }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# meta skgid != "root"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "skgid" }
+            },
+            "op": "!=",
+            "right": 0
+        }
+    }
+]
+
+# meta mark set 0xffffffc8 xor 0x16
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": 4294967262
+        }
+    }
+]
+
+# meta mark set 0x16 and 0x16
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": 22
+        }
+    }
+]
+
+# meta mark set 0xffffffe9 or 0x16
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": 4294967295
+        }
+    }
+]
+
+# meta mark set 0xffffffde and 0x16
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": 22
+        }
+    }
+]
+
+# meta mark set 0xf045ffde or 0x10
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": 4031119326
+        }
+    }
+]
+
+# meta mark set 0xffffffde or 0x16
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": 4294967262
+        }
+    }
+]
+
+# meta mark set 0x32 or 0xfffff
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": 1048575
+        }
+    }
+]
+
+# meta mark set 0xfffe xor 0x16
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": 65512
+        }
+    }
+]
+
+# meta iifgroup 0
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifgroup" }
+            },
+	    "op": "==",
+            "right": "default"
+        }
+    }
+]
+
+# meta iifgroup != 0
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifgroup" }
+            },
+            "op": "!=",
+            "right": "default"
+        }
+    }
+]
+
+# meta oifgroup 0
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifgroup" }
+            },
+	    "op": "==",
+            "right": "default"
+        }
+    }
+]
+
+# meta oifgroup != 0
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "oifgroup" }
+            },
+            "op": "!=",
+            "right": "default"
+        }
+    }
+]
+
+# meta iif . meta oif . meta mark { "lo" . "lo" . 0x0000000a }
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "meta": { "key": "iif" }
+                    },
+                    {
+                        "meta": { "key": "oif" }
+                    },
+                    {
+                        "meta": { "key": "mark" }
+                    }
+                ]
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "lo",
+                            "lo",
+                            10
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# meta time "1970-05-23 21:07:14" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "time"
+                }
+            },
+            "op": "==",
+            "right": "1970-05-23 21:07:14"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta time 12341234 drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "time"
+                }
+            },
+            "op": "==",
+            "right": "1970-05-23 22:07:14"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta time "2019-06-21 17:00:00" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "time"
+                }
+            },
+            "op": "==",
+            "right": "2019-06-21 17:00:00"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta time "2019-07-01 00:00:00" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "time"
+                }
+            },
+            "op": "==",
+            "right": "2019-07-01 00:00:00"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta time "2019-07-01 00:01:00" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "time"
+                }
+            },
+            "op": "==",
+            "right": "2019-07-01 00:01:00"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta time "2019-07-01 00:00:01" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "time"
+                }
+            },
+            "op": "==",
+            "right": "2019-07-01 00:00:01"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta day "Saturday" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "day"
+                }
+            },
+            "op": "==",
+            "right": "Saturday"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta day 6 drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "day"
+                }
+            },
+            "op": "==",
+            "right": "Saturday"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta hour "17:00" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "==",
+            "right": "17:00"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta hour "17:00:00" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "==",
+            "right": "17:00"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta hour "17:00:01" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "==",
+            "right": "17:00:01"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta hour "00:00" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "==",
+            "right": "00:00"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta hour "00:01" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "==",
+            "right": "00:01"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
diff --git a/tests/py/any/meta.t.payload b/tests/py/any/meta.t.payload
new file mode 100644
index 0000000..16dc121
--- /dev/null
+++ b/tests/py/any/meta.t.payload
@@ -0,0 +1,1074 @@
+# meta length 1000
+ip test-ip4 input
+  [ meta load len => reg 1 ]
+  [ cmp eq reg 1 0x000003e8 ]
+
+# meta length 22
+ip test-ip4 input
+  [ meta load len => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# meta length != 233
+ip test-ip4 input
+  [ meta load len => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# meta length 33-45
+ip test-ip4 input
+  [ meta load len => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ cmp gte reg 1 0x21000000 ]
+  [ cmp lte reg 1 0x2d000000 ]
+
+# meta length != 33-45
+ip test-ip4 input
+  [ meta load len => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ range neq reg 1 0x21000000 0x2d000000 ]
+
+# meta length { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip test-ip4 input
+  [ meta load len => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta length { 33-55, 67-88}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]	element 43000000  : 0 [end]	element 59000000  : 1 [end]
+ip test-ip4 input
+  [ meta load len => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d ]
+
+# meta length { 33-55, 56-88, 100-120}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 59000000  : 1 [end]	element 64000000  : 0 [end]	element 79000000  : 1 [end]
+ip test-ip4 input
+  [ meta load len => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d ]
+
+# meta length != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip test-ip4 input
+  [ meta load len => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta protocol { ip, arp, ip6, vlan }
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000608  : 0 [end]	element 0000dd86  : 0 [end]	element 00000081  : 0 [end]
+ip test-ip4 input
+  [ meta load protocol => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta protocol != {ip, arp, ip6, 8021q}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000608  : 0 [end]	element 0000dd86  : 0 [end]	element 00000081  : 0 [end]
+ip test-ip4 input
+  [ meta load protocol => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta protocol ip
+ip test-ip4 input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# meta protocol != ip
+ip test-ip4 input
+  [ meta load protocol => reg 1 ]
+  [ cmp neq reg 1 0x00000008 ]
+
+# meta l4proto 22
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# meta l4proto != 233
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# meta l4proto 33-45
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# meta l4proto != 33-45
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# meta l4proto { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta l4proto != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta mark 0x4
+ip test-ip4 input
+  [ meta load mark => reg 1 ]
+  [ cmp eq reg 1 0x00000004 ]
+
+# meta mark 0x32
+ip test-ip4 input
+  [ meta load mark => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+
+# meta mark and 0x03 == 0x01
+ip test-ip4 input
+  [ meta load mark => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# meta mark and 0x03 != 0x01
+ip test-ip4 input
+  [ meta load mark => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# meta mark 0x10
+ip test-ip4 input
+  [ meta load mark => reg 1 ]
+  [ cmp eq reg 1 0x00000010 ]
+
+# meta mark != 0x10
+ip test-ip4 input
+  [ meta load mark => reg 1 ]
+  [ cmp neq reg 1 0x00000010 ]
+
+# meta mark 0xffffff00/24
+ip test-ip4 input
+  [ meta load mark => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0xffffff00 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0xffffff00 ]
+
+# meta mark or 0x03 == 0x01
+ip test-ip4 input
+  [ meta load mark => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0xfffffffc ) ^ 0x00000003 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# meta mark or 0x03 != 0x01
+ip test-ip4 input
+  [ meta load mark => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0xfffffffc ) ^ 0x00000003 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# meta mark xor 0x03 == 0x01
+ip test-ip4 input
+  [ meta load mark => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+
+# meta mark xor 0x03 != 0x01
+ip test-ip4 input
+  [ meta load mark => reg 1 ]
+  [ cmp neq reg 1 0x00000002 ]
+
+# meta iif "lo" accept
+ip test-ip4 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ immediate reg 0 accept ]
+
+# meta iif != "lo" accept
+ip test-ip4 input
+  [ meta load iif => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+  [ immediate reg 0 accept ]
+
+# meta iifname "dummy0"
+ip test-ip4 input
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x6d6d7564 0x00003079 0x00000000 0x00000000 ]
+
+# meta iifname != "dummy0"
+ip test-ip4 input
+  [ meta load iifname => reg 1 ]
+  [ cmp neq reg 1 0x6d6d7564 0x00003079 0x00000000 0x00000000 ]
+
+# meta iifname {"dummy0", "lo"}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 6d6d7564 00003079 00000000 00000000  : 0 [end]	element 00006f6c 00000000 00000000 00000000  : 0 [end]
+ip test-ip4 input
+  [ meta load iifname => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta iifname != {"dummy0", "lo"}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 6d6d7564 00003079 00000000 00000000  : 0 [end]	element 00006f6c 00000000 00000000 00000000  : 0 [end]
+ip test-ip4 input
+  [ meta load iifname => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta iifname "dummy*"
+ip test-ip4 input
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x6d6d7564 0x00000079 ]
+
+# meta iifname "dummy\*"
+ip test-ip4 input
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x6d6d7564 0x00002a79 0x00000000 0x00000000 ]
+
+# meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000200  : 0 [end]	element 00000300  : 0 [end]	element 00000301  : 0 [end]	element 00000304  : 0 [end]	element 00000308  : 0 [end]	element 0000030a  : 0 [end]
+ip test-ip4 input
+  [ meta load iiftype => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta iiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000200  : 0 [end]	element 00000300  : 0 [end]	element 00000301  : 0 [end]	element 00000304  : 0 [end]	element 00000308  : 0 [end]	element 0000030a  : 0 [end]
+ip test-ip4 input
+  [ meta load iiftype => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta iiftype != ether
+ip test-ip4 input
+  [ meta load iiftype => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# meta iiftype ether
+ip test-ip4 input
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# meta iiftype != ppp
+ip test-ip4 input
+  [ meta load iiftype => reg 1 ]
+  [ cmp neq reg 1 0x00000200 ]
+
+# meta iiftype ppp
+ip test-ip4 input
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000200 ]
+
+# meta oif "lo" accept
+ip test-ip4 input
+  [ meta load oif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ immediate reg 0 accept ]
+
+# meta oif != "lo" accept
+ip test-ip4 input
+  [ meta load oif => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+  [ immediate reg 0 accept ]
+
+# meta oifname "dummy0"
+ip test-ip4 input
+  [ meta load oifname => reg 1 ]
+  [ cmp eq reg 1 0x6d6d7564 0x00003079 0x00000000 0x00000000 ]
+
+# meta oifname != "dummy0"
+ip test-ip4 input
+  [ meta load oifname => reg 1 ]
+  [ cmp neq reg 1 0x6d6d7564 0x00003079 0x00000000 0x00000000 ]
+
+# meta oifname { "dummy0", "lo"}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 6d6d7564 00003079 00000000 00000000  : 0 [end]	element 00006f6c 00000000 00000000 00000000  : 0 [end]
+ip test-ip4 input
+  [ meta load oifname => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta oifname "dummy*"
+ip test-ip4 input
+  [ meta load oifname => reg 1 ]
+  [ cmp eq reg 1 0x6d6d7564 0x00000079 ]
+
+# meta oifname "dummy\*"
+ip test-ip4 input
+  [ meta load oifname => reg 1 ]
+  [ cmp eq reg 1 0x6d6d7564 0x00002a79 0x00000000 0x00000000 ]
+
+# meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000200  : 0 [end]	element 00000300  : 0 [end]	element 00000301  : 0 [end]	element 00000304  : 0 [end]	element 00000308  : 0 [end]	element 0000030a  : 0 [end]
+ip test-ip4 input
+  [ meta load oiftype => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta oiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000200  : 0 [end]	element 00000300  : 0 [end]	element 00000301  : 0 [end]	element 00000304  : 0 [end]	element 00000308  : 0 [end]	element 0000030a  : 0 [end]
+ip test-ip4 input
+  [ meta load oiftype => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta oiftype != ether
+ip test-ip4 input
+  [ meta load oiftype => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# meta oiftype ether
+ip test-ip4 input
+  [ meta load oiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# meta skuid {"bin", "root", "daemon"} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000000  : 0 [end]	element 00000002  : 0 [end]
+ip test-ip4 input
+  [ meta load skuid => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# meta skuid != {"bin", "root", "daemon"} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000000  : 0 [end]	element 00000002  : 0 [end]
+ip test-ip4 input
+  [ meta load skuid => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# meta skuid "root"
+ip test-ip4 input
+  [ meta load skuid => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# meta skuid != "root"
+ip test-ip4 input
+  [ meta load skuid => reg 1 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# meta skuid lt 3000 accept
+ip test-ip4 input
+  [ meta load skuid => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ cmp lt reg 1 0xb80b0000 ]
+  [ immediate reg 0 accept ]
+
+# meta skuid gt 3000 accept
+ip test-ip4 input
+  [ meta load skuid => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ cmp gt reg 1 0xb80b0000 ]
+  [ immediate reg 0 accept ]
+
+# meta skuid eq 3000 accept
+ip test-ip4 input
+  [ meta load skuid => reg 1 ]
+  [ cmp eq reg 1 0x00000bb8 ]
+  [ immediate reg 0 accept ]
+
+# meta skuid 3001-3005 accept
+ip test-ip4 input
+  [ meta load skuid => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ cmp gte reg 1 0xb90b0000 ]
+  [ cmp lte reg 1 0xbd0b0000 ]
+  [ immediate reg 0 accept ]
+
+# meta skuid != 2001-2005 accept
+ip test-ip4 input
+  [ meta load skuid => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ range neq reg 1 0xd1070000 0xd5070000 ]
+  [ immediate reg 0 accept ]
+
+# meta skgid {"bin", "root", "daemon"} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000000  : 0 [end]	element 00000002  : 0 [end]
+ip test-ip4 input
+  [ meta load skgid => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# meta skgid != {"bin", "root", "daemon"} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000000  : 0 [end]	element 00000002  : 0 [end]
+ip test-ip4 input
+  [ meta load skgid => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# meta skgid "root"
+ip test-ip4 input
+  [ meta load skgid => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# meta skgid != "root"
+ip test-ip4 input
+  [ meta load skgid => reg 1 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# meta skgid lt 3000 accept
+ip test-ip4 input
+  [ meta load skgid => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ cmp lt reg 1 0xb80b0000 ]
+  [ immediate reg 0 accept ]
+
+# meta skgid gt 3000 accept
+ip test-ip4 input
+  [ meta load skgid => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ cmp gt reg 1 0xb80b0000 ]
+  [ immediate reg 0 accept ]
+
+# meta skgid eq 3000 accept
+ip test-ip4 input
+  [ meta load skgid => reg 1 ]
+  [ cmp eq reg 1 0x00000bb8 ]
+  [ immediate reg 0 accept ]
+
+# meta skgid 2001-2005 accept
+ip test-ip4 input
+  [ meta load skgid => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ cmp gte reg 1 0xd1070000 ]
+  [ cmp lte reg 1 0xd5070000 ]
+  [ immediate reg 0 accept ]
+
+# meta skgid != 2001-2005 accept
+ip test-ip4 input
+  [ meta load skgid => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ range neq reg 1 0xd1070000 0xd5070000 ]
+  [ immediate reg 0 accept ]
+
+# meta mark set 0xffffffc8 xor 0x16
+ip test-ip4 input
+  [ immediate reg 1 0xffffffde ]
+  [ meta set mark with reg 1 ]
+
+# meta mark set 0x16 and 0x16
+ip test-ip4 input
+  [ immediate reg 1 0x00000016 ]
+  [ meta set mark with reg 1 ]
+
+# meta mark set 0xffffffe9 or 0x16
+ip test-ip4 input
+  [ immediate reg 1 0xffffffff ]
+  [ meta set mark with reg 1 ]
+
+# meta mark set 0xffffffde and 0x16
+ip test-ip4 input
+  [ immediate reg 1 0x00000016 ]
+  [ meta set mark with reg 1 ]
+
+# meta mark set 0xf045ffde or 0x10
+ip test-ip4 input
+  [ immediate reg 1 0xf045ffde ]
+  [ meta set mark with reg 1 ]
+
+# meta mark set 0xffffffde or 0x16
+ip test-ip4 input
+  [ immediate reg 1 0xffffffde ]
+  [ meta set mark with reg 1 ]
+
+# meta mark set 0x32 or 0xfffff
+ip test-ip4 input
+  [ immediate reg 1 0x000fffff ]
+  [ meta set mark with reg 1 ]
+
+# meta mark set 0xfffe xor 0x16
+ip test-ip4 input
+  [ immediate reg 1 0x0000ffe8 ]
+  [ meta set mark with reg 1 ]
+
+# meta iif "lo"
+ip test-ip4 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# meta oif "lo"
+ip test-ip4 input
+  [ meta load oif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# meta oifname "dummy2" accept
+ip test-ip4 input
+  [ meta load oifname => reg 1 ]
+  [ cmp eq reg 1 0x6d6d7564 0x00003279 0x00000000 0x00000000 ]
+  [ immediate reg 0 accept ]
+
+# meta skuid 3000
+ip test-ip4 input
+  [ meta load skuid => reg 1 ]
+  [ cmp eq reg 1 0x00000bb8 ]
+
+# meta skgid 3000
+ip test-ip4 input
+  [ meta load skgid => reg 1 ]
+  [ cmp eq reg 1 0x00000bb8 ]
+
+# meta rtclassid "cosmos"
+ip test-ip4 input
+  [ meta load rtclassid => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# meta pkttype broadcast
+ip test-ip4 input
+  [ meta load pkttype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# meta pkttype host
+ip test-ip4 input
+  [ meta load pkttype => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# meta pkttype multicast
+ip test-ip4 input
+  [ meta load pkttype => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+
+# meta pkttype != broadcast
+ip test-ip4 input
+  [ meta load pkttype => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# meta pkttype != host
+ip test-ip4 input
+  [ meta load pkttype => reg 1 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# meta pkttype != multicast
+ip test-ip4 input
+  [ meta load pkttype => reg 1 ]
+  [ cmp neq reg 1 0x00000002 ]
+
+# pkttype { broadcast, multicast} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000002  : 0 [end]
+ip test-ip4 input
+  [ meta load pkttype => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# meta cpu 1
+ip test-ip4 input
+  [ meta load cpu => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# meta cpu != 1
+ip test-ip4 input
+  [ meta load cpu => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# meta cpu 1-3
+ip test-ip4 input
+  [ meta load cpu => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ cmp gte reg 1 0x01000000 ]
+  [ cmp lte reg 1 0x03000000 ]
+
+# meta cpu != 1-2
+ip test-ip4 input
+  [ meta load cpu => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ range neq reg 1 0x01000000 0x02000000 ]
+
+# meta cpu { 2,3}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000002  : 0 [end]	element 00000003  : 0 [end]
+ip test-ip4 input
+  [ meta load cpu => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta cpu != { 2,3}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000002  : 0 [end]	element 00000003  : 0 [end]
+ip test-ip4 input
+  [ meta load cpu => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta cpu { 2-3, 5-7}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 02000000  : 0 [end]	element 04000000  : 1 [end]	element 05000000  : 0 [end]	element 08000000  : 1 [end]
+ip test-ip4 input
+  [ meta load cpu => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d ]
+
+# meta iifgroup 0
+ip test-ip4 input
+  [ meta load iifgroup => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# meta iifgroup != 0
+ip test-ip4 input
+  [ meta load iifgroup => reg 1 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# meta iifgroup "default"
+ip test-ip4 input
+  [ meta load iifgroup => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# meta iifgroup != "default"
+ip test-ip4 input
+  [ meta load iifgroup => reg 1 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# meta iifgroup { 11,33}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 0000000b  : 0 [end]	element 00000021  : 0 [end]
+ip test-ip4 input
+  [ meta load iifgroup => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta oifgroup 0
+ip test-ip4 input
+  [ meta load oifgroup => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# meta oifgroup != 0
+ip test-ip4 input
+  [ meta load oifgroup => reg 1 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# meta oifgroup "default"
+ip test-ip4 input
+  [ meta load oifgroup => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# meta oifgroup != "default"
+ip test-ip4 input
+  [ meta load oifgroup => reg 1 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# meta oifgroup { 11,33}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 0000000b  : 0 [end]	element 00000021  : 0 [end]
+ip test-ip4 input
+  [ meta load oifgroup => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta cgroup 1048577
+ip test-ip4 input
+  [ meta load cgroup => reg 1 ]
+  [ cmp eq reg 1 0x00100001 ]
+
+# meta cgroup != 1048577
+ip test-ip4 input
+  [ meta load cgroup => reg 1 ]
+  [ cmp neq reg 1 0x00100001 ]
+
+# meta cgroup { 1048577, 1048578 }
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00100001  : 0 [end]	element 00100002  : 0 [end]
+ip test-ip4 input
+  [ meta load cgroup => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta cgroup != { 1048577, 1048578}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00100001  : 0 [end]	element 00100002  : 0 [end]
+ip test-ip4 input
+  [ meta load cgroup => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta cgroup 1048577-1048578
+ip test-ip4 input
+  [ meta load cgroup => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ cmp gte reg 1 0x01001000 ]
+  [ cmp lte reg 1 0x02001000 ]
+
+# meta cgroup != 1048577-1048578
+ip test-ip4 input
+  [ meta load cgroup => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ range neq reg 1 0x01001000 0x02001000 ]
+
+# meta iif . meta oif { "lo" . "lo" }
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001 00000001  : 0 [end]
+ip test-ip4 output
+  [ meta load iif => reg 1 ]
+  [ meta load oif => reg 9 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta iif . meta oif . meta mark { "lo" . "lo" . 0x0000000a }
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001 00000001 0000000a  : 0 [end]
+ip test-ip4 output
+  [ meta load iif => reg 1 ]
+  [ meta load oif => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta iif . meta oif vmap { "lo" . "lo" : drop }
+__map%d test-ip4 b
+__map%d test-ip4 0
+	element 00000001 00000001  : drop 0 [end]
+ip test-ip4 output
+  [ meta load iif => reg 1 ]
+  [ meta load oif => reg 9 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# meta random eq 1
+ip test-ip4 input
+  [ meta load prandom => reg 1 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# meta random gt 1000000
+ip test-ip4 input
+  [ meta load prandom => reg 1 ]
+  [ cmp gt reg 1 0x40420f00 ]
+
+# meta priority root
+ip test-ip4 input
+  [ meta load priority => reg 1 ]
+  [ cmp eq reg 1 0xffffffff ]
+
+# meta priority none
+netdev test-netdev ingress
+  [ meta load priority => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# meta priority 1:1234
+ip test-ip4 input
+  [ meta load priority => reg 1 ]
+  [ cmp eq reg 1 0x00011234 ]
+
+# meta priority bcad:dadc
+ip test-ip4 input
+  [ meta load priority => reg 1 ]
+  [ cmp eq reg 1 0xbcaddadc ]
+
+# meta priority aabb:0
+ip test-ip4 input
+  [ meta load priority => reg 1 ]
+  [ cmp eq reg 1 0xaabb0000 ]
+
+# meta priority != bcad:dadc
+ip test-ip4 input
+  [ meta load priority => reg 1 ]
+  [ cmp neq reg 1 0xbcaddadc ]
+
+# meta priority != aabb:0
+ip test-ip4 input
+  [ meta load priority => reg 1 ]
+  [ cmp neq reg 1 0xaabb0000 ]
+
+# meta priority bcad:dada-bcad:dadc
+ip test-ip4 input
+  [ meta load priority => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ cmp gte reg 1 0xdadaadbc ]
+  [ cmp lte reg 1 0xdcdaadbc ]
+
+# meta priority != bcad:dada-bcad:dadc
+ip test-ip4 input
+  [ meta load priority => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ range neq reg 1 0xdadaadbc 0xdcdaadbc ]
+
+# meta priority {bcad:dada, bcad:dadc, aaaa:bbbb}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element bcaddada  : 0 [end]	element bcaddadc  : 0 [end]	element aaaabbbb  : 0 [end]
+ip test-ip4 input
+  [ meta load priority => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta priority set cafe:beef
+ip test-ip4 input
+  [ immediate reg 1 0xcafebeef ]
+  [ meta set priority with reg 1 ]
+
+# meta priority != {bcad:dada, bcad:dadc, aaaa:bbbb}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element bcaddada  : 0 [end]	element bcaddadc  : 0 [end]	element aaaabbbb  : 0 [end]
+ip test-ip4 input
+  [ meta load priority => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta priority 0x87654321
+ip test-ip4 input
+  [ meta load priority => reg 1 ]
+  [ cmp eq reg 1 0x87654321 ]
+
+# meta priority 2271560481
+ip test-ip4 input
+  [ meta load priority => reg 1 ]
+  [ cmp eq reg 1 0x87654321 ]
+
+# meta length { 33-55, 66-88}
+__set%d test-ip4 7 size 5
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]	element 42000000  : 0 [end]	element 59000000  : 1 [end]
+ip test-ip4 input 
+  [ meta load len => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d ]
+
+# meta length != { 33-55, 66-88}
+__set%d test-ip4 7 size 5
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]	element 42000000  : 0 [end]	element 59000000  : 1 [end]
+ip test-ip4 input 
+  [ meta load len => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta l4proto { 33-55, 66-88}
+__set%d test-ip4 7 size 5
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]	element 00000042  : 0 [end]	element 00000059  : 1 [end]
+ip test-ip4 input 
+  [ meta load l4proto => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta l4proto != { 33-55, 66-88}
+__set%d test-ip4 7 size 5
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]	element 00000042  : 0 [end]	element 00000059  : 1 [end]
+ip test-ip4 input 
+  [ meta load l4proto => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta skuid { 2001-2005, 3001-3005} accept
+__set%d test-ip4 7 size 5
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element d1070000  : 0 [end]	element d6070000  : 1 [end]	element b90b0000  : 0 [end]	element be0b0000  : 1 [end]
+ip test-ip4 input 
+  [ meta load skuid => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# meta iifgroup {"default", 11}
+__set%d test-ip4 3 size 2
+__set%d test-ip4 0
+	element 00000000  : 0 [end]	element 0000000b  : 0 [end]
+ip test-ip4 input 
+  [ meta load iifgroup => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta iifgroup != {"default", 11}
+__set%d test-ip4 3 size 2
+__set%d test-ip4 0
+	element 00000000  : 0 [end]	element 0000000b  : 0 [end]
+ip test-ip4 input 
+  [ meta load iifgroup => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta iifgroup {11-33, 44-55}
+__set%d test-ip4 7 size 5
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 0b000000  : 0 [end]	element 22000000  : 1 [end]	element 2c000000  : 0 [end]	element 38000000  : 1 [end]
+ip test-ip4 input 
+  [ meta load iifgroup => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d ]
+
+# meta iifgroup != { 11,33}
+__set%d test-ip4 3 size 2
+__set%d test-ip4 0
+	element 0000000b  : 0 [end]	element 00000021  : 0 [end]
+ip test-ip4 input 
+  [ meta load iifgroup => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta iifgroup != {11-33, 44-55}
+__set%d test-ip4 7 size 5
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 0b000000  : 0 [end]	element 22000000  : 1 [end]	element 2c000000  : 0 [end]	element 38000000  : 1 [end]
+ip test-ip4 input 
+  [ meta load iifgroup => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta oifgroup {"default", 11}
+__set%d test-ip4 3 size 2
+__set%d test-ip4 0
+	element 00000000  : 0 [end]	element 0000000b  : 0 [end]
+ip test-ip4 input 
+  [ meta load oifgroup => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta oifgroup {11-33, 44-55}
+__set%d test-ip4 7 size 5
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 0b000000  : 0 [end]	element 22000000  : 1 [end]	element 2c000000  : 0 [end]	element 38000000  : 1 [end]
+ip test-ip4 input 
+  [ meta load oifgroup => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d ]
+
+# meta oifgroup != { 11,33}
+__set%d test-ip4 3 size 2
+__set%d test-ip4 0
+	element 0000000b  : 0 [end]	element 00000021  : 0 [end]
+ip test-ip4 input 
+  [ meta load oifgroup => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta oifgroup != {11-33, 44-55}
+__set%d test-ip4 7 size 5
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 0b000000  : 0 [end]	element 22000000  : 1 [end]	element 2c000000  : 0 [end]	element 38000000  : 1 [end]
+ip test-ip4 input 
+  [ meta load oifgroup => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta skuid != { 2001-2005, 3001-3005} accept
+__set%d test-ip4 7 size 5
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element d1070000  : 0 [end]	element d6070000  : 1 [end]	element b90b0000  : 0 [end]	element be0b0000  : 1 [end]
+ip test-ip4 input 
+  [ meta load skuid => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# meta oifgroup != {"default", 11}
+__set%d test-ip4 3 size 2
+__set%d test-ip4 0
+	element 00000000  : 0 [end]	element 0000000b  : 0 [end]
+ip test-ip4 input 
+  [ meta load oifgroup => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta time "1970-05-23 21:07:14" drop
+ip meta-test input
+  [ meta load time => reg 1 ]
+  [ cmp eq reg 1 0x43f05400 0x002bd503 ]
+  [ immediate reg 0 drop ]
+
+# meta time 12341234 drop
+ip meta-test input
+  [ meta load time => reg 1 ]
+  [ cmp eq reg 1 0x74a8f400 0x002bd849 ]
+  [ immediate reg 0 drop ]
+
+# meta time "2019-06-21 17:00:00" drop
+ip meta-test input
+  [ meta load time => reg 1 ]
+  [ cmp eq reg 1 0x767d6000 0x15aa3ebc ]
+  [ immediate reg 0 drop ]
+
+# meta time "2019-07-01 00:00:00" drop
+ip meta-test input
+  [ meta load time => reg 1 ]
+  [ cmp eq reg 1 0xe750c000 0x15ad18e0 ]
+  [ immediate reg 0 drop ]
+
+# meta time "2019-07-01 00:01:00" drop
+ip meta-test input
+  [ meta load time => reg 1 ]
+  [ cmp eq reg 1 0xdf981800 0x15ad18ee ]
+  [ immediate reg 0 drop ]
+
+# meta time "2019-07-01 00:00:01" drop
+ip meta-test input
+  [ meta load time => reg 1 ]
+  [ cmp eq reg 1 0x22eb8a00 0x15ad18e1 ]
+  [ immediate reg 0 drop ]
+
+# meta time < "2022-07-01 11:00:00" accept
+ip test-ip4 input
+  [ meta load time => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 8, 8) ]
+  [ cmp lt reg 1 0xf3a8fd16 0x00a07719 ]
+  [ immediate reg 0 accept ]
+
+# meta time > "2022-07-01 11:00:00" accept
+ip test-ip4 input
+  [ meta load time => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 8, 8) ]
+  [ cmp gt reg 1 0xf3a8fd16 0x00a07719 ]
+  [ immediate reg 0 accept ]
+
+# meta day "Saturday" drop
+ip test-ip4 input
+  [ meta load day => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 0 drop ]
+
+# meta day 6 drop
+ip test-ip4 input
+  [ meta load day => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 0 drop ]
+
+# meta hour "17:00" drop
+ip test-ip4 input
+  [ meta load hour => reg 1 ]
+  [ cmp eq reg 1 0x0000d2f0 ]
+  [ immediate reg 0 drop ]
+
+# meta hour "17:00:00" drop
+ip test-ip4 input
+  [ meta load hour => reg 1 ]
+  [ cmp eq reg 1 0x0000d2f0 ]
+  [ immediate reg 0 drop ]
+
+# meta hour "17:00:01" drop
+ip meta-test input
+  [ meta load hour => reg 1 ]
+  [ cmp eq reg 1 0x0000d2f1 ]
+  [ immediate reg 0 drop ]
+
+# meta hour "00:00" drop
+ip meta-test input
+  [ meta load hour => reg 1 ]
+  [ cmp eq reg 1 0x00013560 ]
+  [ immediate reg 0 drop ]
+
+# meta hour "00:01" drop
+ip meta-test input
+  [ meta load hour => reg 1 ]
+  [ cmp eq reg 1 0x0001359c ]
+  [ immediate reg 0 drop ]
+
+# time < "2022-07-01 11:00:00" accept
+ip test-ip4 input
+  [ meta load time => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 8, 8) ]
+  [ cmp lt reg 1 0xf3a8fd16 0x00a07719 ]
+  [ immediate reg 0 accept ]
+
+# time > "2022-07-01 11:00:00" accept
+ip test-ip4 input
+  [ meta load time => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 8, 8) ]
+  [ cmp gt reg 1 0xf3a8fd16 0x00a07719 ]
+  [ immediate reg 0 accept ]
diff --git a/tests/py/any/objects.t b/tests/py/any/objects.t
new file mode 100644
index 0000000..7b51f91
--- /dev/null
+++ b/tests/py/any/objects.t
@@ -0,0 +1,16 @@
+:output;type filter hook output priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;output
+*ip6;test-ip6;output
+*inet;test-inet;output
+*arp;test-arp;output
+*bridge;test-bridge;output
+*netdev;test-netdev;ingress,egress
+
+%cnt1 type counter;ok
+%qt1 type quota 25 mbytes;ok
+%qt2 type quota over 1 kbytes;ok
+%lim0 type limit rate 400/minute;ok
+%lim2 type limit rate over 1024 bytes/second burst 512 bytes;ok
diff --git a/tests/py/any/queue.t b/tests/py/any/queue.t
new file mode 100644
index 0000000..2e51136
--- /dev/null
+++ b/tests/py/any/queue.t
@@ -0,0 +1,33 @@
+:output;type filter hook output priority 0
+
+*ip;test-ip4;output
+*ip6;test-ip6;output
+*inet;test-inet;output
+*bridge;test-bridge;output
+
+queue;ok;queue to 0
+queue num 2;ok;queue to 2
+queue num 65535;ok;queue to 65535
+queue num 65536;fail
+queue num 2-3;ok;queue to 2-3
+queue num 1-65535;ok;queue to 1-65535
+queue num 4-5 fanout bypass;ok;queue flags bypass,fanout to 4-5
+queue num 4-5 fanout;ok;queue flags fanout to 4-5
+queue num 4-5 bypass;ok;queue flags bypass to 4-5
+
+queue to symhash mod 2 offset 65536;fail
+queue num symhash mod 65536;fail
+queue to symhash mod 65536;ok
+queue flags fanout to symhash mod 65536;fail
+queue flags bypass,fanout to symhash mod 65536;fail
+queue flags bypass to numgen inc mod 65536;ok
+queue to jhash oif . meta mark mod 32;ok
+queue to 2;ok
+queue to 65535;ok
+queue flags bypass to 65535;ok
+queue flags bypass to 1-65535;ok
+queue flags bypass,fanout to 1-65535;ok
+queue to 1-65535;ok
+queue to oif;fail
+queue num oif;fail
+queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 };ok
diff --git a/tests/py/any/queue.t.json b/tests/py/any/queue.t.json
new file mode 100644
index 0000000..5f7f901
--- /dev/null
+++ b/tests/py/any/queue.t.json
@@ -0,0 +1,251 @@
+# queue
+[
+    {
+        "queue": null
+    }
+]
+
+# queue num 2
+[
+    {
+        "queue": {
+            "num": 2
+        }
+    }
+]
+
+# queue num 65535
+[
+    {
+        "queue": {
+            "num": 65535
+        }
+    }
+]
+
+# queue num 2-3
+[
+    {
+        "queue": {
+            "num": {
+                "range": [ 2, 3 ]
+            }
+        }
+    }
+]
+
+# queue num 1-65535
+[
+    {
+        "queue": {
+            "num": {
+                "range": [ 1, 65535 ]
+            }
+        }
+    }
+]
+
+# queue num 4-5 fanout bypass
+[
+    {
+        "queue": {
+            "flags": [
+                "bypass",
+                "fanout"
+            ],
+            "num": {
+                "range": [ 4, 5 ]
+            }
+        }
+    }
+]
+
+# queue num 4-5 fanout
+[
+    {
+        "queue": {
+            "flags": "fanout",
+            "num": {
+                "range": [ 4, 5 ]
+            }
+        }
+    }
+]
+
+# queue num 4-5 bypass
+[
+    {
+        "queue": {
+            "flags": "bypass",
+            "num": {
+                "range": [ 4, 5 ]
+            }
+        }
+    }
+]
+
+# queue to symhash mod 65536
+[
+    {
+        "queue": {
+            "num": {
+                "symhash": {
+                    "mod": 65536
+                }
+            }
+        }
+    }
+]
+
+# queue flags bypass to numgen inc mod 65536
+[
+    {
+        "queue": {
+            "flags": "bypass",
+            "num": {
+                "numgen": {
+                    "mod": 65536,
+                    "mode": "inc",
+                    "offset": 0
+                }
+            }
+        }
+    }
+]
+
+# queue to jhash oif . meta mark mod 32
+[
+    {
+        "queue": {
+            "num": {
+                "jhash": {
+                    "expr": {
+                        "concat": [
+                            {
+                                "meta": {
+                                    "key": "oif"
+                                }
+                            },
+                            {
+                                "meta": {
+                                    "key": "mark"
+                                }
+                            }
+                        ]
+                    },
+                    "mod": 32
+                }
+            }
+        }
+    }
+]
+
+# queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }
+[
+    {
+        "queue": {
+            "flags": "bypass",
+            "num": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                "eth0",
+                                0
+                            ],
+                            [
+                                "ppp0",
+                                2
+                            ],
+                            [
+                                "eth1",
+                                2
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "meta": {
+                            "key": "oifname"
+                        }
+                    }
+                }
+            }
+        }
+    }
+]
+
+# queue to 2
+[
+    {
+        "queue": {
+            "num": 2
+        }
+    }
+]
+
+# queue to 65535
+[
+    {
+        "queue": {
+            "num": 65535
+        }
+    }
+]
+
+# queue flags bypass to 65535
+[
+    {
+        "queue": {
+            "flags": "bypass",
+            "num": 65535
+        }
+    }
+]
+
+# queue flags bypass to 1-65535
+[
+    {
+        "queue": {
+            "flags": "bypass",
+            "num": {
+                "range": [
+                    1,
+                    65535
+                ]
+            }
+        }
+    }
+]
+
+# queue flags bypass,fanout to 1-65535
+[
+    {
+        "queue": {
+            "flags": [
+                "bypass",
+                "fanout"
+            ],
+            "num": {
+                "range": [
+                    1,
+                    65535
+                ]
+            }
+        }
+    }
+]
+
+# queue to 1-65535
+[
+    {
+        "queue": {
+            "num": {
+                "range": [
+                    1,
+                    65535
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/any/queue.t.json.output b/tests/py/any/queue.t.json.output
new file mode 100644
index 0000000..1104d76
--- /dev/null
+++ b/tests/py/any/queue.t.json.output
@@ -0,0 +1,9 @@
+# queue
+[
+    {
+        "queue": {
+            "num": 0
+        }
+    }
+]
+
diff --git a/tests/py/any/queue.t.payload b/tests/py/any/queue.t.payload
new file mode 100644
index 0000000..2f22193
--- /dev/null
+++ b/tests/py/any/queue.t.payload
@@ -0,0 +1,81 @@
+# queue
+ip test-ip4 output
+  [ queue num 0 ]
+
+# queue num 2
+ip test-ip4 output
+  [ queue num 2 ]
+
+# queue num 65535
+ip test-ip4 output
+  [ queue num 65535 ]
+
+# queue num 2-3
+ip test-ip4 output
+  [ queue num 2-3 ]
+
+# queue num 1-65535
+ip test-ip4 output
+  [ queue num 1-65535 ]
+
+# queue num 4-5 fanout bypass
+ip test-ip4 output
+  [ queue num 4-5 bypass fanout ]
+
+# queue num 4-5 fanout
+ip test-ip4 output
+  [ queue num 4-5 fanout ]
+
+# queue num 4-5 bypass
+ip test-ip4 output
+  [ queue num 4-5 bypass ]
+
+# queue to symhash mod 65536
+ip
+  [ hash reg 1 = symhash() % mod 65536 ]
+  [ queue sreg_qnum 1 ]
+
+# queue to jhash oif . meta mark mod 32
+ip
+  [ meta load oif => reg 2 ]
+  [ meta load mark => reg 13 ]
+  [ hash reg 1 = jhash(reg 2, 8, 0x0) % mod 32 ]
+  [ queue sreg_qnum 1 ]
+
+# queue flags bypass to numgen inc mod 65536
+ip
+  [ numgen reg 1 = inc mod 65536 ]
+  [ queue sreg_qnum 1 bypass ]
+
+# queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }
+__map%d test-ip4 b size 3
+__map%d test-ip4 0
+	element 30687465 00000000 00000000 00000000  : 00000000 0 [end]	element 30707070 00000000 00000000 00000000  : 00000002 0 [end]	element 31687465 00000000 00000000 00000000  : 00000002 0 [end]
+ip
+  [ meta load oifname => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ queue sreg_qnum 1 bypass ]
+
+# queue to 2
+ip
+  [ queue num 2 ]
+
+# queue to 65535
+ip
+  [ queue num 65535 ]
+
+# queue flags bypass to 65535
+ip
+  [ queue num 65535 bypass ]
+
+# queue flags bypass to 1-65535
+ip
+  [ queue num 1-65535 bypass ]
+
+# queue flags bypass,fanout to 1-65535
+ip
+  [ queue num 1-65535 bypass fanout ]
+
+# queue to 1-65535
+ip
+  [ queue num 1-65535 ]
diff --git a/tests/py/any/quota.t b/tests/py/any/quota.t
new file mode 100644
index 0000000..79dd765
--- /dev/null
+++ b/tests/py/any/quota.t
@@ -0,0 +1,25 @@
+:output;type filter hook output priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;output
+*ip6;test-ip6;output
+*inet;test-inet;output
+*arp;test-arp;output
+*bridge;test-bridge;output
+*netdev;test-netdev;ingress,egress
+
+quota 1025 bytes;ok
+quota 1 kbytes;ok
+quota 2 kbytes;ok
+quota 1025 kbytes;ok
+quota 1023 mbytes;ok
+quota 10230 mbytes;ok
+quota 1023000 mbytes;ok
+
+quota over 1 kbytes;ok
+quota over 2 kbytes;ok
+quota over 1025 kbytes;ok
+quota over 1023 mbytes;ok
+quota over 10230 mbytes;ok
+quota over 1023000 mbytes;ok
diff --git a/tests/py/any/quota.t.json b/tests/py/any/quota.t.json
new file mode 100644
index 0000000..59ccc72
--- /dev/null
+++ b/tests/py/any/quota.t.json
@@ -0,0 +1,136 @@
+# quota 1025 bytes
+[
+    {
+        "quota": {
+            "val": 1025,
+            "val_unit": "bytes"
+        }
+    }
+]
+
+# quota 1 kbytes
+[
+    {
+        "quota": {
+            "val": 1,
+            "val_unit": "kbytes"
+        }
+    }
+]
+
+# quota 2 kbytes
+[
+    {
+        "quota": {
+            "val": 2,
+            "val_unit": "kbytes"
+        }
+    }
+]
+
+# quota 1025 kbytes
+[
+    {
+        "quota": {
+            "val": 1025,
+            "val_unit": "kbytes"
+        }
+    }
+]
+
+# quota 1023 mbytes
+[
+    {
+        "quota": {
+            "val": 1023,
+            "val_unit": "mbytes"
+        }
+    }
+]
+
+# quota 10230 mbytes
+[
+    {
+        "quota": {
+            "val": 10230,
+            "val_unit": "mbytes"
+        }
+    }
+]
+
+# quota 1023000 mbytes
+[
+    {
+        "quota": {
+            "val": 1023000,
+            "val_unit": "mbytes"
+        }
+    }
+]
+
+# quota over 1 kbytes
+[
+    {
+        "quota": {
+            "inv": true,
+            "val": 1,
+            "val_unit": "kbytes"
+        }
+    }
+]
+
+# quota over 2 kbytes
+[
+    {
+        "quota": {
+            "inv": true,
+            "val": 2,
+            "val_unit": "kbytes"
+        }
+    }
+]
+
+# quota over 1025 kbytes
+[
+    {
+        "quota": {
+            "inv": true,
+            "val": 1025,
+            "val_unit": "kbytes"
+        }
+    }
+]
+
+# quota over 1023 mbytes
+[
+    {
+        "quota": {
+            "inv": true,
+            "val": 1023,
+            "val_unit": "mbytes"
+        }
+    }
+]
+
+# quota over 10230 mbytes
+[
+    {
+        "quota": {
+            "inv": true,
+            "val": 10230,
+            "val_unit": "mbytes"
+        }
+    }
+]
+
+# quota over 1023000 mbytes
+[
+    {
+        "quota": {
+            "inv": true,
+            "val": 1023000,
+            "val_unit": "mbytes"
+        }
+    }
+]
+
diff --git a/tests/py/any/quota.t.payload b/tests/py/any/quota.t.payload
new file mode 100644
index 0000000..31cfccb
--- /dev/null
+++ b/tests/py/any/quota.t.payload
@@ -0,0 +1,52 @@
+# quota 1025 bytes
+ip test-ip4 output 
+  [ quota bytes 1025 consumed 0 flags 0 ]
+
+# quota 1 kbytes
+ip test-ip4 output 
+  [ quota bytes 1024 consumed 0 flags 0 ]
+
+# quota 2 kbytes
+ip test-ip4 output 
+  [ quota bytes 2048 consumed 0 flags 0 ]
+
+# quota 1025 kbytes
+ip test-ip4 output 
+  [ quota bytes 1049600 consumed 0 flags 0 ]
+
+# quota 1023 mbytes
+ip test-ip4 output 
+  [ quota bytes 1072693248 consumed 0 flags 0 ]
+
+# quota 10230 mbytes
+ip test-ip4 output 
+  [ quota bytes 10726932480 consumed 0 flags 0 ]
+
+# quota 1023000 mbytes
+ip test-ip4 output 
+  [ quota bytes 1072693248000 consumed 0 flags 0 ]
+
+# quota over 1 kbytes
+ip test-ip4 output 
+  [ quota bytes 1024 consumed 0 flags 1 ]
+
+# quota over 2 kbytes
+ip test-ip4 output 
+  [ quota bytes 2048 consumed 0 flags 1 ]
+
+# quota over 1025 kbytes
+ip test-ip4 output 
+  [ quota bytes 1049600 consumed 0 flags 1 ]
+
+# quota over 1023 mbytes
+ip test-ip4 output 
+  [ quota bytes 1072693248 consumed 0 flags 1 ]
+
+# quota over 10230 mbytes
+ip test-ip4 output 
+  [ quota bytes 10726932480 consumed 0 flags 1 ]
+
+# quota over 1023000 mbytes
+ip test-ip4 output 
+  [ quota bytes 1072693248000 consumed 0 flags 1 ]
+
diff --git a/tests/py/any/rawpayload.t b/tests/py/any/rawpayload.t
new file mode 100644
index 0000000..5bc9d35
--- /dev/null
+++ b/tests/py/any/rawpayload.t
@@ -0,0 +1,24 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+meta l4proto { tcp, udp, sctp} @th,16,16 { 22, 23, 80 };ok;meta l4proto { 6, 17, 132} th dport { 22, 23, 80}
+meta l4proto tcp @th,16,16 { 22, 23, 80};ok;tcp dport { 22, 23, 80}
+@nh,8,8 0xff;ok
+@nh,8,16 0x0;ok
+
+# out of range (0-1)
+@th,16,1 2;fail
+
+@ll,0,0 2;fail
+@ll,0,1;fail
+@ll,0,1 1;ok;@ll,0,8 & 0x80 == 0x80
+@ll,0,8 & 0x80 == 0x80;ok
+@ll,0,128 0xfedcba987654321001234567890abcde;ok
+
+meta l4proto 91 @th,400,16 0x0 accept;ok
+
+@ih,32,32 0x14000000;ok
diff --git a/tests/py/any/rawpayload.t.json b/tests/py/any/rawpayload.t.json
new file mode 100644
index 0000000..4cae4d4
--- /dev/null
+++ b/tests/py/any/rawpayload.t.json
@@ -0,0 +1,206 @@
+# meta l4proto { tcp, udp, sctp} @th,16,16 { 22, 23, 80 }
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "tcp",
+                    "udp",
+                    "sctp"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "base": "th",
+                    "len": 16,
+                    "offset": 16
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    22,
+                    23,
+                    80
+                ]
+            }
+        }
+    }
+]
+
+# meta l4proto tcp @th,16,16 { 22, 23, 80}
+[
+    {
+        "match": {
+	    "left": { "meta": { "key": "l4proto" } },
+	    "op": "==",
+	    "right": "tcp"
+	}
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "base": "th",
+		    "len": 16,
+		    "offset": 16
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    22,
+                    23,
+                    80
+                ]
+            }
+        }
+    }
+]
+
+# @nh,8,8 0xff
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "base": "nh",
+                    "len": 8,
+                    "offset": 8
+                }
+            },
+	    "op": "==",
+            "right": "0xff"
+        }
+    }
+]
+
+# @nh,8,16 0x0
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "base": "nh",
+                    "len": 16,
+                    "offset": 8
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# @ll,0,1 1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "base": "ll",
+                    "len": 1,
+                    "offset": 0
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# @ll,0,8 & 0x80 == 0x80
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "base": "ll",
+                            "len": 8,
+                            "offset": 0
+                        }
+                    },
+                    "0x80"
+                ]
+            },
+            "op": "==",
+            "right": "0x80"
+        }
+    }
+]
+
+# @ll,0,128 0xfedcba987654321001234567890abcde
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "base": "ll",
+                    "len": 128,
+                    "offset": 0
+                }
+            },
+	    "op": "==",
+            "right": "0xfedcba987654321001234567890abcde"
+        }
+    }
+]
+
+# meta l4proto 91 @th,400,16 0x0 accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 91
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "base": "th",
+                    "len": 16,
+                    "offset": 400
+                }
+            },
+            "op": "==",
+            "right": 0
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# @ih,32,32 0x14000000
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "base": "ih",
+                    "len": 32,
+                    "offset": 32
+                }
+            },
+            "op": "==",
+            "right": 335544320
+        }
+    }
+]
+
diff --git a/tests/py/any/rawpayload.t.json.output b/tests/py/any/rawpayload.t.json.output
new file mode 100644
index 0000000..291b237
--- /dev/null
+++ b/tests/py/any/rawpayload.t.json.output
@@ -0,0 +1,119 @@
+# meta l4proto { tcp, udp, sctp} @th,16,16 { 22, 23, 80 }
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    6,
+                    17,
+                    132
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "th"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    22,
+                    23,
+                    80
+                ]
+            }
+        }
+    }
+]
+
+# meta l4proto tcp @th,16,16 { 22, 23, 80}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    22,
+                    23,
+                    80
+                ]
+            }
+        }
+    }
+]
+
+# @ll,0,1 1
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "base": "ll",
+                            "len": 8,
+                            "offset": 0
+                        }
+                    },
+                    128
+                ]
+            },
+            "op": "==",
+            "right": 128
+        }
+    }
+]
+
+# @ll,0,8 & 0x80 == 0x80
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "base": "ll",
+                            "len": 8,
+                            "offset": 0
+                        }
+                    },
+                    128
+                ]
+            },
+            "op": "==",
+            "right": 128
+        }
+    }
+]
+
+# @nh,8,8 0xff
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "base": "nh",
+                    "len": 8,
+                    "offset": 8
+                }
+            },
+            "op": "==",
+            "right": 255
+        }
+    }
+]
diff --git a/tests/py/any/rawpayload.t.payload b/tests/py/any/rawpayload.t.payload
new file mode 100644
index 0000000..fe2377e
--- /dev/null
+++ b/tests/py/any/rawpayload.t.payload
@@ -0,0 +1,63 @@
+# meta l4proto { tcp, udp, sctp} @th,16,16 { 22, 23, 80 }
+__set%d test-inet 3 size 3
+__set%d test-inet 0
+	element 00000006  : 0 [end]	element 00000011  : 0 [end]	element 00000084  : 0 [end]
+__set%d test-inet 3 size 3
+__set%d test-inet 0
+	element 00001600  : 0 [end]	element 00001700  : 0 [end]	element 00005000  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta l4proto tcp @th,16,16 { 22, 23, 80}
+__set%d test-inet 3 size 3
+__set%d test-inet 0
+	element 00001600  : 0 [end]	element 00001700  : 0 [end]	element 00005000  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# @nh,8,8 0xff
+inet test-inet input
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ cmp eq reg 1 0x000000ff ]
+
+# @nh,8,16 0x0
+inet test-inet input
+  [ payload load 2b @ network header + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# @ll,0,1 1
+inet test-inet input
+  [ payload load 1b @ link header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000080 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000080 ]
+
+# @ll,0,8 & 0x80 == 0x80
+inet test-inet input
+  [ payload load 1b @ link header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000080 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000080 ]
+
+# @ll,0,128 0xfedcba987654321001234567890abcde
+inet test-inet input
+  [ payload load 16b @ link header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x98badcfe 0x10325476 0x67452301 0xdebc0a89 ]
+
+# meta l4proto 91 @th,400,16 0x0 accept
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000005b ]
+  [ payload load 2b @ transport header + 50 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+  [ immediate reg 0 accept ]
+
+# @ih,32,32 0x14000000
+inet test-inet input
+  [ payload load 4b @ inner header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00000014 ]
+
diff --git a/tests/py/any/rt.t b/tests/py/any/rt.t
new file mode 100644
index 0000000..3ce57e0
--- /dev/null
+++ b/tests/py/any/rt.t
@@ -0,0 +1,9 @@
+:output;type filter hook input priority 0
+
+*ip;test-ip4;output
+*ip6;test-ip6;output
+*inet;test-inet;output
+
+rt classid "cosmos";ok
+rt ipsec exists;ok
+rt ipsec missing;ok
diff --git a/tests/py/any/rt.t.json b/tests/py/any/rt.t.json
new file mode 100644
index 0000000..2ca6fe0
--- /dev/null
+++ b/tests/py/any/rt.t.json
@@ -0,0 +1,45 @@
+# rt classid "cosmos"
+[
+    {
+        "match": {
+            "left": {
+                "rt": {
+                    "key": "classid"
+                }
+            },
+	    "op": "==",
+            "right": "cosmos"
+        }
+    }
+]
+
+# rt ipsec exists
+[
+    {
+        "match": {
+            "left": {
+                "rt": {
+                    "key": "ipsec"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# rt ipsec missing
+[
+    {
+        "match": {
+            "left": {
+                "rt": {
+                    "key": "ipsec"
+                }
+            },
+            "op": "==",
+            "right": false
+        }
+    }
+]
+
diff --git a/tests/py/any/rt.t.payload b/tests/py/any/rt.t.payload
new file mode 100644
index 0000000..e1ecb28
--- /dev/null
+++ b/tests/py/any/rt.t.payload
@@ -0,0 +1,15 @@
+# rt classid "cosmos"
+ip test-ip4 input
+  [ rt load classid => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# rt ipsec exists
+ip test-ip4 input
+  [ rt load ipsec => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# rt ipsec missing
+ip test-ip4 input
+  [ rt load ipsec => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
diff --git a/tests/py/any/tcpopt.t b/tests/py/any/tcpopt.t
new file mode 100644
index 0000000..177f01c
--- /dev/null
+++ b/tests/py/any/tcpopt.t
@@ -0,0 +1,62 @@
+:input;type filter hook input priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+
+tcp option eol exists;ok
+tcp option nop exists;ok
+tcp option maxseg exists;ok
+tcp option maxseg length 1;ok
+tcp option maxseg size 1;ok
+tcp option window length 1;ok
+tcp option window count 1;ok
+tcp option sack-perm exists;ok
+tcp option sack-perm length 1;ok
+tcp option sack exists;ok
+tcp option sack length 1;ok
+tcp option sack left 1;ok
+tcp option sack0 left 1;ok;tcp option sack left 1
+tcp option sack1 left 1;ok
+tcp option sack2 left 1;ok
+tcp option sack3 left 1;ok
+tcp option sack right 1;ok
+tcp option sack0 right 1;ok;tcp option sack right 1
+tcp option sack1 right 1;ok
+tcp option sack2 right 1;ok
+tcp option sack3 right 1;ok
+tcp option timestamp exists;ok
+tcp option timestamp length 1;ok
+tcp option timestamp tsval 1;ok
+tcp option timestamp tsecr 1;ok
+tcp option 255 missing;ok
+tcp option 6 exists;ok
+tcp option @255,8,8 255;ok
+
+tcp option foobar;fail
+tcp option foo bar;fail
+tcp option eol left;fail
+tcp option eol left 1;fail
+tcp option sack window;fail
+tcp option sack window 1;fail
+tcp option 256 exists;fail
+tcp option @255,8,8 256;fail
+
+tcp option window exists;ok
+tcp option window missing;ok
+
+tcp option maxseg size set 1360;ok
+
+tcp option md5sig exists;ok
+tcp option fastopen exists;ok
+tcp option mptcp exists;ok
+
+tcp option mptcp subtype 0;ok
+tcp option mptcp subtype 1;ok
+tcp option mptcp subtype { 0, 2};ok
+
+reset tcp option mptcp;ok
+reset tcp option 2;ok;reset tcp option maxseg
+reset tcp option 123;ok
+reset tcp option meh;fail
+reset tcp option 256;fail
diff --git a/tests/py/any/tcpopt.t.json b/tests/py/any/tcpopt.t.json
new file mode 100644
index 0000000..4466f14
--- /dev/null
+++ b/tests/py/any/tcpopt.t.json
@@ -0,0 +1,622 @@
+# tcp option eol exists
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "name": "eol"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# tcp option nop exists
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "name": "nop"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# tcp option maxseg exists
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "name": "maxseg"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# tcp option maxseg length 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "length",
+                    "name": "maxseg"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option maxseg size 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "size",
+                    "name": "maxseg"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option window length 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "length",
+                    "name": "window"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option window count 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "count",
+                    "name": "window"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option sack-perm exists
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "name": "sack-perm"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# tcp option sack-perm length 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "length",
+                    "name": "sack-perm"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option sack exists
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "name": "sack"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# tcp option sack length 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "length",
+                    "name": "sack"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option sack left 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "left",
+                    "name": "sack"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option sack0 left 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "left",
+                    "name": "sack"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option sack1 left 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "left",
+                    "name": "sack1"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option sack2 left 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "left",
+                    "name": "sack2"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option sack3 left 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "left",
+                    "name": "sack3"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option sack right 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "right",
+                    "name": "sack"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option sack0 right 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "right",
+                    "name": "sack"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option sack1 right 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "right",
+                    "name": "sack1"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option sack2 right 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "right",
+                    "name": "sack2"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option sack3 right 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "right",
+                    "name": "sack3"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option timestamp exists
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "name": "timestamp"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# tcp option timestamp length 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "length",
+                    "name": "timestamp"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option timestamp tsval 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "tsval",
+                    "name": "timestamp"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option timestamp tsecr 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "tsecr",
+                    "name": "timestamp"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option 255 missing
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "base": 255,
+                    "len": 8,
+                    "offset": 0
+                }
+            },
+            "op": "==",
+            "right": false
+        }
+    }
+]
+
+# tcp option 6 exists
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "base": 6,
+                    "len": 8,
+                    "offset": 0
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# tcp option @255,8,8 255
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "base": 255,
+                    "len": 8,
+                    "offset": 8
+                }
+            },
+            "op": "==",
+            "right": 255
+        }
+    }
+]
+
+# tcp option window exists
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "name": "window"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# tcp option window missing
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "name": "window"
+                }
+            },
+            "op": "==",
+            "right": false
+        }
+    }
+]
+
+# tcp option maxseg size set 1360
+[
+    {
+        "mangle": {
+            "key": {
+                "tcp option": {
+                    "field": "size",
+                    "name": "maxseg"
+                }
+            },
+            "value": 1360
+        }
+    }
+]
+
+# tcp option md5sig exists
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "name": "md5sig"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# tcp option fastopen exists
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "name": "fastopen"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# tcp option mptcp exists
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "name": "mptcp"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# tcp option mptcp subtype 0
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "subtype",
+                    "name": "mptcp"
+                }
+            },
+            "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# tcp option mptcp subtype 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "subtype",
+                    "name": "mptcp"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option mptcp subtype { 0, 2}
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "subtype",
+                    "name": "mptcp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    0,
+                    2
+                ]
+            }
+        }
+   }
+]
+
+# reset tcp option mptcp
+[
+    {
+        "reset": {
+            "tcp option": {
+                "name": "mptcp"
+            }
+        }
+    }
+]
+
+# reset tcp option 2
+[
+    {
+        "reset": {
+            "tcp option": {
+                "name": "maxseg"
+            }
+        }
+    }
+]
+
+# reset tcp option 123
+[
+    {
+        "reset": {
+            "tcp option": {
+                "base": 123,
+                "len": 0,
+                "offset": 0
+            }
+        }
+    }
+]
diff --git a/tests/py/any/tcpopt.t.json.output b/tests/py/any/tcpopt.t.json.output
new file mode 100644
index 0000000..ad0d25f
--- /dev/null
+++ b/tests/py/any/tcpopt.t.json.output
@@ -0,0 +1,32 @@
+# tcp option sack0 left 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "left",
+                    "name": "sack"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# tcp option sack0 right 1
+[
+    {
+        "match": {
+            "left": {
+                "tcp option": {
+                    "field": "right",
+                    "name": "sack"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    }
+]
+
diff --git a/tests/py/any/tcpopt.t.payload b/tests/py/any/tcpopt.t.payload
new file mode 100644
index 0000000..99b8985
--- /dev/null
+++ b/tests/py/any/tcpopt.t.payload
@@ -0,0 +1,202 @@
+# tcp option eol exists
+inet 
+  [ exthdr load tcpopt 1b @ 0 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# tcp option nop exists
+inet 
+  [ exthdr load tcpopt 1b @ 1 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# tcp option maxseg exists
+inet 
+  [ exthdr load tcpopt 1b @ 2 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# tcp option maxseg length 1
+inet 
+  [ exthdr load tcpopt 1b @ 2 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# tcp option maxseg size 1
+inet 
+  [ exthdr load tcpopt 2b @ 2 + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00000100 ]
+
+# tcp option window length 1
+inet 
+  [ exthdr load tcpopt 1b @ 3 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# tcp option window count 1
+inet 
+  [ exthdr load tcpopt 1b @ 3 + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# tcp option sack-perm exists
+inet 
+  [ exthdr load tcpopt 1b @ 4 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# tcp option sack-perm length 1
+inet 
+  [ exthdr load tcpopt 1b @ 4 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# tcp option sack exists
+inet 
+  [ exthdr load tcpopt 1b @ 5 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# tcp option sack length 1
+inet 
+  [ exthdr load tcpopt 1b @ 5 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# tcp option sack left 1
+inet 
+  [ exthdr load tcpopt 4b @ 5 + 2 => reg 1 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# tcp option sack0 left 1
+inet 
+  [ exthdr load tcpopt 4b @ 5 + 2 => reg 1 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# tcp option sack1 left 1
+inet 
+  [ exthdr load tcpopt 4b @ 5 + 10 => reg 1 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# tcp option sack2 left 1
+inet 
+  [ exthdr load tcpopt 4b @ 5 + 18 => reg 1 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# tcp option sack3 left 1
+inet 
+  [ exthdr load tcpopt 4b @ 5 + 26 => reg 1 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# tcp option sack right 1
+inet 
+  [ exthdr load tcpopt 4b @ 5 + 6 => reg 1 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# tcp option sack0 right 1
+inet 
+  [ exthdr load tcpopt 4b @ 5 + 6 => reg 1 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# tcp option sack1 right 1
+inet 
+  [ exthdr load tcpopt 4b @ 5 + 14 => reg 1 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# tcp option sack2 right 1
+inet 
+  [ exthdr load tcpopt 4b @ 5 + 22 => reg 1 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# tcp option sack3 right 1
+inet 
+  [ exthdr load tcpopt 4b @ 5 + 30 => reg 1 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# tcp option timestamp exists
+inet 
+  [ exthdr load tcpopt 1b @ 8 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# tcp option timestamp length 1
+inet 
+  [ exthdr load tcpopt 1b @ 8 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# tcp option timestamp tsval 1
+inet 
+  [ exthdr load tcpopt 4b @ 8 + 2 => reg 1 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# tcp option timestamp tsecr 1
+inet 
+  [ exthdr load tcpopt 4b @ 8 + 6 => reg 1 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# tcp option 255 missing
+inet
+  [ exthdr load tcpopt 1b @ 255 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# tcp option 6 exists
+inet
+  [ exthdr load tcpopt 1b @ 6 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# tcp option @255,8,8 255
+inet
+  [ exthdr load tcpopt 1b @ 255 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x000000ff ]
+
+# tcp option window exists
+inet 
+  [ exthdr load tcpopt 1b @ 3 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# tcp option window missing
+inet 
+  [ exthdr load tcpopt 1b @ 3 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# tcp option maxseg size set 1360
+inet 
+  [ immediate reg 1 0x00005005 ]
+  [ exthdr write tcpopt reg 1 => 2b @ 2 + 2 ]
+
+# tcp option md5sig exists
+inet
+  [ exthdr load tcpopt 1b @ 19 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# tcp option fastopen exists
+inet
+  [ exthdr load tcpopt 1b @ 34 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# tcp option mptcp exists
+inet
+  [ exthdr load tcpopt 1b @ 30 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# tcp option mptcp subtype 0
+inet
+  [ exthdr load tcpopt 1b @ 30 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# tcp option mptcp subtype 1
+inet
+  [ exthdr load tcpopt 1b @ 30 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000010 ]
+
+# tcp option mptcp subtype { 0, 2}
+__set%d test-inet 3 size 2
+__set%d test-inet 0
+	element 00000000  : 0 [end]	element 00000020  : 0 [end]
+inet
+  [ exthdr load tcpopt 1b @ 30 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+
+# reset tcp option mptcp
+ip test-ip4 input
+  [ exthdr reset tcpopt 30 ]
+
+# reset tcp option 2
+ip test-ip4 input
+  [ exthdr reset tcpopt 2 ]
+
+# reset tcp option 123
+ip test-ip4 input
+  [ exthdr reset tcpopt 123 ]
diff --git a/tests/py/arp/arp.t b/tests/py/arp/arp.t
new file mode 100644
index 0000000..222b91c
--- /dev/null
+++ b/tests/py/arp/arp.t
@@ -0,0 +1,60 @@
+# filter chains available are: input, output, forward
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*arp;test-arp;input
+*netdev;test-netdev;ingress,egress
+
+arp htype 1;ok
+arp htype != 1;ok
+arp htype 22;ok
+arp htype != 233;ok
+arp htype 33-45;ok
+arp htype != 33-45;ok
+arp htype { 33, 55, 67, 88};ok
+arp htype != { 33, 55, 67, 88};ok
+
+arp ptype 0x0800;ok;arp ptype ip
+
+arp hlen 22;ok
+arp hlen != 233;ok
+arp hlen 33-45;ok
+arp hlen != 33-45;ok
+arp hlen { 33, 55, 67, 88};ok
+arp hlen != { 33, 55, 67, 88};ok
+
+arp plen 22;ok
+arp plen != 233;ok
+arp plen 33-45;ok
+arp plen != 33-45;ok
+arp plen { 33, 55, 67, 88};ok
+arp plen != { 33, 55, 67, 88};ok
+
+arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request};ok
+arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request};ok
+arp operation 1-2;ok
+arp operation request;ok
+arp operation reply;ok
+arp operation rrequest;ok
+arp operation rreply;ok
+arp operation inrequest;ok
+arp operation inreply;ok
+arp operation nak;ok
+arp operation != request;ok
+arp operation != reply;ok
+arp operation != rrequest;ok
+arp operation != rreply;ok
+arp operation != inrequest;ok
+arp operation != inreply;ok
+arp operation != nak;ok
+
+arp saddr ip 1.2.3.4;ok
+arp daddr ip 4.3.2.1;ok
+arp saddr ether aa:bb:cc:aa:bb:cc;ok
+arp daddr ether aa:bb:cc:aa:bb:cc;ok
+
+arp saddr ip 192.168.1.1 arp daddr ether fe:ed:00:c0:ff:ee;ok
+arp daddr ether fe:ed:00:c0:ff:ee arp saddr ip 192.168.1.1;ok;arp saddr ip 192.168.1.1 arp daddr ether fe:ed:00:c0:ff:ee
+
+meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566;ok;iifname "invalid" arp htype 1 arp ptype ip arp hlen 6 arp plen 4 arp daddr ip 192.168.143.16 arp daddr ether set 11:22:33:44:55:66
diff --git a/tests/py/arp/arp.t.json b/tests/py/arp/arp.t.json
new file mode 100644
index 0000000..7ce7609
--- /dev/null
+++ b/tests/py/arp/arp.t.json
@@ -0,0 +1,893 @@
+# arp htype 1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "htype",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# arp htype != 1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "htype",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": 1
+        }
+    }
+]
+
+# arp htype 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "htype",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# arp htype != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "htype",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# arp htype 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "htype",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# arp htype != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "htype",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# arp htype { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "htype",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# arp htype != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "htype",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# arp ptype 0x0800
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "ptype",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": "0x0800"
+        }
+    }
+]
+
+# arp hlen 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hlen",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# arp hlen != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hlen",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# arp hlen 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hlen",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# arp hlen != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hlen",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# arp hlen { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hlen",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# arp hlen != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hlen",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# arp plen 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "plen",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# arp plen != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "plen",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# arp plen 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "plen",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# arp plen != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "plen",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# arp plen { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "plen",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# arp plen != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "plen",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "nak",
+                    "inreply",
+                    "inrequest",
+                    "rreply",
+                    "rrequest",
+                    "reply",
+                    "request"
+                ]
+            }
+        }
+    }
+]
+
+# arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "nak",
+                    "inreply",
+                    "inrequest",
+                    "rreply",
+                    "rrequest",
+                    "reply",
+                    "request"
+                ]
+            }
+        }
+    }
+]
+
+# arp operation 1-2
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [
+                    "request",
+                    "reply"
+                ]
+            }
+        }
+    }
+]
+
+# arp operation request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": "request"
+        }
+    }
+]
+
+# arp operation reply
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": "reply"
+        }
+    }
+]
+
+# arp operation rrequest
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": "rrequest"
+        }
+    }
+]
+
+# arp operation rreply
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": "rreply"
+        }
+    }
+]
+
+# arp operation inrequest
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": "inrequest"
+        }
+    }
+]
+
+# arp operation inreply
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": "inreply"
+        }
+    }
+]
+
+# arp operation nak
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": "nak"
+        }
+    }
+]
+
+# arp operation != request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": "request"
+        }
+    }
+]
+
+# arp operation != reply
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": "reply"
+        }
+    }
+]
+
+# arp operation != rrequest
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": "rrequest"
+        }
+    }
+]
+
+# arp operation != rreply
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": "rreply"
+        }
+    }
+]
+
+# arp operation != inrequest
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": "inrequest"
+        }
+    }
+]
+
+# arp operation != inreply
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": "inreply"
+        }
+    }
+]
+
+# arp operation != nak
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": "nak"
+        }
+    }
+]
+
+# arp saddr ip 1.2.3.4
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr ip",
+                    "protocol": "arp"
+                }
+            },
+            "op": "==",
+            "right": "1.2.3.4"
+        }
+    }
+]
+
+# arp daddr ip 4.3.2.1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr ip",
+                    "protocol": "arp"
+                }
+            },
+            "op": "==",
+            "right": "4.3.2.1"
+        }
+    }
+]
+
+# arp saddr ether aa:bb:cc:aa:bb:cc
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr ether",
+                    "protocol": "arp"
+                }
+            },
+            "op": "==",
+            "right": "aa:bb:cc:aa:bb:cc"
+        }
+    }
+]
+
+# arp daddr ether aa:bb:cc:aa:bb:cc
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr ether",
+                    "protocol": "arp"
+                }
+            },
+            "op": "==",
+            "right": "aa:bb:cc:aa:bb:cc"
+        }
+    }
+]
+
+# arp saddr ip 192.168.1.1 arp daddr ether fe:ed:00:c0:ff:ee
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr ip",
+                    "protocol": "arp"
+                }
+            },
+            "op": "==",
+            "right": "192.168.1.1"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr ether",
+                    "protocol": "arp"
+                }
+            },
+            "op": "==",
+            "right": "fe:ed:00:c0:ff:ee"
+        }
+    }
+]
+
+# arp daddr ether fe:ed:00:c0:ff:ee arp saddr ip 192.168.1.1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr ether",
+                    "protocol": "arp"
+                }
+            },
+            "op": "==",
+            "right": "fe:ed:00:c0:ff:ee"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr ip",
+                    "protocol": "arp"
+                }
+            },
+            "op": "==",
+            "right": "192.168.1.1"
+        }
+    }
+]
+
+# meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "invalid"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "ptype",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": "0x0800"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "htype",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hlen",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "plen",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": 4
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "base": "nh",
+                    "len": 32,
+                    "offset": 192
+                }
+            },
+	    "op": "==",
+            "right": "0xc0a88f10"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "base": "nh",
+                    "len": 48,
+                    "offset": 144
+                }
+            },
+            "value": "0x112233445566"
+        }
+    }
+]
+
diff --git a/tests/py/arp/arp.t.json.output b/tests/py/arp/arp.t.json.output
new file mode 100644
index 0000000..afa75b2
--- /dev/null
+++ b/tests/py/arp/arp.t.json.output
@@ -0,0 +1,180 @@
+# arp ptype 0x0800
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "ptype",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": "ip"
+        }
+    }
+]
+
+# arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "request",
+                    "reply",
+                    "rrequest",
+                    "rreply",
+                    "inrequest",
+                    "inreply",
+                    "nak"
+                ]
+            }
+        }
+    }
+]
+
+# arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "operation",
+                    "protocol": "arp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "request",
+                    "reply",
+                    "rrequest",
+                    "rreply",
+                    "inrequest",
+                    "inreply",
+                    "nak"
+                ]
+            }
+        }
+    }
+]
+
+# arp daddr ether fe:ed:00:c0:ff:ee arp saddr ip 192.168.1.1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr ip",
+                    "protocol": "arp"
+                }
+            },
+            "op": "==",
+            "right": "192.168.1.1"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr ether",
+                    "protocol": "arp"
+                }
+            },
+            "op": "==",
+            "right": "fe:ed:00:c0:ff:ee"
+        }
+    }
+]
+
+# meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "invalid"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "htype",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "ptype",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": "ip"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hlen",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "plen",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": 4
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr ip",
+                    "protocol": "arp"
+                }
+            },
+	    "op": "==",
+            "right": "192.168.143.16"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "daddr ether",
+                    "protocol": "arp"
+                }
+            },
+            "value": "11:22:33:44:55:66"
+        }
+    }
+]
+
diff --git a/tests/py/arp/arp.t.payload b/tests/py/arp/arp.t.payload
new file mode 100644
index 0000000..d56927b
--- /dev/null
+++ b/tests/py/arp/arp.t.payload
@@ -0,0 +1,261 @@
+# arp htype 1
+arp test-arp input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000100 ]
+
+# arp htype != 1
+arp test-arp input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000100 ]
+
+# arp htype 22
+arp test-arp input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# arp htype != 233
+arp test-arp input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# arp htype 33-45
+arp test-arp input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# arp htype != 33-45
+arp test-arp input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# arp htype { 33, 55, 67, 88}
+__set%d test-arp 3
+__set%d test-arp 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+arp test-arp input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# arp htype != { 33, 55, 67, 88}
+__set%d test-arp 3
+__set%d test-arp 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+arp test-arp input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# arp ptype 0x0800
+arp test-arp input
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# arp hlen 22
+arp test-arp input
+  [ payload load 1b @ network header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# arp hlen != 233
+arp test-arp input
+  [ payload load 1b @ network header + 4 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# arp hlen 33-45
+arp test-arp input
+  [ payload load 1b @ network header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# arp hlen != 33-45
+arp test-arp input
+  [ payload load 1b @ network header + 4 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# arp hlen { 33, 55, 67, 88}
+__set%d test-arp 3
+__set%d test-arp 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+arp test-arp input
+  [ payload load 1b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# arp hlen != { 33, 55, 67, 88}
+__set%d test-arp 3
+__set%d test-arp 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+arp test-arp input
+  [ payload load 1b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# arp plen 22
+arp test-arp input
+  [ payload load 1b @ network header + 5 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# arp plen != 233
+arp test-arp input
+  [ payload load 1b @ network header + 5 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# arp plen 33-45
+arp test-arp input
+  [ payload load 1b @ network header + 5 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# arp plen != 33-45
+arp test-arp input
+  [ payload load 1b @ network header + 5 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# arp plen { 33, 55, 67, 88}
+__set%d test-arp 3
+__set%d test-arp 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+arp test-arp input
+  [ payload load 1b @ network header + 5 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# arp plen != { 33, 55, 67, 88}
+__set%d test-arp 3
+__set%d test-arp 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+arp test-arp input
+  [ payload load 1b @ network header + 5 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}
+__set%d test-arp 3
+__set%d test-arp 0
+	element 00000a00  : 0 [end]	element 00000900  : 0 [end]	element 00000800  : 0 [end]	element 00000400  : 0 [end]	element 00000300  : 0 [end]	element 00000200  : 0 [end]	element 00000100  : 0 [end]
+arp test-arp input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request}
+__set%d test-arp 3
+__set%d test-arp 0
+	element 00000a00  : 0 [end]	element 00000900  : 0 [end]	element 00000800  : 0 [end]	element 00000400  : 0 [end]	element 00000300  : 0 [end]	element 00000200  : 0 [end]	element 00000100  : 0 [end]
+arp test-arp input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# arp operation 1-2
+arp test-arp input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00000100 ]
+  [ cmp lte reg 1 0x00000200 ]
+
+# arp operation request
+arp test-arp input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000100 ]
+
+# arp operation reply
+arp test-arp input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000200 ]
+
+# arp operation rrequest
+arp test-arp input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000300 ]
+
+# arp operation rreply
+arp test-arp input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000400 ]
+
+# arp operation inrequest
+arp test-arp input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000800 ]
+
+# arp operation inreply
+arp test-arp input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000900 ]
+
+# arp operation nak
+arp test-arp input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000a00 ]
+
+# arp operation != request
+arp test-arp input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x00000100 ]
+
+# arp operation != reply
+arp test-arp input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x00000200 ]
+
+# arp operation != rrequest
+arp test-arp input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x00000300 ]
+
+# arp operation != rreply
+arp test-arp input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x00000400 ]
+
+# arp operation != inrequest
+arp test-arp input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x00000800 ]
+
+# arp operation != inreply
+arp test-arp input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x00000900 ]
+
+# arp operation != nak
+arp test-arp input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x00000a00 ]
+
+# meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566
+arp test-arp input
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x61766e69 0x0064696c 0x00000000 0x00000000 ]
+  [ payload load 4b @ network header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00080100 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00000406 ]
+  [ payload load 4b @ network header + 24 => reg 1 ]
+  [ cmp eq reg 1 0x108fa8c0 ]
+  [ immediate reg 1 0x44332211 0x00006655 ]
+  [ payload write reg 1 => 6b @ network header + 18 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# arp saddr ip 1.2.3.4
+arp test-arp input 
+  [ payload load 4b @ network header + 14 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+
+# arp daddr ip 4.3.2.1
+arp test-arp input 
+  [ payload load 4b @ network header + 24 => reg 1 ]
+  [ cmp eq reg 1 0x01020304 ]
+
+# arp saddr ether aa:bb:cc:aa:bb:cc
+arp test-arp input 
+  [ payload load 6b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0xaaccbbaa 0x0000ccbb ]
+
+# arp daddr ether aa:bb:cc:aa:bb:cc
+arp test-arp input 
+  [ payload load 6b @ network header + 18 => reg 1 ]
+  [ cmp eq reg 1 0xaaccbbaa 0x0000ccbb ]
+
+# arp saddr ip 192.168.1.1 arp daddr ether fe:ed:00:c0:ff:ee
+arp 
+  [ payload load 10b @ network header + 14 => reg 1 ]
+  [ cmp eq reg 1 0x0101a8c0 0xc000edfe 0x0000eeff ]
+
+# arp daddr ether fe:ed:00:c0:ff:ee arp saddr ip 192.168.1.1
+arp 
+  [ payload load 10b @ network header + 14 => reg 1 ]
+  [ cmp eq reg 1 0x0101a8c0 0xc000edfe 0x0000eeff ]
+
diff --git a/tests/py/arp/arp.t.payload.netdev b/tests/py/arp/arp.t.payload.netdev
new file mode 100644
index 0000000..92df240
--- /dev/null
+++ b/tests/py/arp/arp.t.payload.netdev
@@ -0,0 +1,351 @@
+# arp htype 1
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000100 ]
+
+# arp htype != 1
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000100 ]
+
+# arp htype 22
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# arp htype != 233
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# arp htype 33-45
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# arp htype != 33-45
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# arp htype { 33, 55, 67, 88}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# arp htype != { 33, 55, 67, 88}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# arp ptype 0x0800
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# arp hlen 22
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 1b @ network header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# arp hlen != 233
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 1b @ network header + 4 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# arp hlen 33-45
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 1b @ network header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# arp hlen != 33-45
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 1b @ network header + 4 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# arp hlen { 33, 55, 67, 88}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 1b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# arp hlen != { 33, 55, 67, 88}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 1b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# arp plen 22
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 1b @ network header + 5 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# arp plen != 233
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 1b @ network header + 5 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# arp plen 33-45
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 1b @ network header + 5 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# arp plen != 33-45
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 1b @ network header + 5 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# arp plen { 33, 55, 67, 88}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 1b @ network header + 5 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# arp plen != { 33, 55, 67, 88}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 1b @ network header + 5 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00000a00  : 0 [end]	element 00000900  : 0 [end]	element 00000800  : 0 [end]	element 00000400  : 0 [end]	element 00000300  : 0 [end]	element 00000200  : 0 [end]	element 00000100  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00000a00  : 0 [end]	element 00000900  : 0 [end]	element 00000800  : 0 [end]	element 00000400  : 0 [end]	element 00000300  : 0 [end]	element 00000200  : 0 [end]	element 00000100  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# arp operation 1-2
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00000100 ]
+  [ cmp lte reg 1 0x00000200 ]
+
+# arp operation request
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000100 ]
+
+# arp operation reply
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000200 ]
+
+# arp operation rrequest
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000300 ]
+
+# arp operation rreply
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000400 ]
+
+# arp operation inrequest
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000800 ]
+
+# arp operation inreply
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000900 ]
+
+# arp operation nak
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000a00 ]
+
+# arp operation != request
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x00000100 ]
+
+# arp operation != reply
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x00000200 ]
+
+# arp operation != rrequest
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x00000300 ]
+
+# arp operation != rreply
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x00000400 ]
+
+# arp operation != inrequest
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x00000800 ]
+
+# arp operation != inreply
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x00000900 ]
+
+# arp operation != nak
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x00000a00 ]
+
+# meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566
+netdev test-netdev ingress
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x61766e69 0x0064696c 0x00000000 0x00000000 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 4b @ network header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00080100 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00000406 ]
+  [ payload load 4b @ network header + 24 => reg 1 ]
+  [ cmp eq reg 1 0x108fa8c0 ]
+  [ immediate reg 1 0x44332211 0x00006655 ]
+  [ payload write reg 1 => 6b @ network header + 18 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# arp saddr ip 1.2.3.4
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 4b @ network header + 14 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+
+# arp daddr ip 4.3.2.1
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 4b @ network header + 24 => reg 1 ]
+  [ cmp eq reg 1 0x01020304 ]
+
+# arp saddr ether aa:bb:cc:aa:bb:cc
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 6b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0xaaccbbaa 0x0000ccbb ]
+
+# arp daddr ether aa:bb:cc:aa:bb:cc
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 6b @ network header + 18 => reg 1 ]
+  [ cmp eq reg 1 0xaaccbbaa 0x0000ccbb ]
+
+# arp saddr ip 192.168.1.1 arp daddr ether fe:ed:00:c0:ff:ee
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 10b @ network header + 14 => reg 1 ]
+  [ cmp eq reg 1 0x0101a8c0 0xc000edfe 0x0000eeff ]
+
+# arp daddr ether fe:ed:00:c0:ff:ee arp saddr ip 192.168.1.1
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 10b @ network header + 14 => reg 1 ]
+  [ cmp eq reg 1 0x0101a8c0 0xc000edfe 0x0000eeff ]
+
diff --git a/tests/py/arp/chains.t b/tests/py/arp/chains.t
new file mode 100644
index 0000000..1ea39f7
--- /dev/null
+++ b/tests/py/arp/chains.t
@@ -0,0 +1,5 @@
+# filter chains available are: input, output
+:input;type filter hook input priority 0
+:output;type filter hook output priority 0
+
+*arp;test-arp;input,output
diff --git a/tests/py/arp/chains.t.payload b/tests/py/arp/chains.t.payload
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/py/arp/chains.t.payload
diff --git a/tests/py/bridge/chains.t b/tests/py/bridge/chains.t
new file mode 100644
index 0000000..e071d9a
--- /dev/null
+++ b/tests/py/bridge/chains.t
@@ -0,0 +1,8 @@
+# filter chains available are: prerouting, input, output, forward, postrouting
+:filter-pre;type filter hook prerouting priority 0
+:filter-output;type filter hook output priority 0
+:filter-forward;type filter hook forward priority 0
+:filter-input;type filter hook input priority 0
+:filter-post;type filter hook postrouting priority 0
+
+*bridge;test-bridge;filter-pre,filter-output,filter-forward,filter-input,filter-post
diff --git a/tests/py/bridge/chains.t.payload b/tests/py/bridge/chains.t.payload
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/py/bridge/chains.t.payload
diff --git a/tests/py/bridge/ether.t b/tests/py/bridge/ether.t
new file mode 100644
index 0000000..e4f75d1
--- /dev/null
+++ b/tests/py/bridge/ether.t
@@ -0,0 +1,12 @@
+:input;type filter hook input priority 0
+
+*bridge;test-bridge;input
+
+tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04 accept
+tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04;ok
+tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4;ok
+ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept;ok
+
+ether daddr 00:01:02:03:04:05 ether saddr set ff:fe:dc:ba:98:76 drop;ok
+
+ether daddr set {01:00:5e:00:01:01, 01:00:5e:00:02:02};fail
diff --git a/tests/py/bridge/ether.t.json b/tests/py/bridge/ether.t.json
new file mode 100644
index 0000000..485ceee
--- /dev/null
+++ b/tests/py/bridge/ether.t.json
@@ -0,0 +1,193 @@
+# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iiftype" }
+            },
+	    "op": "==",
+            "right": "ether"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    }
+]
+
+# tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    }
+]
+
+# ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ether daddr 00:01:02:03:04:05 ether saddr set ff:fe:dc:ba:98:76 drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:01:02:03:04:05"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+            "value": "ff:fe:dc:ba:98:76"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
diff --git a/tests/py/bridge/ether.t.json.output b/tests/py/bridge/ether.t.json.output
new file mode 100644
index 0000000..5bb2e47
--- /dev/null
+++ b/tests/py/bridge/ether.t.json.output
@@ -0,0 +1,43 @@
+# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": "1.2.3.4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
diff --git a/tests/py/bridge/ether.t.payload b/tests/py/bridge/ether.t.payload
new file mode 100644
index 0000000..eaff9c3
--- /dev/null
+++ b/tests/py/bridge/ether.t.payload
@@ -0,0 +1,60 @@
+# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept
+bridge test-bridge input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+  [ immediate reg 0 accept ]
+
+# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04
+bridge test-bridge input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+
+# tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4
+bridge test-bridge input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+
+# ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept
+bridge test-bridge input
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ immediate reg 0 accept ]
+
+# ether daddr 00:01:02:03:04:05 ether saddr set ff:fe:dc:ba:98:76 drop
+bridge test-bridge input
+  [ payload load 6b @ link header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x03020100 0x00000504 ]
+  [ immediate reg 1 0xbadcfeff 0x00007698 ]
+  [ payload write reg 1 => 6b @ link header + 6 csum_type 0 csum_off 0 csum_flags 0x0 ]
+  [ immediate reg 0 drop ]
+
diff --git a/tests/py/bridge/icmpX.t b/tests/py/bridge/icmpX.t
new file mode 100644
index 0000000..7c35c26
--- /dev/null
+++ b/tests/py/bridge/icmpX.t
@@ -0,0 +1,8 @@
+:input;type filter hook input priority 0
+
+*bridge;test-bridge;input
+
+ip protocol icmp icmp type echo-request;ok;ip protocol 1 icmp type echo-request
+icmp type echo-request;ok
+ip6 nexthdr icmpv6 icmpv6 type echo-request;ok;ip6 nexthdr 58 icmpv6 type echo-request
+icmpv6 type echo-request;ok
diff --git a/tests/py/bridge/icmpX.t.json b/tests/py/bridge/icmpX.t.json
new file mode 100644
index 0000000..2dd341e
--- /dev/null
+++ b/tests/py/bridge/icmpX.t.json
@@ -0,0 +1,88 @@
+# ip protocol icmp icmp type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "icmp"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# icmp type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# ip6 nexthdr icmpv6 icmpv6 type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "icmpv6"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# icmpv6 type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
diff --git a/tests/py/bridge/icmpX.t.json.output b/tests/py/bridge/icmpX.t.json.output
new file mode 100644
index 0000000..8cf4679
--- /dev/null
+++ b/tests/py/bridge/icmpX.t.json.output
@@ -0,0 +1,56 @@
+# ip protocol icmp icmp type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# ip6 nexthdr icmpv6 icmpv6 type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": 58
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
diff --git a/tests/py/bridge/icmpX.t.payload b/tests/py/bridge/icmpX.t.payload
new file mode 100644
index 0000000..f9ea7b6
--- /dev/null
+++ b/tests/py/bridge/icmpX.t.payload
@@ -0,0 +1,36 @@
+# ip protocol icmp icmp type echo-request
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# icmp type echo-request
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# ip6 nexthdr icmpv6 icmpv6 type echo-request
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000080 ]
+
+# icmpv6 type echo-request
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000080 ]
+
diff --git a/tests/py/bridge/meta.t b/tests/py/bridge/meta.t
new file mode 100644
index 0000000..171aa61
--- /dev/null
+++ b/tests/py/bridge/meta.t
@@ -0,0 +1,13 @@
+:input;type filter hook input priority 0
+
+*bridge;test-bridge;input
+
+meta obrname "br0";ok
+meta ibrname "br0";ok
+meta ibrvproto vlan;ok;meta ibrvproto 8021q
+meta ibrpvid 100;ok
+
+meta protocol ip udp dport 67;ok
+meta protocol ip6 udp dport 67;ok
+
+meta broute set 1;fail
diff --git a/tests/py/bridge/meta.t.json b/tests/py/bridge/meta.t.json
new file mode 100644
index 0000000..d7dc9d7
--- /dev/null
+++ b/tests/py/bridge/meta.t.json
@@ -0,0 +1,105 @@
+# meta obrname "br0"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "obrname" }
+            },
+	    "op": "==",
+            "right": "br0"
+        }
+    }
+]
+
+# meta ibrname "br0"
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "ibrname" }
+            },
+	    "op": "==",
+            "right": "br0"
+        }
+    }
+]
+
+# meta ibrvproto vlan
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "ibrvproto" }
+            },
+	    "op": "==",
+            "right": "8021q"
+        }
+    }
+]
+
+# meta ibrpvid 100
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "ibrpvid" }
+            },
+	    "op": "==",
+            "right": 100
+        }
+    }
+]
+
+# meta protocol ip udp dport 67
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "protocol"
+                }
+            },
+            "op": "==",
+            "right": "ip"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 67
+        }
+    }
+]
+
+# meta protocol ip6 udp dport 67
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "protocol"
+                }
+            },
+            "op": "==",
+            "right": "ip6"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 67
+        }
+    }
+]
diff --git a/tests/py/bridge/meta.t.payload b/tests/py/bridge/meta.t.payload
new file mode 100644
index 0000000..0a39842
--- /dev/null
+++ b/tests/py/bridge/meta.t.payload
@@ -0,0 +1,37 @@
+# meta obrname "br0"
+bridge test-bridge input
+  [ meta load bri_oifname => reg 1 ]
+  [ cmp eq reg 1 0x00307262 0x00000000 0x00000000 0x00000000 ]
+
+# meta ibrname "br0"
+bridge test-bridge input
+  [ meta load bri_iifname => reg 1 ]
+  [ cmp eq reg 1 0x00307262 0x00000000 0x00000000 0x00000000 ]
+
+# meta ibrvproto vlan
+bridge test-bridge input
+  [ meta load bri_iifvproto => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+
+# meta ibrpvid 100
+bridge test-bridge input
+  [ meta load bri_iifpvid => reg 1 ]
+  [ cmp eq reg 1 0x00000064 ]
+
+# meta protocol ip udp dport 67
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00004300 ]
+
+# meta protocol ip6 udp dport 67
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00004300 ]
diff --git a/tests/py/bridge/redirect.t b/tests/py/bridge/redirect.t
new file mode 100644
index 0000000..5181e79
--- /dev/null
+++ b/tests/py/bridge/redirect.t
@@ -0,0 +1,5 @@
+:prerouting;type filter hook prerouting priority 0
+
+*bridge;test-bridge;prerouting
+
+meta broute set 1;ok
diff --git a/tests/py/bridge/redirect.t.json b/tests/py/bridge/redirect.t.json
new file mode 100644
index 0000000..7e32b32
--- /dev/null
+++ b/tests/py/bridge/redirect.t.json
@@ -0,0 +1,12 @@
+# meta broute set 1
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "broute" }
+            },
+            "value": 1
+        }
+    }
+]
+
diff --git a/tests/py/bridge/redirect.t.payload b/tests/py/bridge/redirect.t.payload
new file mode 100644
index 0000000..1fcfa5f
--- /dev/null
+++ b/tests/py/bridge/redirect.t.payload
@@ -0,0 +1,4 @@
+# meta broute set 1
+bridge test-bridge prerouting
+  [ immediate reg 1 0x00000001 ]
+  [ meta set broute with reg 1 ]
diff --git a/tests/py/bridge/reject.t b/tests/py/bridge/reject.t
new file mode 100644
index 0000000..336b51b
--- /dev/null
+++ b/tests/py/bridge/reject.t
@@ -0,0 +1,42 @@
+:input;type filter hook input priority 0
+
+*bridge;test-bridge;input
+
+# The output is specific for bridge family
+reject with icmp host-unreachable;ok
+reject with icmp net-unreachable;ok
+reject with icmp prot-unreachable;ok
+reject with icmp port-unreachable;ok
+reject with icmp net-prohibited;ok
+reject with icmp host-prohibited;ok
+reject with icmp admin-prohibited;ok
+
+reject with icmpv6 no-route;ok
+reject with icmpv6 admin-prohibited;ok
+reject with icmpv6 addr-unreachable;ok
+reject with icmpv6 port-unreachable;ok
+
+mark 12345 ip protocol tcp reject with tcp reset;ok;meta mark 0x00003039 ip protocol 6 reject with tcp reset
+
+reject;ok
+ether type ip reject;ok;reject with icmp port-unreachable
+ether type ip6 reject;ok;reject with icmpv6 port-unreachable
+
+reject with icmpx host-unreachable;ok
+reject with icmpx no-route;ok
+reject with icmpx admin-prohibited;ok
+reject with icmpx port-unreachable;ok;reject
+
+ether type ipv6 reject with icmp host-unreachable;fail
+ether type ip6 reject with icmp host-unreachable;fail
+ether type ip reject with icmpv6 no-route;fail
+ether type vlan reject;ok;ether type 8021q reject
+ether type arp reject;fail
+ether type vlan reject with tcp reset;ok;meta l4proto 6 ether type 8021q reject with tcp reset
+ether type arp reject with tcp reset;fail
+ip protocol udp reject with tcp reset;fail
+
+ether type ip reject with icmpx admin-prohibited;ok
+ether type ip6 reject with icmpx admin-prohibited;ok
+ether type 8021q reject with icmpx admin-prohibited;ok
+ether type arp reject with icmpx admin-prohibited;fail
diff --git a/tests/py/bridge/reject.t.json b/tests/py/bridge/reject.t.json
new file mode 100644
index 0000000..9f9e6c1
--- /dev/null
+++ b/tests/py/bridge/reject.t.json
@@ -0,0 +1,341 @@
+# reject with icmp host-unreachable
+[
+    {
+        "reject": {
+            "expr": "host-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp net-unreachable
+[
+    {
+        "reject": {
+            "expr": "net-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp prot-unreachable
+[
+    {
+        "reject": {
+            "expr": "prot-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp port-unreachable
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp net-prohibited
+[
+    {
+        "reject": {
+            "expr": "net-prohibited",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp host-prohibited
+[
+    {
+        "reject": {
+            "expr": "host-prohibited",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp admin-prohibited
+[
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmpv6 no-route
+[
+    {
+        "reject": {
+            "expr": "no-route",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 admin-prohibited
+[
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 addr-unreachable
+[
+    {
+        "reject": {
+            "expr": "addr-unreachable",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 port-unreachable
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# mark 12345 ip protocol tcp reject with tcp reset
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "mark" }
+            },
+	    "op": "==",
+            "right": 12345
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "tcp"
+        }
+    },
+    {
+        "reject": {
+            "type": "tcp reset"
+        }
+    }
+]
+
+# reject
+[
+    {
+        "reject": null
+    }
+]
+
+# ether type ip reject
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "ip"
+        }
+    },
+    {
+        "reject": null
+    }
+]
+
+# ether type ip6 reject
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "ip6"
+        }
+    },
+    {
+        "reject": null
+    }
+]
+
+# reject with icmpx host-unreachable
+[
+    {
+        "reject": {
+            "expr": "host-unreachable",
+            "type": "icmpx"
+        }
+    }
+]
+
+# reject with icmpx no-route
+[
+    {
+        "reject": {
+            "expr": "no-route",
+            "type": "icmpx"
+        }
+    }
+]
+
+# reject with icmpx admin-prohibited
+[
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
+
+# reject with icmpx port-unreachable
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmpx"
+        }
+    }
+]
+
+# ether type ip reject with icmpx admin-prohibited
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "ip"
+        }
+    },
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
+
+# ether type ip6 reject with icmpx admin-prohibited
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "ip6"
+        }
+    },
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
+
+# ether type vlan reject with tcp reset
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "8021q"
+        }
+    },
+    {
+        "reject": {
+            "type": "tcp reset"
+        }
+    }
+]
+
+# ether type vlan reject
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "vlan"
+        }
+    },
+    {
+        "reject": null
+    }
+]
+
+# ether type 8021q reject with icmpx admin-prohibited
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "8021q"
+        }
+    },
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
diff --git a/tests/py/bridge/reject.t.json.output b/tests/py/bridge/reject.t.json.output
new file mode 100644
index 0000000..b8a44f0
--- /dev/null
+++ b/tests/py/bridge/reject.t.json.output
@@ -0,0 +1,83 @@
+# mark 12345 ip protocol tcp reject with tcp reset
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "op": "==",
+            "right": 12345
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "reject": {
+            "type": "tcp reset"
+        }
+    }
+]
+
+# reject
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmpx"
+        }
+    }
+]
+
+# ether type ip reject
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# ether type ip6 reject
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# ether type vlan reject
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "8021q"
+        }
+    },
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmpx"
+        }
+    }
+]
diff --git a/tests/py/bridge/reject.t.payload b/tests/py/bridge/reject.t.payload
new file mode 100644
index 0000000..bad9adc
--- /dev/null
+++ b/tests/py/bridge/reject.t.payload
@@ -0,0 +1,140 @@
+# reject with icmp host-unreachable
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 0 code 1 ]
+
+# reject with icmp net-unreachable
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 0 code 0 ]
+
+# reject with icmp prot-unreachable
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 0 code 2 ]
+
+# reject with icmp port-unreachable
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 0 code 3 ]
+
+# reject with icmp net-prohibited
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 0 code 9 ]
+
+# reject with icmp host-prohibited
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 0 code 10 ]
+
+# reject with icmp admin-prohibited
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 0 code 13 ]
+
+# reject with icmpv6 no-route
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ reject type 0 code 0 ]
+
+# reject with icmpv6 admin-prohibited
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ reject type 0 code 1 ]
+
+# reject with icmpv6 addr-unreachable
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ reject type 0 code 3 ]
+
+# reject with icmpv6 port-unreachable
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ reject type 0 code 4 ]
+
+# mark 12345 ip protocol tcp reject with tcp reset
+bridge test-bridge input
+  [ meta load mark => reg 1 ]
+  [ cmp eq reg 1 0x00003039 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ reject type 1 code 0 ]
+
+# reject
+bridge test-bridge input
+  [ reject type 2 code 1 ]
+
+# ether type ip reject
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 0 code 3 ]
+
+# ether type ip6 reject
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ reject type 0 code 4 ]
+
+# reject with icmpx host-unreachable
+bridge test-bridge input
+  [ reject type 2 code 2 ]
+
+# reject with icmpx no-route
+bridge test-bridge input
+  [ reject type 2 code 0 ]
+
+# reject with icmpx admin-prohibited
+bridge test-bridge input
+  [ reject type 2 code 3 ]
+
+# reject with icmpx port-unreachable
+bridge test-bridge input
+  [ reject type 2 code 1 ]
+
+# ether type ip reject with icmpx admin-prohibited
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 2 code 3 ]
+
+# ether type ip6 reject with icmpx admin-prohibited
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ reject type 2 code 3 ]
+
+# ether type vlan reject
+bridge
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ reject type 2 code 1 ]
+
+# ether type vlan reject with tcp reset
+bridge
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ reject type 1 code 0 ]
+
+# ether type 8021q reject with icmpx admin-prohibited
+bridge
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ reject type 2 code 3 ]
+
diff --git a/tests/py/bridge/vlan.t b/tests/py/bridge/vlan.t
new file mode 100644
index 0000000..8fa90da
--- /dev/null
+++ b/tests/py/bridge/vlan.t
@@ -0,0 +1,56 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*bridge;test-bridge;input
+*netdev;test-netdev;ingress,egress
+
+vlan id 4094;ok
+vlan id 0;ok
+# bad vlan id
+vlan id 4096;fail
+vlan id 4094 vlan dei 0;ok
+vlan id 4094 vlan dei 1;ok
+vlan id 4094 vlan dei != 1;ok
+vlan id 4094 vlan cfi 1;ok;vlan id 4094 vlan dei 1
+# bad dei
+vlan id 4094 vlan dei 2;fail
+vlan id 4094 vlan dei 1 vlan pcp 8;fail
+vlan id 4094 vlan dei 1 vlan pcp 7;ok
+vlan id 4094 vlan dei 1 vlan pcp 3;ok
+
+ether type vlan vlan id 4094;ok;vlan id 4094
+ether type vlan vlan id 0;ok;vlan id 0
+ether type vlan vlan id 4094 vlan dei 0;ok;vlan id 4094 vlan dei 0
+ether type vlan vlan id 4094 vlan dei 1;ok;vlan id 4094 vlan dei 1
+ether type vlan vlan id 4094 vlan dei 2;fail
+
+vlan id 4094 tcp dport 22;ok
+vlan id 1 ip saddr 10.0.0.1;ok
+vlan id 1 ip saddr 10.0.0.0/23;ok
+vlan id 1 ip saddr 10.0.0.0/23 udp dport 53;ok
+ether type vlan vlan id 1 ip saddr 10.0.0.0/23 udp dport 53;ok;vlan id 1 ip saddr 10.0.0.0/23 udp dport 53
+
+vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3;ok
+vlan id { 1, 2, 4, 100, 4096 };fail
+
+ether type vlan ip protocol 1 accept;ok;ether type 8021q ip protocol 1 accept
+
+# IEEE 802.1AD
+ether type 8021ad vlan id 1 ip protocol 6 accept;ok
+ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter;ok
+ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6;ok;ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 ip protocol 6
+
+# illegal dependencies
+ether type ip vlan id 1;fail
+ether type ip vlan id 1 ip saddr 10.0.0.1;fail
+
+# mangling
+vlan id 1 vlan id set 2;ok
+
+ether saddr 00:01:02:03:04:05 vlan id 1;ok
+vlan id 2 ether saddr 0:1:2:3:4:6;ok;ether saddr 00:01:02:03:04:06 vlan id 2
+
+ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 };ok
+
+ether saddr 00:11:22:33:44:55 counter ether type 8021q;ok
diff --git a/tests/py/bridge/vlan.t.json b/tests/py/bridge/vlan.t.json
new file mode 100644
index 0000000..7dfcdb4
--- /dev/null
+++ b/tests/py/bridge/vlan.t.json
@@ -0,0 +1,894 @@
+# vlan id 4094
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 4094
+        }
+    }
+]
+
+# vlan id 0
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# vlan id 4094 vlan dei 0
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 4094
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dei",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# vlan id 4094 vlan dei 1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 4094
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dei",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# vlan id 4094 vlan dei != 1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 4094
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dei",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "!=",
+            "right": 1
+        }
+    }
+]
+
+# vlan id 4094 vlan cfi 1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 4094
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dei",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# vlan id 4094 vlan dei 1 vlan pcp 7
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 4094
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dei",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "pcp",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 7
+        }
+    }
+]
+
+# vlan id 4094 vlan dei 1 vlan pcp 3
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 4094
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dei",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "pcp",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 3
+        }
+    }
+]
+
+# ether type vlan vlan id 4094
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 4094
+        }
+    }
+]
+
+# ether type vlan vlan id 0
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# ether type vlan vlan id 4094 vlan dei 0
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 4094
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dei",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# ether type vlan vlan id 4094 vlan dei 1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 4094
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dei",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# vlan id 4094 tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 4094
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# vlan id 1 ip saddr 10.0.0.1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "10.0.0.1"
+        }
+    }
+]
+
+# vlan id 1 ip saddr 10.0.0.0/23
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "prefix": {
+                    "addr": "10.0.0.0",
+                    "len": 23
+                }
+            }
+        }
+    }
+]
+
+# vlan id 1 ip saddr 10.0.0.0/23 udp dport 53
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "prefix": {
+                    "addr": "10.0.0.0",
+                    "len": 23
+                }
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    }
+]
+
+# ether type vlan vlan id 1 ip saddr 10.0.0.0/23 udp dport 53
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "prefix": {
+                    "addr": "10.0.0.0",
+                    "len": 23
+                }
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    }
+]
+
+# vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    1,
+                    2,
+                    4,
+                    100,
+                    4095
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "pcp",
+                    "protocol": "vlan"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 1, 3 ]
+            }
+        }
+    }
+]
+
+# ether type vlan ip protocol 1 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "vlan"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": "icmp"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ether type 8021ad vlan id 1 ip protocol 6 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "8021ad"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": "tcp"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "8021ad"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": "8021q"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": "ip"
+        }
+    },
+    {
+        "counter": {
+            "bytes": 0,
+            "packets": 0
+        }
+    }
+]
+
+# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "8021ad"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": "8021q"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": "tcp"
+        }
+    }
+]
+
+# vlan id 1 vlan id set 2
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "value": 2
+        }
+    }
+]
+
+# ether saddr 00:01:02:03:04:05 vlan id 1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "00:01:02:03:04:05"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# vlan id 2 ether saddr 0:1:2:3:4:6
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "00:01:02:03:04:06"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    }
+]
+
+# ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 }
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ether"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "id",
+                            "protocol": "vlan"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "0a:0b:0c:0d:0e:0f",
+                            42
+                        ]
+                    },
+                    {
+                        "concat": [
+                            "0a:0b:0c:0d:0e:0f",
+                            4095
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# ether saddr 00:11:22:33:44:55 counter ether type 8021q
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "00:11:22:33:44:55"
+        }
+    },
+    {
+        "counter": {
+            "bytes": 0,
+            "packets": 0
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "8021q"
+        }
+    }
+]
diff --git a/tests/py/bridge/vlan.t.json.output b/tests/py/bridge/vlan.t.json.output
new file mode 100644
index 0000000..2f90c8f
--- /dev/null
+++ b/tests/py/bridge/vlan.t.json.output
@@ -0,0 +1,204 @@
+# ether type vlan ip protocol 1 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "8021q"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ether type 8021ad vlan id 1 ip protocol 6 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "8021ad"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "8021ad"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": "8021q"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": "ip"
+        }
+    },
+    {
+        "counter": null
+    }
+]
+
+# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "8021ad"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": "8021q"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    }
+]
diff --git a/tests/py/bridge/vlan.t.payload b/tests/py/bridge/vlan.t.payload
new file mode 100644
index 0000000..2592bb9
--- /dev/null
+++ b/tests/py/bridge/vlan.t.payload
@@ -0,0 +1,314 @@
+# vlan id 4094
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+
+# vlan id 0
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# vlan id 4094 vlan cfi 1
+bridge
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000010 ]
+
+# vlan id 4094 vlan dei 0
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# vlan id 4094 vlan dei != 1
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000010 ]
+
+# vlan id 4094 vlan dei 1
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000010 ]
+
+# ether type vlan vlan id 4094
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+
+# ether type vlan vlan id 0
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# ether type vlan vlan id 4094 vlan dei 0
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# ether type vlan vlan id 4094 vlan dei 1
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000010 ]
+
+# vlan id 4094 tcp dport 22
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# vlan id 1 ip saddr 10.0.0.1
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0100000a ]
+
+# vlan id 1 ip saddr 10.0.0.0/23
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00feffff ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000000a ]
+
+# vlan id 1 ip saddr 10.0.0.0/23 udp dport 53
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00feffff ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+
+# ether type vlan vlan id 1 ip saddr 10.0.0.0/23 udp dport 53
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00feffff ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+
+# vlan id 4094 vlan dei 1 vlan pcp 7
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000010 ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000e0 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x000000e0 ]
+
+# vlan id 4094 vlan dei 1 vlan pcp 3
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000010 ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000e0 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000060 ]
+
+# vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3
+__set%d test-bridge 3
+__set%d test-bridge 0
+	element 00000100  : 0 [end]	element 00000200  : 0 [end]	element 00000400  : 0 [end]	element 00006400  : 0 [end]	element 0000ff0f  : 0 [end]
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000e0 ) ^ 0x00000000 ]
+  [ cmp gte reg 1 0x00000020 ]
+  [ cmp lte reg 1 0x00000060 ]
+
+# ether type vlan ip protocol 1 accept
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ immediate reg 0 accept ]
+
+# ether type 8021ad vlan id 1 ip protocol 6 accept
+bridge
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0000a888 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 0 accept ]
+
+# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter
+bridge
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0000a888 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 18 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000200 ]
+  [ payload load 2b @ link header + 20 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ counter pkts 0 bytes 0 ]
+
+# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6
+bridge
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0000a888 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 18 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000200 ]
+  [ payload load 2b @ link header + 20 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+
+# vlan id 1 vlan id set 2
+bridge
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000200 ]
+  [ payload write reg 1 => 2b @ link header + 14 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# ether saddr 00:01:02:03:04:05 vlan id 1
+bridge test-bridge input
+  [ payload load 8b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x03020100 0x00810504 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+
+# vlan id 2 ether saddr 0:1:2:3:4:6
+bridge test-bridge input
+  [ payload load 8b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x03020100 0x00810604 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000200 ]
+
+# ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 }
+__set%d test-bridge 3 size 2
+__set%d test-bridge 0
+	element 0d0c0b0a 00000f0e 00002a00  : 0 [end]	element 0d0c0b0a 00000f0e 0000ff0f  : 0 [end]
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ payload load 2b @ link header + 14 => reg 10 ]
+  [ bitwise reg 10 = ( reg 10 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+
+# ether saddr 00:11:22:33:44:55 counter ether type 8021q
+bridge test-bridge input
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x33221100 0x00005544 ]
+  [ counter pkts 0 bytes 0 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
diff --git a/tests/py/bridge/vlan.t.payload.netdev b/tests/py/bridge/vlan.t.payload.netdev
new file mode 100644
index 0000000..f334194
--- /dev/null
+++ b/tests/py/bridge/vlan.t.payload.netdev
@@ -0,0 +1,368 @@
+# vlan id 4094
+netdev test-netdev ingress 
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+
+# vlan id 0
+netdev test-netdev ingress 
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# vlan id 4094 vlan dei 0
+netdev test-netdev ingress 
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# vlan id 4094 vlan dei != 1
+netdev test-netdev ingress 
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000010 ]
+
+# vlan id 4094 vlan cfi 1
+netdev
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000010 ]
+
+# vlan id 4094 vlan dei 1
+netdev test-netdev ingress 
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000010 ]
+
+# ether type vlan vlan id 4094
+netdev test-netdev ingress 
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+
+# ether type vlan vlan id 0
+netdev test-netdev ingress 
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# ether type vlan vlan id 4094 vlan dei 0
+netdev test-netdev ingress 
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# ether type vlan vlan id 4094 vlan dei 1
+netdev test-netdev ingress 
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000010 ]
+
+# vlan id 4094 tcp dport 22
+netdev test-netdev ingress 
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# vlan id 1 ip saddr 10.0.0.1
+netdev test-netdev ingress 
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0100000a ]
+
+# vlan id 1 ip saddr 10.0.0.0/23
+netdev test-netdev ingress 
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00feffff ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000000a ]
+
+# vlan id 1 ip saddr 10.0.0.0/23 udp dport 53
+netdev test-netdev ingress 
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00feffff ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+
+# ether type vlan vlan id 1 ip saddr 10.0.0.0/23 udp dport 53
+netdev test-netdev ingress 
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00feffff ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+
+# vlan id 4094 vlan dei 1 vlan pcp 7
+netdev test-netdev ingress 
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000010 ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000e0 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x000000e0 ]
+
+# vlan id 4094 vlan dei 1 vlan pcp 3
+netdev test-netdev ingress 
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000fe0f ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000010 ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000e0 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000060 ]
+
+# vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00000100  : 0 [end]	element 00000200  : 0 [end]	element 00000400  : 0 [end]	element 00006400  : 0 [end]	element 0000ff0f  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 1b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000e0 ) ^ 0x00000000 ]
+  [ cmp gte reg 1 0x00000020 ]
+  [ cmp lte reg 1 0x00000060 ]
+
+# ether type vlan ip protocol 1 accept
+netdev test-netdev ingress
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ immediate reg 0 accept ]
+
+# ether type 8021ad vlan id 1 ip protocol 6 accept
+netdev
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0000a888 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 0 accept ]
+
+# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter
+netdev
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0000a888 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 18 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000200 ]
+  [ payload load 2b @ link header + 20 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ counter pkts 0 bytes 0 ]
+
+# ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6
+netdev
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0000a888 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 18 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000200 ]
+  [ payload load 2b @ link header + 20 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+
+# vlan id 1 vlan id set 2
+netdev
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000200 ]
+  [ payload write reg 1 => 2b @ link header + 14 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# vlan id 2 ether saddr 0:1:2:3:4:6
+netdev test-netdev ingress
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 8b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x03020100 0x00810604 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000200 ]
+
+# ether saddr 00:01:02:03:04:05 vlan id 1
+netdev test-netdev ingress
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 8b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x03020100 0x00810504 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+
+# ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 }
+__set%d test-netdev 3 size 2
+__set%d test-netdev 0
+	element 0d0c0b0a 00000f0e 00002a00  : 0 [end]	element 0d0c0b0a 00000f0e 0000ff0f  : 0 [end]
+netdev test-netdev ingress
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ payload load 2b @ link header + 14 => reg 10 ]
+  [ bitwise reg 10 = ( reg 10 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+
+# ether saddr 00:11:22:33:44:55 counter ether type 8021q
+bridge test-bridge input
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x33221100 0x00005544 ]
+  [ counter pkts 0 bytes 0 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
diff --git a/tests/py/inet/ah.t b/tests/py/inet/ah.t
new file mode 100644
index 0000000..83b6202
--- /dev/null
+++ b/tests/py/inet/ah.t
@@ -0,0 +1,47 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+- ah nexthdr esp;ok
+- ah nexthdr ah;ok
+- ah nexthdr comp;ok
+- ah nexthdr udp;ok
+- ah nexthdr udplite;ok
+- ah nexthdr tcp;ok
+- ah nexthdr dccp;ok
+- ah nexthdr sctp;ok
+
+- ah nexthdr { esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok;ah nexthdr { 6, 132, 50, 17, 136, 33, 51, 108}
+- ah nexthdr != { esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok
+
+ah hdrlength 11-23;ok
+ah hdrlength != 11-23;ok
+ah hdrlength {11, 23, 44 };ok
+ah hdrlength != {11, 23, 44 };ok
+
+ah reserved 22;ok
+ah reserved != 233;ok
+ah reserved 33-45;ok
+ah reserved != 33-45;ok
+ah reserved {23, 100};ok
+ah reserved != {23, 100};ok
+
+ah spi 111;ok
+ah spi != 111;ok
+ah spi 111-222;ok
+ah spi != 111-222;ok
+ah spi {111, 122};ok
+ah spi != {111, 122};ok
+
+# sequence
+ah sequence 123;ok
+ah sequence != 123;ok
+ah sequence {23, 25, 33};ok
+ah sequence != {23, 25, 33};ok
+ah sequence 23-33;ok
+ah sequence != 23-33;ok
diff --git a/tests/py/inet/ah.t.json b/tests/py/inet/ah.t.json
new file mode 100644
index 0000000..217280b
--- /dev/null
+++ b/tests/py/inet/ah.t.json
@@ -0,0 +1,412 @@
+# ah hdrlength 11-23
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hdrlength",
+                    "protocol": "ah"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 11, 23 ]
+            }
+        }
+    }
+]
+
+# ah hdrlength != 11-23
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hdrlength",
+                    "protocol": "ah"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 11, 23 ]
+            }
+        }
+    }
+]
+
+# ah hdrlength {11, 23, 44 }
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hdrlength",
+                    "protocol": "ah"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    11,
+                    23,
+                    44
+                ]
+            }
+        }
+    }
+]
+
+# ah hdrlength != {11, 23, 44 }
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hdrlength",
+                    "protocol": "ah"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    11,
+                    23,
+                    44
+                ]
+            }
+        }
+    }
+]
+
+# ah reserved 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "reserved",
+                    "protocol": "ah"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# ah reserved != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "reserved",
+                    "protocol": "ah"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# ah reserved 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "reserved",
+                    "protocol": "ah"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# ah reserved != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "reserved",
+                    "protocol": "ah"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# ah reserved {23, 100}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "reserved",
+                    "protocol": "ah"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    23,
+                    100
+                ]
+            }
+        }
+    }
+]
+
+# ah reserved != {23, 100}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "reserved",
+                    "protocol": "ah"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    23,
+                    100
+                ]
+            }
+        }
+    }
+]
+
+# ah spi 111
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "spi",
+                    "protocol": "ah"
+                }
+            },
+	    "op": "==",
+            "right": 111
+        }
+    }
+]
+
+# ah spi != 111
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "spi",
+                    "protocol": "ah"
+                }
+            },
+            "op": "!=",
+            "right": 111
+        }
+    }
+]
+
+# ah spi 111-222
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "spi",
+                    "protocol": "ah"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 111, 222 ]
+            }
+        }
+    }
+]
+
+# ah spi != 111-222
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "spi",
+                    "protocol": "ah"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 111, 222 ]
+            }
+        }
+    }
+]
+
+# ah spi {111, 122}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "spi",
+                    "protocol": "ah"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    111,
+                    122
+                ]
+            }
+        }
+    }
+]
+
+# ah spi != {111, 122}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "spi",
+                    "protocol": "ah"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    111,
+                    122
+                ]
+            }
+        }
+    }
+]
+
+# ah sequence 123
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "ah"
+                }
+            },
+	    "op": "==",
+            "right": 123
+        }
+    }
+]
+
+# ah sequence != 123
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "ah"
+                }
+            },
+            "op": "!=",
+            "right": 123
+        }
+    }
+]
+
+# ah sequence {23, 25, 33}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "ah"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    23,
+                    25,
+                    33
+                ]
+            }
+        }
+    }
+]
+
+# ah sequence != {23, 25, 33}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "ah"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    23,
+                    25,
+                    33
+                ]
+            }
+        }
+    }
+]
+
+# ah sequence 23-33
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "ah"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 23, 33 ]
+            }
+        }
+    }
+]
+
+# ah sequence != 23-33
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "ah"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 23, 33 ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/inet/ah.t.payload b/tests/py/inet/ah.t.payload
new file mode 100644
index 0000000..7ddd72d
--- /dev/null
+++ b/tests/py/inet/ah.t.payload
@@ -0,0 +1,182 @@
+# ah hdrlength 11-23
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ cmp gte reg 1 0x0000000b ]
+  [ cmp lte reg 1 0x00000017 ]
+
+# ah hdrlength != 11-23
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ range neq reg 1 0x0000000b 0x00000017 ]
+
+# ah hdrlength {11, 23, 44 }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 0000000b  : 0 [end]	element 00000017  : 0 [end]	element 0000002c  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ah hdrlength != {11, 23, 44 }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 0000000b  : 0 [end]	element 00000017  : 0 [end]	element 0000002c  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ah reserved 22
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ah reserved != 233
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ah reserved 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ah reserved != 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# ah reserved {23, 100}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001700  : 0 [end]	element 00006400  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ah reserved != {23, 100}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001700  : 0 [end]	element 00006400  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ah spi 111
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x6f000000 ]
+
+# ah spi != 111
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp neq reg 1 0x6f000000 ]
+
+# ah spi 111-222
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x6f000000 ]
+  [ cmp lte reg 1 0xde000000 ]
+
+# ah spi != 111-222
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ range neq reg 1 0x6f000000 0xde000000 ]
+
+# ah spi {111, 122}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 6f000000  : 0 [end]	element 7a000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ah spi != {111, 122}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 6f000000  : 0 [end]	element 7a000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ah sequence 123
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x7b000000 ]
+
+# ah sequence != 123
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ cmp neq reg 1 0x7b000000 ]
+
+# ah sequence {23, 25, 33}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 17000000  : 0 [end]	element 19000000  : 0 [end]	element 21000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ah sequence != {23, 25, 33}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 17000000  : 0 [end]	element 19000000  : 0 [end]	element 21000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ah sequence 23-33
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ cmp gte reg 1 0x17000000 ]
+  [ cmp lte reg 1 0x21000000 ]
+
+# ah sequence != 23-33
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ range neq reg 1 0x17000000 0x21000000 ]
+
diff --git a/tests/py/inet/comp.t b/tests/py/inet/comp.t
new file mode 100644
index 0000000..2ef5382
--- /dev/null
+++ b/tests/py/inet/comp.t
@@ -0,0 +1,30 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+# BUG: nft: payload.c:88: payload_expr_pctx_update: Assertion `left->payload.base + 1 <= (__PROTO_BASE_MAX - 1)' failed.
+- comp nexthdr esp;ok;comp nexthdr 50
+comp nexthdr != esp;ok;comp nexthdr != 50
+
+- comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp};ok
+# comp flags ## 8-bit field.  Reserved for future use.  MUST be set to zero.
+
+# Bug comp flags: to list. List the decimal value.
+comp flags 0x0;ok
+comp flags != 0x23;ok
+comp flags 0x33-0x45;ok
+comp flags != 0x33-0x45;ok
+comp flags {0x33, 0x55, 0x67, 0x88};ok
+comp flags != {0x33, 0x55, 0x67, 0x88};ok
+
+comp cpi 22;ok
+comp cpi != 233;ok
+comp cpi 33-45;ok
+comp cpi != 33-45;ok
+comp cpi {33, 55, 67, 88};ok
+comp cpi != {33, 55, 67, 88};ok
diff --git a/tests/py/inet/comp.t.json b/tests/py/inet/comp.t.json
new file mode 100644
index 0000000..c9f6fca
--- /dev/null
+++ b/tests/py/inet/comp.t.json
@@ -0,0 +1,244 @@
+# comp nexthdr != esp
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "comp"
+                }
+            },
+            "op": "!=",
+            "right": "esp"
+        }
+    }
+]
+
+# comp flags 0x0
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "comp"
+                }
+            },
+	    "op": "==",
+            "right": "0x0"
+        }
+    }
+]
+
+# comp flags != 0x23
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "comp"
+                }
+            },
+            "op": "!=",
+            "right": "0x23"
+        }
+    }
+]
+
+# comp flags 0x33-0x45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "comp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ "0x33", "0x45" ]
+            }
+        }
+    }
+]
+
+# comp flags != 0x33-0x45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "comp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ "0x33", "0x45" ]
+            }
+        }
+    }
+]
+
+# comp flags {0x33, 0x55, 0x67, 0x88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "comp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "0x33",
+                    "0x55",
+                    "0x67",
+                    "0x88"
+                ]
+            }
+        }
+    }
+]
+
+# comp flags != {0x33, 0x55, 0x67, 0x88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "comp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "0x33",
+                    "0x55",
+                    "0x67",
+                    "0x88"
+                ]
+            }
+        }
+    }
+]
+
+# comp cpi 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "cpi",
+                    "protocol": "comp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# comp cpi != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "cpi",
+                    "protocol": "comp"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# comp cpi 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "cpi",
+                    "protocol": "comp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# comp cpi != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "cpi",
+                    "protocol": "comp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# comp cpi {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "cpi",
+                    "protocol": "comp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# comp cpi != {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "cpi",
+                    "protocol": "comp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/inet/comp.t.json.output b/tests/py/inet/comp.t.json.output
new file mode 100644
index 0000000..435c3de
--- /dev/null
+++ b/tests/py/inet/comp.t.json.output
@@ -0,0 +1,170 @@
+# comp nexthdr != esp
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "comp"
+                }
+            },
+            "op": "!=",
+            "right": 50
+        }
+    }
+]
+
+# comp flags 0x0
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "comp"
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# comp flags != 0x23
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "comp"
+                }
+            },
+            "op": "!=",
+            "right": 35
+        }
+    }
+]
+
+# comp flags 0x33-0x45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "comp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 51, 69 ]
+            }
+        }
+    }
+]
+
+# comp flags != 0x33-0x45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "comp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 51, 69 ]
+            }
+        }
+    }
+]
+
+# comp flags {0x33, 0x55, 0x67, 0x88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "comp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    51,
+                    85,
+                    103,
+                    136
+                ]
+            }
+        }
+    }
+]
+
+# comp flags != {0x33, 0x55, 0x67, 0x88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "comp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    51,
+                    85,
+                    103,
+                    136
+                ]
+            }
+        }
+    }
+]
+
+# comp flags { 0x33-0x55}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "comp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    { "range": [ 51, 85 ] }
+                ]
+            }
+        }
+    }
+]
+
+# comp flags != { 0x33-0x55}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "comp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    { "range": [ 51, 85 ] }
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/inet/comp.t.payload b/tests/py/inet/comp.t.payload
new file mode 100644
index 0000000..024e47c
--- /dev/null
+++ b/tests/py/inet/comp.t.payload
@@ -0,0 +1,105 @@
+# comp nexthdr != esp
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000032 ]
+
+# comp flags 0x0
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# comp flags != 0x23
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ cmp neq reg 1 0x00000023 ]
+
+# comp flags 0x33-0x45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ cmp gte reg 1 0x00000033 ]
+  [ cmp lte reg 1 0x00000045 ]
+
+# comp flags != 0x33-0x45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ range neq reg 1 0x00000033 0x00000045 ]
+
+# comp flags {0x33, 0x55, 0x67, 0x88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000033  : 0 [end]	element 00000055  : 0 [end]	element 00000067  : 0 [end]	element 00000088  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# comp flags != {0x33, 0x55, 0x67, 0x88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000033  : 0 [end]	element 00000055  : 0 [end]	element 00000067  : 0 [end]	element 00000088  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# comp cpi 22
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# comp cpi != 233
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# comp cpi 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# comp cpi != 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# comp cpi {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# comp cpi != {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/ct.t b/tests/py/inet/ct.t
new file mode 100644
index 0000000..5312b32
--- /dev/null
+++ b/tests/py/inet/ct.t
@@ -0,0 +1,15 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+
+*inet;test-inet;input
+
+meta nfproto ipv4 ct original saddr 1.2.3.4;ok;ct original ip saddr 1.2.3.4
+ct original ip6 saddr ::1;ok
+
+ct original ip daddr 1.2.3.4 accept;ok
+
+# missing protocol context
+ct original saddr ::1;fail
+
+# wrong protocol context
+ct original ip saddr ::1;fail
diff --git a/tests/py/inet/ct.t.json b/tests/py/inet/ct.t.json
new file mode 100644
index 0000000..223ac9e
--- /dev/null
+++ b/tests/py/inet/ct.t.json
@@ -0,0 +1,60 @@
+# meta nfproto ipv4 ct original saddr 1.2.3.4
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "nfproto" }
+            },
+	    "op": "==",
+            "right": "ipv4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "original",
+                    "key": "saddr"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    }
+]
+
+# ct original ip6 saddr ::1
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "original",
+                    "key": "ip6 saddr"
+                }
+            },
+	    "op": "==",
+            "right": "::1"
+        }
+    }
+]
+
+# ct original ip daddr 1.2.3.4 accept
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "original",
+                    "key": "ip daddr"
+                }
+            },
+            "op": "==",
+            "right": "1.2.3.4"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
diff --git a/tests/py/inet/ct.t.json.output b/tests/py/inet/ct.t.json.output
new file mode 100644
index 0000000..74c436a
--- /dev/null
+++ b/tests/py/inet/ct.t.json.output
@@ -0,0 +1,16 @@
+# meta nfproto ipv4 ct original saddr 1.2.3.4
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "original",
+                    "key": "saddr"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    }
+]
+
diff --git a/tests/py/inet/ct.t.payload b/tests/py/inet/ct.t.payload
new file mode 100644
index 0000000..f7a2ef2
--- /dev/null
+++ b/tests/py/inet/ct.t.payload
@@ -0,0 +1,17 @@
+# meta nfproto ipv4 ct original saddr 1.2.3.4
+ip test-ip4 output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ ct load src => reg 1 , dir original ]
+  [ cmp eq reg 1 0x04030201 ]
+
+# ct original ip6 saddr ::1
+inet test-inet input
+  [ ct load src_ip6 => reg 1 , dir original ]
+  [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ]
+
+# ct original ip daddr 1.2.3.4 accept
+inet test-inet input
+  [ ct load dst_ip => reg 1 , dir original ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ immediate reg 0 accept ]
diff --git a/tests/py/inet/dccp.t b/tests/py/inet/dccp.t
new file mode 100644
index 0000000..99cddbe
--- /dev/null
+++ b/tests/py/inet/dccp.t
@@ -0,0 +1,30 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+dccp sport 21-35;ok
+dccp sport != 21-35;ok
+dccp sport {23, 24, 25};ok
+dccp sport != {23, 24, 25};ok
+
+dccp sport 20-50;ok
+
+# dccp dport 21-35;ok
+# dccp dport != 21-35;ok
+dccp dport {23, 24, 25};ok
+dccp dport != {23, 24, 25};ok
+
+dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok
+dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok
+dccp type request;ok
+dccp type != request;ok
+
+dccp option 0 exists;ok
+dccp option 43 missing;ok
+dccp option 255 exists;ok
+dccp option 256 exists;fail
diff --git a/tests/py/inet/dccp.t.json b/tests/py/inet/dccp.t.json
new file mode 100644
index 0000000..9f47e97
--- /dev/null
+++ b/tests/py/inet/dccp.t.json
@@ -0,0 +1,276 @@
+# dccp sport 21-35
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "dccp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 21, 35 ]
+            }
+        }
+    }
+]
+
+# dccp sport != 21-35
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "dccp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 21, 35 ]
+            }
+        }
+    }
+]
+
+# dccp sport {23, 24, 25}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "dccp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    23,
+                    24,
+                    25
+                ]
+            }
+        }
+    }
+]
+
+# dccp sport != {23, 24, 25}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "dccp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    23,
+                    24,
+                    25
+                ]
+            }
+        }
+    }
+]
+
+# dccp sport 20-50
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "dccp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 20, 50 ]
+            }
+        }
+    }
+]
+
+# dccp dport {23, 24, 25}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "dccp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    23,
+                    24,
+                    25
+                ]
+            }
+        }
+    }
+]
+
+# dccp dport != {23, 24, 25}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "dccp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    23,
+                    24,
+                    25
+                ]
+            }
+        }
+    }
+]
+
+# dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "dccp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "request",
+                    "response",
+                    "data",
+                    "ack",
+                    "dataack",
+                    "closereq",
+                    "close",
+                    "reset",
+                    "sync",
+                    "syncack"
+                ]
+            }
+        }
+    }
+]
+
+# dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "dccp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "request",
+                    "response",
+                    "data",
+                    "ack",
+                    "dataack",
+                    "closereq",
+                    "close",
+                    "reset",
+                    "sync",
+                    "syncack"
+                ]
+            }
+        }
+    }
+]
+
+# dccp type request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "dccp"
+                }
+            },
+	    "op": "==",
+            "right": "request"
+        }
+    }
+]
+
+# dccp type != request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "dccp"
+                }
+            },
+            "op": "!=",
+            "right": "request"
+        }
+    }
+]
+
+# dccp option 0 exists
+[
+    {
+        "match": {
+            "left": {
+                "dccp option": {
+                    "type": 0
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# dccp option 43 missing
+[
+    {
+        "match": {
+            "left": {
+                "dccp option": {
+                    "type": 43
+                }
+            },
+            "op": "==",
+            "right": false
+        }
+    }
+]
+
+# dccp option 255 exists
+[
+    {
+        "match": {
+            "left": {
+                "dccp option": {
+                    "type": 255
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
diff --git a/tests/py/inet/dccp.t.json.output b/tests/py/inet/dccp.t.json.output
new file mode 100644
index 0000000..146741d
--- /dev/null
+++ b/tests/py/inet/dccp.t.json.output
@@ -0,0 +1,18 @@
+# dccp sport ftp-data - re-mail-ck
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "dccp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 20, 50 ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/inet/dccp.t.payload b/tests/py/inet/dccp.t.payload
new file mode 100644
index 0000000..c0b87be
--- /dev/null
+++ b/tests/py/inet/dccp.t.payload
@@ -0,0 +1,115 @@
+# dccp sport 21-35
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ cmp gte reg 1 0x00001500 ]
+  [ cmp lte reg 1 0x00002300 ]
+
+# dccp sport != 21-35
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ range neq reg 1 0x00001500 0x00002300 ]
+
+# dccp sport {23, 24, 25}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# dccp sport != {23, 24, 25}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# dccp sport 20-50
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ cmp gte reg 1 0x00001400 ]
+  [ cmp lte reg 1 0x00003200 ]
+
+# dccp dport {23, 24, 25}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# dccp dport != {23, 24, 25}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000000  : 0 [end]	element 00000002  : 0 [end]	element 00000004  : 0 [end]	element 00000006  : 0 [end]	element 00000008  : 0 [end]	element 0000000a  : 0 [end]	element 0000000c  : 0 [end]	element 0000000e  : 0 [end]	element 00000010  : 0 [end]	element 00000012  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 1b @ transport header + 8 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+
+# dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000000  : 0 [end]	element 00000002  : 0 [end]	element 00000004  : 0 [end]	element 00000006  : 0 [end]	element 00000008  : 0 [end]	element 0000000a  : 0 [end]	element 0000000c  : 0 [end]	element 0000000e  : 0 [end]	element 00000010  : 0 [end]	element 00000012  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 1b @ transport header + 8 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# dccp type request
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 1b @ transport header + 8 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# dccp type != request
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 1b @ transport header + 8 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# dccp option 0 exists
+ip test-inet input
+  [ exthdr load 1b @ 0 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# dccp option 43 missing
+ip test-inet input
+  [ exthdr load 1b @ 43 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# dccp option 255 exists
+ip test-inet input
+  [ exthdr load 1b @ 255 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
diff --git a/tests/py/inet/dnat.t b/tests/py/inet/dnat.t
new file mode 100644
index 0000000..e4e169f
--- /dev/null
+++ b/tests/py/inet/dnat.t
@@ -0,0 +1,22 @@
+:prerouting;type nat hook prerouting priority 0
+
+*inet;test-inet;prerouting
+
+iifname "foo" tcp dport 80 redirect to :8080;ok
+
+iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2;ok
+iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443;ok
+meta l4proto tcp dnat to :80;ok;meta l4proto 6 dnat to :80
+
+dnat ip to ct mark map { 0x00000014 : 1.2.3.4};ok
+dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok
+
+dnat ip6 to 1.2.3.4;fail
+dnat to 1.2.3.4;fail
+dnat ip6 to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};fail
+ip6 daddr dead::beef dnat to 10.1.2.3;fail
+
+meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80;ok;meta l4proto { 6, 17} dnat ip to 1.1.1.1:80
+ip protocol { tcp, udp } dnat ip to 1.1.1.1:80;ok;ip protocol { 6, 17} dnat ip to 1.1.1.1:80
+meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80;fail
+ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80;fail
diff --git a/tests/py/inet/dnat.t.json b/tests/py/inet/dnat.t.json
new file mode 100644
index 0000000..c341a04
--- /dev/null
+++ b/tests/py/inet/dnat.t.json
@@ -0,0 +1,241 @@
+# iifname "foo" tcp dport 80 redirect to :8080
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "iifname"
+                }
+            },
+            "op": "==",
+            "right": "foo"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "==",
+            "right": 80
+        }
+    },
+    {
+        "redirect": {
+            "port": 8080
+        }
+    }
+]
+
+# iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "iifname"
+                }
+            },
+            "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "==",
+            "right": 443
+        }
+    },
+    {
+        "dnat": {
+            "addr": "192.168.3.2",
+            "family": "ip"
+        }
+    }
+]
+
+# iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "iifname"
+                }
+            },
+            "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "==",
+            "right": 443
+        }
+    },
+    {
+        "dnat": {
+            "addr": "dead::beef",
+            "family": "ip6",
+            "port": 4443
+        }
+    }
+]
+
+# dnat ip to ct mark map { 0x00000014 : 1.2.3.4}
+[
+    {
+        "dnat": {
+            "addr": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                20,
+                                "1.2.3.4"
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    }
+                }
+            },
+            "family": "ip"
+        }
+    }
+]
+
+# dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4}
+[
+    {
+        "dnat": {
+            "addr": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                {
+                                    "concat": [
+                                        20,
+                                        "1.1.1.1"
+                                    ]
+                                },
+                                "1.2.3.4"
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "concat": [
+                            {
+                                "ct": {
+                                    "key": "mark"
+                                }
+                            },
+                            {
+                                "payload": {
+                                    "field": "daddr",
+                                    "protocol": "ip"
+                                }
+                            }
+                        ]
+                    }
+                }
+            },
+            "family": "ip"
+        }
+    }
+]
+
+# meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    6,
+                    17
+                ]
+            }
+        }
+    },
+    {
+        "dnat": {
+            "addr": "1.1.1.1",
+            "family": "ip",
+            "port": 80
+        }
+    }
+]
+
+# ip protocol { tcp, udp } dnat ip to 1.1.1.1:80
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    6,
+                    17
+                ]
+            }
+        }
+    },
+    {
+        "dnat": {
+            "addr": "1.1.1.1",
+            "family": "ip",
+            "port": 80
+        }
+    }
+]
+
+# meta l4proto tcp dnat to :80
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "dnat": {
+            "port": 80
+        }
+    }
+]
+
diff --git a/tests/py/inet/dnat.t.payload b/tests/py/inet/dnat.t.payload
new file mode 100644
index 0000000..ce1601a
--- /dev/null
+++ b/tests/py/inet/dnat.t.payload
@@ -0,0 +1,86 @@
+# iifname "foo" tcp dport 80 redirect to :8080
+inet test-inet prerouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x006f6f66 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00005000 ]
+  [ immediate reg 1 0x0000901f ]
+  [ redir proto_min reg 1 flags 0x2 ]
+
+# iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2
+inet test-inet prerouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000bb01 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat dnat ip addr_min reg 1 ]
+
+# iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443
+inet test-inet prerouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000bb01 ]
+  [ immediate reg 1 0x0000adde 0x00000000 0x00000000 0xefbe0000 ]
+  [ immediate reg 2 0x00005b11 ]
+  [ nat dnat ip6 addr_min reg 1 proto_min reg 2 flags 0x2 ]
+
+# dnat ip to ct mark map { 0x00000014 : 1.2.3.4}
+__map%d test-inet b size 1
+__map%d test-inet 0
+        element 00000014  : 04030201 0 [end]
+inet test-inet prerouting
+  [ ct load mark => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat dnat ip addr_min reg 1 ]
+
+# dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4}
+__map%d test-inet b size 1
+__map%d test-inet 0
+        element 00000014 01010101  : 04030201 0 [end]
+inet test-inet prerouting
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ ct load mark => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat dnat ip addr_min reg 1 ]
+
+# meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80
+__set%d test-inet 3
+__set%d test-inet 0
+        element 00000006  : 0 [end]     element 00000011  : 0 [end]
+inet
+  [ meta load l4proto => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 1 0x01010101 ]
+  [ immediate reg 2 0x00005000 ]
+  [ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ]
+
+# ip protocol { tcp, udp } dnat ip to 1.1.1.1:80
+__set%d test-inet 3
+__set%d test-inet 0
+        element 00000006  : 0 [end]     element 00000011  : 0 [end]
+inet
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 1 0x01010101 ]
+  [ immediate reg 2 0x00005000 ]
+  [ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ]
+
+# meta l4proto tcp dnat to :80
+inet
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x00005000 ]
+  [ nat dnat inet proto_min reg 1 flags 0x2 ]
+
diff --git a/tests/py/inet/esp.t b/tests/py/inet/esp.t
new file mode 100644
index 0000000..536260c
--- /dev/null
+++ b/tests/py/inet/esp.t
@@ -0,0 +1,21 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+esp spi 100;ok
+esp spi != 100;ok
+esp spi 111-222;ok
+esp spi != 111-222;ok
+esp spi { 100, 102};ok
+esp spi != { 100, 102};ok
+
+esp sequence 22;ok
+esp sequence 22-24;ok
+esp sequence != 22-24;ok
+esp sequence { 22, 24};ok
+esp sequence != { 22, 24};ok
diff --git a/tests/py/inet/esp.t.json b/tests/py/inet/esp.t.json
new file mode 100644
index 0000000..a9dedd6
--- /dev/null
+++ b/tests/py/inet/esp.t.json
@@ -0,0 +1,204 @@
+# esp spi 100
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "spi",
+                    "protocol": "esp"
+                }
+            },
+	    "op": "==",
+            "right": 100
+        }
+    }
+]
+
+# esp spi != 100
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "spi",
+                    "protocol": "esp"
+                }
+            },
+            "op": "!=",
+            "right": 100
+        }
+    }
+]
+
+# esp spi 111-222
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "spi",
+                    "protocol": "esp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 111, 222 ]
+            }
+        }
+    }
+]
+
+# esp spi != 111-222
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "spi",
+                    "protocol": "esp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 111, 222 ]
+            }
+        }
+    }
+]
+
+# esp spi { 100, 102}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "spi",
+                    "protocol": "esp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    100,
+                    102
+                ]
+            }
+        }
+    }
+]
+
+# esp spi != { 100, 102}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "spi",
+                    "protocol": "esp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    100,
+                    102
+                ]
+            }
+        }
+    }
+]
+
+# esp sequence 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "esp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# esp sequence 22-24
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "esp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 22, 24 ]
+            }
+        }
+    }
+]
+
+# esp sequence != 22-24
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "esp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 22, 24 ]
+            }
+        }
+    }
+]
+
+# esp sequence { 22, 24}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "esp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    22,
+                    24
+                ]
+            }
+        }
+    }
+]
+
+# esp sequence != { 22, 24}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "esp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    22,
+                    24
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/inet/esp.t.payload b/tests/py/inet/esp.t.payload
new file mode 100644
index 0000000..0353b05
--- /dev/null
+++ b/tests/py/inet/esp.t.payload
@@ -0,0 +1,91 @@
+# esp spi 100
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x64000000 ]
+
+# esp spi != 100
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 0 => reg 1 ]
+  [ cmp neq reg 1 0x64000000 ]
+
+# esp spi 111-222
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 0 => reg 1 ]
+  [ cmp gte reg 1 0x6f000000 ]
+  [ cmp lte reg 1 0xde000000 ]
+
+# esp spi != 111-222
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 0 => reg 1 ]
+  [ range neq reg 1 0x6f000000 0xde000000 ]
+
+# esp spi { 100, 102}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 64000000  : 0 [end]	element 66000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# esp spi != { 100, 102}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 64000000  : 0 [end]	element 66000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# esp sequence 22
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x16000000 ]
+
+# esp sequence 22-24
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x16000000 ]
+  [ cmp lte reg 1 0x18000000 ]
+
+# esp sequence != 22-24
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ range neq reg 1 0x16000000 0x18000000 ]
+
+# esp sequence { 22, 24}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 16000000  : 0 [end]	element 18000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# esp sequence != { 22, 24}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 16000000  : 0 [end]	element 18000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/ether-ip.t b/tests/py/inet/ether-ip.t
new file mode 100644
index 0000000..759124d
--- /dev/null
+++ b/tests/py/inet/ether-ip.t
@@ -0,0 +1,9 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept
+tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04;ok
diff --git a/tests/py/inet/ether-ip.t.json b/tests/py/inet/ether-ip.t.json
new file mode 100644
index 0000000..8f35b3d
--- /dev/null
+++ b/tests/py/inet/ether-ip.t.json
@@ -0,0 +1,92 @@
+# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iiftype" }
+            },
+	    "op": "==",
+            "right": "ether"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    }
+]
+
diff --git a/tests/py/inet/ether-ip.t.json.output b/tests/py/inet/ether-ip.t.json.output
new file mode 100644
index 0000000..f659113
--- /dev/null
+++ b/tests/py/inet/ether-ip.t.json.output
@@ -0,0 +1,43 @@
+# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
diff --git a/tests/py/inet/ether-ip.t.payload b/tests/py/inet/ether-ip.t.payload
new file mode 100644
index 0000000..62e37a5
--- /dev/null
+++ b/tests/py/inet/ether-ip.t.payload
@@ -0,0 +1,28 @@
+# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 8b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00080411 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ immediate reg 0 accept ]
+
+# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
diff --git a/tests/py/inet/ether-ip.t.payload.netdev b/tests/py/inet/ether-ip.t.payload.netdev
new file mode 100644
index 0000000..b0fa6d8
--- /dev/null
+++ b/tests/py/inet/ether-ip.t.payload.netdev
@@ -0,0 +1,29 @@
+# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04
+netdev test-netdev ingress 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+
+# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept
+netdev test-netdev ingress 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 8b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00080411 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ immediate reg 0 accept ]
+
diff --git a/tests/py/inet/ether.t b/tests/py/inet/ether.t
new file mode 100644
index 0000000..8625f70
--- /dev/null
+++ b/tests/py/inet/ether.t
@@ -0,0 +1,20 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*bridge;test-bridge;input
+*netdev;test-netdev;ingress,egress
+
+tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept
+tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept;ok
+
+ether saddr 00:0f:54:0c:11:04 accept;ok
+
+vlan id 1;ok
+ether type vlan vlan id 2;ok;vlan id 2
+
+# invalid dependency
+ether type ip vlan id 1;fail
diff --git a/tests/py/inet/ether.t.json b/tests/py/inet/ether.t.json
new file mode 100644
index 0000000..c7a7f88
--- /dev/null
+++ b/tests/py/inet/ether.t.json
@@ -0,0 +1,122 @@
+# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iiftype" }
+            },
+	    "op": "==",
+            "right": "ether"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ether saddr 00:0f:54:0c:11:04 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# vlan id 1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# ether type vlan vlan id 2
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    }
+]
+
diff --git a/tests/py/inet/ether.t.json.output b/tests/py/inet/ether.t.json.output
new file mode 100644
index 0000000..9ae8c44
--- /dev/null
+++ b/tests/py/inet/ether.t.json.output
@@ -0,0 +1,31 @@
+# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
diff --git a/tests/py/inet/ether.t.payload b/tests/py/inet/ether.t.payload
new file mode 100644
index 0000000..8b74a78
--- /dev/null
+++ b/tests/py/inet/ether.t.payload
@@ -0,0 +1,52 @@
+# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+  [ immediate reg 0 accept ]
+
+# tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+  [ immediate reg 0 accept ]
+
+# ether saddr 00:0f:54:0c:11:04 accept
+inet test-inet input
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+  [ immediate reg 0 accept ]
+
+# vlan id 1
+netdev test-netdev ingress
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+
+# ether type vlan vlan id 2
+netdev test-netdev ingress
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000200 ]
+
diff --git a/tests/py/inet/ether.t.payload.bridge b/tests/py/inet/ether.t.payload.bridge
new file mode 100644
index 0000000..0128d5f
--- /dev/null
+++ b/tests/py/inet/ether.t.payload.bridge
@@ -0,0 +1,44 @@
+# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept
+bridge test-bridge input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+  [ immediate reg 0 accept ]
+
+# tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept
+bridge test-bridge input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+  [ immediate reg 0 accept ]
+
+# ether saddr 00:0f:54:0c:11:04 accept
+bridge test-bridge input
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+  [ immediate reg 0 accept ]
+
+# vlan id 1
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+
+# ether type vlan vlan id 2
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000200 ]
+
diff --git a/tests/py/inet/ether.t.payload.ip b/tests/py/inet/ether.t.payload.ip
new file mode 100644
index 0000000..7c91f41
--- /dev/null
+++ b/tests/py/inet/ether.t.payload.ip
@@ -0,0 +1,52 @@
+# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+  [ immediate reg 0 accept ]
+
+# tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+  [ immediate reg 0 accept ]
+
+# ether saddr 00:0f:54:0c:11:04 accept
+ip test-ip4 input
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+  [ immediate reg 0 accept ]
+
+# vlan id 1
+ip test-ip4 input
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000100 ]
+
+# ether type vlan vlan id 2
+ip test-ip4 input
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ link header + 14 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000200 ]
+
diff --git a/tests/py/inet/fib.t b/tests/py/inet/fib.t
new file mode 100644
index 0000000..dbe45d9
--- /dev/null
+++ b/tests/py/inet/fib.t
@@ -0,0 +1,17 @@
+:prerouting;type filter hook prerouting priority 0
+
+*ip;test-ip;prerouting
+*ip6;test-ip6;prerouting
+
+fib saddr . daddr oif lo;fail
+fib iif . oif . daddr oif lo;fail
+fib mark oif lo;fail
+fib saddr . iif oif ne 0;ok;fib saddr . iif oif != 0
+fib saddr . iif oifname "lo";ok
+
+fib daddr . iif type local;ok
+fib daddr . iif type vmap { blackhole : drop, prohibit : drop, unicast : accept };ok
+fib daddr . oif type local;fail
+
+fib daddr oif exists;ok
+fib daddr oif missing;ok
diff --git a/tests/py/inet/fib.t.json b/tests/py/inet/fib.t.json
new file mode 100644
index 0000000..c298915
--- /dev/null
+++ b/tests/py/inet/fib.t.json
@@ -0,0 +1,132 @@
+# fib saddr . iif oif ne 0
+[
+    {
+        "match": {
+            "left": {
+                "fib": {
+                    "flags": [
+                        "saddr",
+                        "iif"
+                    ],
+                    "result": "oif"
+                }
+            },
+            "op": "!=",
+            "right": "0"
+        }
+    }
+]
+
+# fib saddr . iif oifname "lo"
+[
+    {
+        "match": {
+            "left": {
+                "fib": {
+                    "flags": [
+                        "saddr",
+                        "iif"
+                    ],
+                    "result": "oifname"
+                }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    }
+]
+
+# fib daddr . iif type local
+[
+    {
+        "match": {
+            "left": {
+                "fib": {
+                    "flags": [
+                        "daddr",
+                        "iif"
+                    ],
+                    "result": "type"
+                }
+            },
+	    "op": "==",
+            "right": "local"
+        }
+    }
+]
+
+# fib daddr . iif type vmap { blackhole : drop, prohibit : drop, unicast : accept }
+[
+    {
+        "vmap": {
+            "key": {
+                "fib": {
+                    "flags": [
+                        "daddr",
+                        "iif"
+                    ],
+                    "result": "type"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "blackhole",
+                        {
+                            "drop": null
+                        }
+                    ],
+                    [
+                        "prohibit",
+                        {
+                            "drop": null
+                        }
+                    ],
+                    [
+                        "unicast",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# fib daddr oif exists
+[
+    {
+        "match": {
+            "left": {
+                "fib": {
+                    "flags": [
+                        "daddr"
+                    ],
+                    "result": "oif"
+                }
+            },
+	    "op": "==",
+            "right": true
+        }
+    }
+]
+
+# fib daddr oif missing
+[
+    {
+        "match": {
+            "left": {
+                "fib": {
+                    "flags": [
+                        "daddr"
+                    ],
+                    "result": "oif"
+                }
+            },
+	    "op": "==",
+            "right": false
+        }
+    }
+]
+
diff --git a/tests/py/inet/fib.t.json.output b/tests/py/inet/fib.t.json.output
new file mode 100644
index 0000000..52cd46b
--- /dev/null
+++ b/tests/py/inet/fib.t.json.output
@@ -0,0 +1,39 @@
+# fib daddr . iif type vmap { blackhole : drop, prohibit : drop, unicast : accept }
+[
+    {
+        "vmap": {
+            "key": {
+                "fib": {
+                    "flags": [
+                        "daddr",
+                        "iif"
+                    ],
+                    "result": "type"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "unicast",
+                        {
+                            "accept": null
+                        }
+                    ],
+                    [
+                        "blackhole",
+                        {
+                            "drop": null
+                        }
+                    ],
+                    [
+                        "prohibit",
+                        {
+                            "drop": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/inet/fib.t.payload b/tests/py/inet/fib.t.payload
new file mode 100644
index 0000000..050857d
--- /dev/null
+++ b/tests/py/inet/fib.t.payload
@@ -0,0 +1,32 @@
+# fib saddr . iif oif ne 0
+ip test-ip prerouting
+  [ fib saddr . iif oif => reg 1 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# fib saddr . iif oifname "lo"
+ip test-ip prerouting
+  [ fib saddr . iif oifname => reg 1 ]
+  [ cmp eq reg 1 0x00006f6c 0x00000000 0x00000000 0x00000000 ]
+
+# fib daddr . iif type local
+ip test-ip prerouting
+  [ fib daddr . iif type => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+
+# fib daddr . iif type vmap { blackhole : drop, prohibit : drop, unicast : accept }
+__map%d test-ip b
+__map%d test-ip 0
+	element 00000006  : drop 0 [end]	element 00000008  : drop 0 [end]	element 00000001  : accept 0 [end]
+ip test-ip prerouting
+  [ fib daddr . iif type => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# fib daddr oif exists
+ip test-ip prerouting
+  [ fib daddr oif present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# fib daddr oif missing
+ip test-ip prerouting
+  [ fib daddr oif present => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
diff --git a/tests/py/inet/geneve.t b/tests/py/inet/geneve.t
new file mode 100644
index 0000000..101f6df
--- /dev/null
+++ b/tests/py/inet/geneve.t
@@ -0,0 +1,23 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+geneve vni 10;fail
+udp dport 6081 geneve vni 10;ok
+udp dport 6081 geneve ip saddr 10.141.11.2;ok
+udp dport 6081 geneve ip saddr 10.141.11.0/24;ok
+udp dport 6081 geneve ip protocol 1;ok
+udp dport 6081 geneve udp sport 8888;ok
+udp dport 6081 geneve icmp type echo-reply;ok
+udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05;ok
+udp dport 6081 geneve vlan id 10;ok
+udp dport 6081 geneve ip dscp 0x02;ok
+udp dport 6081 geneve ip dscp 0x02;ok
+udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 };ok
+
+udp dport 6081 geneve ip saddr set 1.2.3.4;fail
diff --git a/tests/py/inet/geneve.t.json b/tests/py/inet/geneve.t.json
new file mode 100644
index 0000000..a299fcd
--- /dev/null
+++ b/tests/py/inet/geneve.t.json
@@ -0,0 +1,344 @@
+# udp dport 6081 geneve vni 10
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 6081
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "vni",
+                    "protocol": "geneve",
+                    "tunnel": "geneve"
+                }
+            },
+            "op": "==",
+            "right": 10
+        }
+    }
+]
+
+# udp dport 6081 geneve ip saddr 10.141.11.2
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 6081
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip",
+                    "tunnel": "geneve"
+                }
+            },
+            "op": "==",
+            "right": "10.141.11.2"
+        }
+    }
+]
+
+# udp dport 6081 geneve ip saddr 10.141.11.0/24
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 6081
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip",
+                    "tunnel": "geneve"
+                }
+            },
+            "op": "==",
+            "right": {
+                "prefix": {
+                    "addr": "10.141.11.0",
+                    "len": 24
+                }
+            }
+        }
+    }
+]
+
+# udp dport 6081 geneve ip protocol 1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 6081
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip",
+                    "tunnel": "geneve"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# udp dport 6081 geneve udp sport 8888
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 6081
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "udp",
+                    "tunnel": "geneve"
+                }
+            },
+            "op": "==",
+            "right": 8888
+        }
+    }
+]
+
+# udp dport 6081 geneve icmp type echo-reply
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 6081
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp",
+                    "tunnel": "geneve"
+                }
+            },
+            "op": "==",
+            "right": "echo-reply"
+        }
+    }
+]
+
+# udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 6081
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether",
+                    "tunnel": "geneve"
+                }
+            },
+            "op": "==",
+            "right": "62:87:4d:d6:19:05"
+        }
+    }
+]
+
+# udp dport 6081 geneve vlan id 10
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 6081
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan",
+                    "tunnel": "geneve"
+                }
+            },
+            "op": "==",
+            "right": 10
+        }
+    }
+]
+
+# udp dport 6081 geneve ip dscp 0x02
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 6081
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip",
+                    "tunnel": "geneve"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    }
+]
+
+# udp dport 6081 geneve ip dscp 0x02
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 6081
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip",
+                    "tunnel": "geneve"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    }
+]
+
+# udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 }
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 6081
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip",
+                            "tunnel": "geneve"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip",
+                            "tunnel": "geneve"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "1.2.3.4",
+                            "4.3.2.1"
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/inet/geneve.t.payload b/tests/py/inet/geneve.t.payload
new file mode 100644
index 0000000..1ce54de
--- /dev/null
+++ b/tests/py/inet/geneve.t.payload
@@ -0,0 +1,114 @@
+# udp dport 6081 geneve vni 10
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000c117 ]
+  [ inner type 2 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ]
+  [ cmp eq reg 1 0x000a0000 ]
+
+# udp dport 6081 geneve ip saddr 10.141.11.2
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000c117 ]
+  [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 2 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ]
+  [ cmp eq reg 1 0x020b8d0a ]
+
+# udp dport 6081 geneve ip saddr 10.141.11.0/24
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000c117 ]
+  [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 2 hdrsize 8 flags f [ payload load 3b @ network header + 12 => reg 1 ] ]
+  [ cmp eq reg 1 0x000b8d0a ]
+
+# udp dport 6081 geneve ip protocol 1
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000c117 ]
+  [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 2 hdrsize 8 flags f [ payload load 1b @ network header + 9 => reg 1 ] ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# udp dport 6081 geneve udp sport 8888
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000c117 ]
+  [ inner type 2 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ inner type 2 hdrsize 8 flags f [ payload load 2b @ transport header + 0 => reg 1 ] ]
+  [ cmp eq reg 1 0x0000b822 ]
+
+# udp dport 6081 geneve icmp type echo-reply
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000c117 ]
+  [ inner type 2 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 2 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ inner type 2 hdrsize 8 flags f [ payload load 1b @ transport header + 0 => reg 1 ] ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000c117 ]
+  [ inner type 2 hdrsize 8 flags f [ payload load 6b @ link header + 6 => reg 1 ] ]
+  [ cmp eq reg 1 0xd64d8762 0x00000519 ]
+
+# udp dport 6081 geneve vlan id 10
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000c117 ]
+  [ inner type 2 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ inner type 2 hdrsize 8 flags f [ payload load 2b @ link header + 14 => reg 1 ] ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000a00 ]
+
+# udp dport 6081 geneve ip dscp 0x02
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000c117 ]
+  [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 2 hdrsize 8 flags f [ payload load 1b @ network header + 1 => reg 1 ] ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 }
+__set%d test-ip4 3 size 1
+__set%d test-ip4 0
+	element 04030201 01020304  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000c117 ]
+  [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 2 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ]
+  [ inner type 2 hdrsize 8 flags f [ payload load 4b @ network header + 16 => reg 9 ] ]
+  [ lookup reg 1 set __set%d ]
+
diff --git a/tests/py/inet/gre.t b/tests/py/inet/gre.t
new file mode 100644
index 0000000..a3e046a
--- /dev/null
+++ b/tests/py/inet/gre.t
@@ -0,0 +1,22 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+gre version 0;ok
+gre ip saddr 10.141.11.2;ok
+gre ip saddr 10.141.11.0/24;ok
+gre ip protocol 1;ok
+gre udp sport 8888;ok
+gre icmp type echo-reply;ok
+gre ether saddr 62:87:4d:d6:19:05;fail
+gre vlan id 10;fail
+gre ip dscp 0x02;ok
+gre ip dscp 0x02;ok
+gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 };ok
+
+gre ip saddr set 1.2.3.4;fail
diff --git a/tests/py/inet/gre.t.json b/tests/py/inet/gre.t.json
new file mode 100644
index 0000000..c443176
--- /dev/null
+++ b/tests/py/inet/gre.t.json
@@ -0,0 +1,177 @@
+# gre version 0
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "version",
+                    "protocol": "gre"
+                }
+            },
+            "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# gre ip saddr 10.141.11.2
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip",
+                    "tunnel": "gre"
+                }
+            },
+            "op": "==",
+            "right": "10.141.11.2"
+        }
+    }
+]
+
+# gre ip saddr 10.141.11.0/24
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip",
+                    "tunnel": "gre"
+                }
+            },
+            "op": "==",
+            "right": {
+                "prefix": {
+                    "addr": "10.141.11.0",
+                    "len": 24
+                }
+            }
+        }
+    }
+]
+
+# gre ip protocol 1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip",
+                    "tunnel": "gre"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# gre udp sport 8888
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "udp",
+                    "tunnel": "gre"
+                }
+            },
+            "op": "==",
+            "right": 8888
+        }
+    }
+]
+
+# gre icmp type echo-reply
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp",
+                    "tunnel": "gre"
+                }
+            },
+            "op": "==",
+            "right": "echo-reply"
+        }
+    }
+]
+
+# gre ip dscp 0x02
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip",
+                    "tunnel": "gre"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    }
+]
+
+# gre ip dscp 0x02
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip",
+                    "tunnel": "gre"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    }
+]
+
+# gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 }
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip",
+                            "tunnel": "gre"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip",
+                            "tunnel": "gre"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "1.2.3.4",
+                            "4.3.2.1"
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/inet/gre.t.payload b/tests/py/inet/gre.t.payload
new file mode 100644
index 0000000..333133e
--- /dev/null
+++ b/tests/py/inet/gre.t.payload
@@ -0,0 +1,78 @@
+# gre version 0
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000002f ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000007 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# gre ip saddr 10.141.11.2
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000002f ]
+  [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 3 hdrsize 4 flags c [ payload load 4b @ network header + 12 => reg 1 ] ]
+  [ cmp eq reg 1 0x020b8d0a ]
+
+# gre ip saddr 10.141.11.0/24
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000002f ]
+  [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 3 hdrsize 4 flags c [ payload load 3b @ network header + 12 => reg 1 ] ]
+  [ cmp eq reg 1 0x000b8d0a ]
+
+# gre ip protocol 1
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000002f ]
+  [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 3 hdrsize 4 flags c [ payload load 1b @ network header + 9 => reg 1 ] ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# gre udp sport 8888
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000002f ]
+  [ inner type 3 hdrsize 4 flags c [ meta load l4proto => reg 1 ] ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ inner type 3 hdrsize 4 flags c [ payload load 2b @ transport header + 0 => reg 1 ] ]
+  [ cmp eq reg 1 0x0000b822 ]
+
+# gre icmp type echo-reply
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000002f ]
+  [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 3 hdrsize 4 flags c [ meta load l4proto => reg 1 ] ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ inner type 3 hdrsize 4 flags c [ payload load 1b @ transport header + 0 => reg 1 ] ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# gre ip dscp 0x02
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000002f ]
+  [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 3 hdrsize 4 flags c [ payload load 1b @ network header + 1 => reg 1 ] ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 }
+__set%d test-ip4 3 size 1
+__set%d test-ip4 0
+	element 04030201 01020304  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000002f ]
+  [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 3 hdrsize 4 flags c [ payload load 4b @ network header + 12 => reg 1 ] ]
+  [ inner type 3 hdrsize 4 flags c [ payload load 4b @ network header + 16 => reg 9 ] ]
+  [ lookup reg 1 set __set%d ]
+
diff --git a/tests/py/inet/gretap.t b/tests/py/inet/gretap.t
new file mode 100644
index 0000000..cd7ee21
--- /dev/null
+++ b/tests/py/inet/gretap.t
@@ -0,0 +1,21 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+gretap ip saddr 10.141.11.2;ok
+gretap ip saddr 10.141.11.0/24;ok
+gretap ip protocol 1;ok
+gretap udp sport 8888;ok
+gretap icmp type echo-reply;ok
+gretap ether saddr 62:87:4d:d6:19:05;ok
+gretap vlan id 10;ok
+gretap ip dscp 0x02;ok
+gretap ip dscp 0x02;ok
+gretap ip saddr . gretap ip daddr { 1.2.3.4 . 4.3.2.1 };ok
+
+gretap ip saddr set 1.2.3.4;fail
diff --git a/tests/py/inet/gretap.t.json b/tests/py/inet/gretap.t.json
new file mode 100644
index 0000000..36fa978
--- /dev/null
+++ b/tests/py/inet/gretap.t.json
@@ -0,0 +1,195 @@
+# gretap ip saddr 10.141.11.2
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip",
+                    "tunnel": "gretap"
+                }
+            },
+            "op": "==",
+            "right": "10.141.11.2"
+        }
+    }
+]
+
+# gretap ip saddr 10.141.11.0/24
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip",
+                    "tunnel": "gretap"
+                }
+            },
+            "op": "==",
+            "right": {
+                "prefix": {
+                    "addr": "10.141.11.0",
+                    "len": 24
+                }
+            }
+        }
+    }
+]
+
+# gretap ip protocol 1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip",
+                    "tunnel": "gretap"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# gretap udp sport 8888
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "udp",
+                    "tunnel": "gretap"
+                }
+            },
+            "op": "==",
+            "right": 8888
+        }
+    }
+]
+
+# gretap icmp type echo-reply
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp",
+                    "tunnel": "gretap"
+                }
+            },
+            "op": "==",
+            "right": "echo-reply"
+        }
+    }
+]
+
+# gretap ether saddr 62:87:4d:d6:19:05
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether",
+                    "tunnel": "gretap"
+                }
+            },
+            "op": "==",
+            "right": "62:87:4d:d6:19:05"
+        }
+    }
+]
+
+# gretap vlan id 10
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan",
+                    "tunnel": "gretap"
+                }
+            },
+            "op": "==",
+            "right": 10
+        }
+    }
+]
+
+# gretap ip dscp 0x02
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip",
+                    "tunnel": "gretap"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    }
+]
+
+# gretap ip dscp 0x02
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip",
+                    "tunnel": "gretap"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    }
+]
+
+# gretap ip saddr . gretap ip daddr { 1.2.3.4 . 4.3.2.1 }
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip",
+                            "tunnel": "gretap"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip",
+                            "tunnel": "gretap"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "1.2.3.4",
+                            "4.3.2.1"
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/inet/gretap.t.payload b/tests/py/inet/gretap.t.payload
new file mode 100644
index 0000000..654c71e
--- /dev/null
+++ b/tests/py/inet/gretap.t.payload
@@ -0,0 +1,87 @@
+# gretap ip saddr 10.141.11.2
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000002f ]
+  [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 4 hdrsize 4 flags e [ payload load 4b @ network header + 12 => reg 1 ] ]
+  [ cmp eq reg 1 0x020b8d0a ]
+
+# gretap ip saddr 10.141.11.0/24
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000002f ]
+  [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 4 hdrsize 4 flags e [ payload load 3b @ network header + 12 => reg 1 ] ]
+  [ cmp eq reg 1 0x000b8d0a ]
+
+# gretap ip protocol 1
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000002f ]
+  [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 4 hdrsize 4 flags e [ payload load 1b @ network header + 9 => reg 1 ] ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# gretap udp sport 8888
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000002f ]
+  [ inner type 4 hdrsize 4 flags e [ meta load l4proto => reg 1 ] ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ inner type 4 hdrsize 4 flags e [ payload load 2b @ transport header + 0 => reg 1 ] ]
+  [ cmp eq reg 1 0x0000b822 ]
+
+# gretap icmp type echo-reply
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000002f ]
+  [ inner type 4 hdrsize 4 flags e [ payload load 2b @ link header + 12 => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 4 hdrsize 4 flags e [ meta load l4proto => reg 1 ] ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ inner type 4 hdrsize 4 flags e [ payload load 1b @ transport header + 0 => reg 1 ] ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# gretap ether saddr 62:87:4d:d6:19:05
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000002f ]
+  [ inner type 4 hdrsize 4 flags e [ payload load 6b @ link header + 6 => reg 1 ] ]
+  [ cmp eq reg 1 0xd64d8762 0x00000519 ]
+
+# gretap vlan id 10
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000002f ]
+  [ inner type 4 hdrsize 4 flags e [ payload load 2b @ link header + 12 => reg 1 ] ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ inner type 4 hdrsize 4 flags e [ payload load 2b @ link header + 14 => reg 1 ] ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000a00 ]
+
+# gretap ip dscp 0x02
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000002f ]
+  [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 4 hdrsize 4 flags e [ payload load 1b @ network header + 1 => reg 1 ] ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# gretap ip saddr . gretap ip daddr { 1.2.3.4 . 4.3.2.1 }
+__set%d test-ip4 3 size 1
+__set%d test-ip4 0
+	element 04030201 01020304  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000002f ]
+  [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 4 hdrsize 4 flags e [ payload load 4b @ network header + 12 => reg 1 ] ]
+  [ inner type 4 hdrsize 4 flags e [ payload load 4b @ network header + 16 => reg 9 ] ]
+  [ lookup reg 1 set __set%d ]
+
diff --git a/tests/py/inet/icmp.t b/tests/py/inet/icmp.t
new file mode 100644
index 0000000..9014f84
--- /dev/null
+++ b/tests/py/inet/icmp.t
@@ -0,0 +1,18 @@
+:output;type filter hook output priority 0
+
+*inet;test-inet;output
+
+# without nfproto specified, these should add an implicit dependency on
+# the likely l3 proto (i.e., IPv6 for icmpv6 and IPv4 for icmp)
+
+icmp type echo-request;ok
+icmpv6 type echo-request;ok
+
+# make sure only those nfproto matches are dropped if
+# the next statement would add it as a dependency anyway
+
+meta nfproto ipv4 icmp type echo-request;ok;icmp type echo-request
+meta nfproto ipv4 icmpv6 type echo-request;ok
+
+meta nfproto ipv6 icmp type echo-request;ok
+meta nfproto ipv6 icmpv6 type echo-request;ok;icmpv6 type echo-request
diff --git a/tests/py/inet/icmp.t.json b/tests/py/inet/icmp.t.json
new file mode 100644
index 0000000..64be2b3
--- /dev/null
+++ b/tests/py/inet/icmp.t.json
@@ -0,0 +1,124 @@
+# icmp type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# icmpv6 type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# meta nfproto ipv4 icmp type echo-request
+[
+    {
+        "match": {
+            "left": { "meta": { "key": "nfproto" } },
+	    "op": "==",
+            "right": "ipv4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# meta nfproto ipv4 icmpv6 type echo-request
+[
+    {
+        "match": {
+            "left": { "meta": { "key": "nfproto" } },
+	    "op": "==",
+            "right": "ipv4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# meta nfproto ipv6 icmp type echo-request
+[
+    {
+        "match": {
+            "left": { "meta": { "key": "nfproto" } },
+	    "op": "==",
+            "right": "ipv6"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# meta nfproto ipv6 icmpv6 type echo-request
+[
+    {
+        "match": {
+            "left": { "meta": { "key": "nfproto" } },
+	    "op": "==",
+            "right": "ipv6"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
diff --git a/tests/py/inet/icmp.t.json.output b/tests/py/inet/icmp.t.json.output
new file mode 100644
index 0000000..062c82f
--- /dev/null
+++ b/tests/py/inet/icmp.t.json.output
@@ -0,0 +1,32 @@
+# meta nfproto ipv4 icmp type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# meta nfproto ipv6 icmpv6 type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
diff --git a/tests/py/inet/icmp.t.payload b/tests/py/inet/icmp.t.payload
new file mode 100644
index 0000000..f98cfc3
--- /dev/null
+++ b/tests/py/inet/icmp.t.payload
@@ -0,0 +1,54 @@
+# icmp type echo-request
+inet test-inet output 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# icmpv6 type echo-request
+inet test-inet output 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000080 ]
+
+# meta nfproto ipv4 icmp type echo-request
+inet test-inet output 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# meta nfproto ipv4 icmpv6 type echo-request
+inet test-inet output 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000080 ]
+
+# meta nfproto ipv6 icmp type echo-request
+inet test-inet output 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# meta nfproto ipv6 icmpv6 type echo-request
+inet test-inet output 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000080 ]
+
diff --git a/tests/py/inet/icmpX.t b/tests/py/inet/icmpX.t
new file mode 100644
index 0000000..9430b3d
--- /dev/null
+++ b/tests/py/inet/icmpX.t
@@ -0,0 +1,10 @@
+:input;type filter hook input priority 0
+
+*inet;test-inet;input
+
+ip protocol icmp icmp type echo-request;ok;ip protocol 1 icmp type echo-request
+icmp type echo-request;ok
+ip6 nexthdr icmpv6 icmpv6 type echo-request;ok;ip6 nexthdr 58 icmpv6 type echo-request
+icmpv6 type echo-request;ok
+# must not remove 'ip protocol' dependency, this explicitly matches icmpv6-in-ipv4.
+ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1;ok;ip protocol 58 icmpv6 type destination-unreachable
diff --git a/tests/py/inet/icmpX.t.json b/tests/py/inet/icmpX.t.json
new file mode 100644
index 0000000..8e13091
--- /dev/null
+++ b/tests/py/inet/icmpX.t.json
@@ -0,0 +1,125 @@
+# ip protocol icmp icmp type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "icmp"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# icmp type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# ip6 nexthdr icmpv6 icmpv6 type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "icmpv6"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# icmpv6 type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "ipv6-icmp"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+	    "op": "==",
+            "right": "ipv6-icmp"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    }
+]
+
diff --git a/tests/py/inet/icmpX.t.json.output b/tests/py/inet/icmpX.t.json.output
new file mode 100644
index 0000000..7765cd9
--- /dev/null
+++ b/tests/py/inet/icmpX.t.json.output
@@ -0,0 +1,84 @@
+# ip protocol icmp icmp type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# ip6 nexthdr icmpv6 icmpv6 type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": 58
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 58
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "destination-unreachable"
+        }
+    }
+]
+
diff --git a/tests/py/inet/icmpX.t.payload b/tests/py/inet/icmpX.t.payload
new file mode 100644
index 0000000..9a761ee
--- /dev/null
+++ b/tests/py/inet/icmpX.t.payload
@@ -0,0 +1,46 @@
+# ip protocol icmp icmp type echo-request
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# icmp type echo-request
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# ip6 nexthdr icmpv6 icmpv6 type echo-request
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000080 ]
+
+# icmpv6 type echo-request
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000080 ]
+
+# ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1
+inet filter input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
diff --git a/tests/py/inet/ip.t b/tests/py/inet/ip.t
new file mode 100644
index 0000000..bdb3330
--- /dev/null
+++ b/tests/py/inet/ip.t
@@ -0,0 +1,12 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*inet;test-inet;input
+*bridge;test-bridge;input
+*netdev;test-netdev;ingress,egress
+
+ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe };ok
+ip saddr vmap { 10.0.1.0-10.0.1.255 : accept, 10.0.1.1-10.0.2.255 : drop };fail
+ip saddr vmap { 3.3.3.3-3.3.3.4 : accept, 1.1.1.1-1.1.1.255 : accept, 1.1.1.0-1.1.2.1 : drop};fail
diff --git a/tests/py/inet/ip.t.json b/tests/py/inet/ip.t.json
new file mode 100644
index 0000000..638fb7d
--- /dev/null
+++ b/tests/py/inet/ip.t.json
@@ -0,0 +1,42 @@
+# ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe }
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ether"
+                        }
+                    }
+                ]
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "1.1.1.1",
+                            "2.2.2.2",
+                            "ca:fe:ca:fe:ca:fe"
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/inet/ip.t.payload b/tests/py/inet/ip.t.payload
new file mode 100644
index 0000000..589a5cd
--- /dev/null
+++ b/tests/py/inet/ip.t.payload
@@ -0,0 +1,11 @@
+# ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 01010101 02020202 fecafeca 0000feca  : 0 [end]
+inet test-ip input
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ payload load 6b @ link header + 6 => reg 10 ]
+  [ lookup reg 1 set __set%d ]
diff --git a/tests/py/inet/ip.t.payload.bridge b/tests/py/inet/ip.t.payload.bridge
new file mode 100644
index 0000000..57dbc9e
--- /dev/null
+++ b/tests/py/inet/ip.t.payload.bridge
@@ -0,0 +1,11 @@
+# ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe }
+__set%d test-bridge 3
+__set%d test-bridge 0
+	element 01010101 02020202 fecafeca 0000feca  : 0 [end]
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ payload load 6b @ link header + 6 => reg 10 ]
+  [ lookup reg 1 set __set%d ]
diff --git a/tests/py/inet/ip.t.payload.inet b/tests/py/inet/ip.t.payload.inet
new file mode 100644
index 0000000..8df41de
--- /dev/null
+++ b/tests/py/inet/ip.t.payload.inet
@@ -0,0 +1,14 @@
+# ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 01010101 02020202 fecafeca 0000feca  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ payload load 6b @ link header + 6 => reg 10 ]
+  [ lookup reg 1 set __set%d ]
+
diff --git a/tests/py/inet/ip.t.payload.netdev b/tests/py/inet/ip.t.payload.netdev
new file mode 100644
index 0000000..95be919
--- /dev/null
+++ b/tests/py/inet/ip.t.payload.netdev
@@ -0,0 +1,14 @@
+# ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe }
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 01010101 02020202 fecafeca 0000feca  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ payload load 6b @ link header + 6 => reg 10 ]
+  [ lookup reg 1 set __set%d ]
+
diff --git a/tests/py/inet/ip_tcp.t b/tests/py/inet/ip_tcp.t
new file mode 100644
index 0000000..03bafc0
--- /dev/null
+++ b/tests/py/inet/ip_tcp.t
@@ -0,0 +1,21 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*inet;test-inet;input
+*bridge;test-bridge;input
+*netdev;test-netdev;ingress,egress
+
+# must not remove ip dependency -- ONLY ipv4 packets should be matched
+ip protocol tcp tcp dport 22;ok;ip protocol 6 tcp dport 22
+
+# could in principle remove it here since ipv4 is implied via saddr.
+ip protocol tcp ip saddr 1.2.3.4 tcp dport 22;ok;ip protocol 6 ip saddr 1.2.3.4 tcp dport 22
+
+# but not here.
+ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22;ok;ip protocol 6 counter ip saddr 1.2.3.4 tcp dport 22
+
+# or here.
+ip protocol tcp counter tcp dport 22;ok;ip protocol 6 counter tcp dport 22
+
+ether type ip tcp dport 22;ok
diff --git a/tests/py/inet/ip_tcp.t.json b/tests/py/inet/ip_tcp.t.json
new file mode 100644
index 0000000..87cb9bf
--- /dev/null
+++ b/tests/py/inet/ip_tcp.t.json
@@ -0,0 +1,170 @@
+# ip protocol tcp tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "tcp"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# ip protocol tcp ip saddr 1.2.3.4 tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "tcp"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "tcp"
+        }
+    },
+    {
+        "counter": null
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# ip protocol tcp counter tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "tcp"
+        }
+    },
+    {
+        "counter": null
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# ether type ip tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "ip"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
diff --git a/tests/py/inet/ip_tcp.t.json.output b/tests/py/inet/ip_tcp.t.json.output
new file mode 100644
index 0000000..acad8b1
--- /dev/null
+++ b/tests/py/inet/ip_tcp.t.json.output
@@ -0,0 +1,142 @@
+# ip protocol tcp tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# ip protocol tcp ip saddr 1.2.3.4 tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "counter": null
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# ip protocol tcp counter tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "counter": null
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
diff --git a/tests/py/inet/ip_tcp.t.payload b/tests/py/inet/ip_tcp.t.payload
new file mode 100644
index 0000000..1e16f85
--- /dev/null
+++ b/tests/py/inet/ip_tcp.t.payload
@@ -0,0 +1,52 @@
+# ip protocol tcp tcp dport 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp ip saddr 1.2.3.4 tcp dport 22
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ counter pkts 0 bytes 0 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp counter tcp dport 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ counter pkts 0 bytes 0 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ether type ip tcp dport 22
+inet test-inet input
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
diff --git a/tests/py/inet/ip_tcp.t.payload.bridge b/tests/py/inet/ip_tcp.t.payload.bridge
new file mode 100644
index 0000000..0344cd6
--- /dev/null
+++ b/tests/py/inet/ip_tcp.t.payload.bridge
@@ -0,0 +1,51 @@
+# ip protocol tcp tcp dport 22
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp ip saddr 1.2.3.4 tcp dport 22
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ counter pkts 0 bytes 0 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp counter tcp dport 22
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ counter pkts 0 bytes 0 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ether type ip tcp dport 22
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
diff --git a/tests/py/inet/ip_tcp.t.payload.netdev b/tests/py/inet/ip_tcp.t.payload.netdev
new file mode 100644
index 0000000..915a787
--- /dev/null
+++ b/tests/py/inet/ip_tcp.t.payload.netdev
@@ -0,0 +1,53 @@
+# ip protocol tcp tcp dport 22
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp ip saddr 1.2.3.4 tcp dport 22
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ counter pkts 0 bytes 0 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp counter tcp dport 22
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ counter pkts 0 bytes 0 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ether type ip tcp dport 22
+netdev test-netdev ingress
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
diff --git a/tests/py/inet/ipsec.t b/tests/py/inet/ipsec.t
new file mode 100644
index 0000000..b18df39
--- /dev/null
+++ b/tests/py/inet/ipsec.t
@@ -0,0 +1,23 @@
+:ipsec-forw;type filter hook forward priority 0
+
+*ip;ipsec-ip4;ipsec-forw
+*ip6;ipsec-ip6;ipsec-forw
+*inet;ipsec-inet;ipsec-forw
+
+ipsec in reqid 1;ok
+ipsec in spnum 0 reqid 1;ok;ipsec in reqid 1
+
+ipsec out reqid 0xffffffff;ok;ipsec out reqid 4294967295
+ipsec out spnum 0x100000000;fail
+
+ipsec i reqid 1;fail
+
+ipsec out spi 1-561;ok
+
+ipsec in spnum 2 ip saddr { 1.2.3.4, 10.6.0.0/16 };ok
+ipsec in ip6 daddr dead::beef;ok
+ipsec out ip6 saddr dead::feed;ok
+
+ipsec in spnum 256 reqid 1;fail
+
+counter ipsec out ip daddr 192.168.1.2;ok
diff --git a/tests/py/inet/ipsec.t.json b/tests/py/inet/ipsec.t.json
new file mode 100644
index 0000000..18a64f3
--- /dev/null
+++ b/tests/py/inet/ipsec.t.json
@@ -0,0 +1,157 @@
+# ipsec in reqid 1
+[
+    {
+        "match": {
+            "left": {
+                "ipsec": {
+                    "dir": "in",
+                    "key": "reqid",
+                    "spnum": 0
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# ipsec in spnum 0 reqid 1
+[
+    {
+        "match": {
+            "left": {
+                "ipsec": {
+                    "dir": "in",
+                    "key": "reqid",
+                    "spnum": 0
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# ipsec out reqid 0xffffffff
+[
+    {
+        "match": {
+            "left": {
+                "ipsec": {
+                    "dir": "out",
+                    "key": "reqid",
+                    "spnum": 0
+                }
+            },
+            "op": "==",
+            "right": 4294967295
+        }
+    }
+]
+
+# ipsec out spi 1-561
+[
+    {
+        "match": {
+            "left": {
+                "ipsec": {
+                    "dir": "out",
+                    "key": "spi",
+                    "spnum": 0
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [
+                    1,
+                    561
+                ]
+            }
+        }
+    }
+]
+
+# ipsec in spnum 2 ip saddr { 1.2.3.4, 10.6.0.0/16 }
+[
+    {
+        "match": {
+            "left": {
+                "ipsec": {
+                    "dir": "in",
+                    "family": "ip",
+                    "key": "saddr",
+                    "spnum": 2
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "1.2.3.4",
+                    {
+                        "prefix": {
+                            "addr": "10.6.0.0",
+                            "len": 16
+                        }
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# ipsec in ip6 daddr dead::beef
+[
+    {
+        "match": {
+            "left": {
+                "ipsec": {
+                    "dir": "in",
+                    "family": "ip6",
+                    "key": "daddr",
+                    "spnum": 0
+                }
+            },
+            "op": "==",
+            "right": "dead::beef"
+        }
+    }
+]
+
+# ipsec out ip6 saddr dead::feed
+[
+    {
+        "match": {
+            "left": {
+                "ipsec": {
+                    "dir": "out",
+                    "family": "ip6",
+                    "key": "saddr",
+                    "spnum": 0
+                }
+            },
+            "op": "==",
+            "right": "dead::feed"
+        }
+    }
+]
+
+# counter ipsec out ip daddr 192.168.1.2
+[
+    {
+        "counter": null
+    },
+    {
+        "match": {
+            "left": {
+                "ipsec": {
+                    "dir": "out",
+                    "family": "ip",
+                    "key": "daddr",
+                    "spnum": 0
+                }
+            },
+            "op": "==",
+            "right": "192.168.1.2"
+        }
+    }
+]
diff --git a/tests/py/inet/ipsec.t.payload b/tests/py/inet/ipsec.t.payload
new file mode 100644
index 0000000..9648255
--- /dev/null
+++ b/tests/py/inet/ipsec.t.payload
@@ -0,0 +1,45 @@
+# ipsec in reqid 1
+ip ipsec-ip4 ipsec-input
+  [ xfrm load in 0 reqid => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# ipsec in spnum 0 reqid 1
+ip ipsec-ip4 ipsec-input
+  [ xfrm load in 0 reqid => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# ipsec out reqid 0xffffffff
+ip ipsec-ip4 ipsec-input
+  [ xfrm load out 0 reqid => reg 1 ]
+  [ cmp eq reg 1 0xffffffff ]
+
+# ipsec out spi 1-561
+inet ipsec-inet ipsec-post
+  [ xfrm load out 0 spi => reg 1 ]
+  [ cmp gte reg 1 0x01000000 ]
+  [ cmp lte reg 1 0x31020000 ]
+
+# ipsec in spnum 2 ip saddr { 1.2.3.4, 10.6.0.0/16 }
+__set%d ipsec-ip4 7 size 5
+__set%d ipsec-ip4 0
+        element 00000000  : 1 [end]     element 04030201  : 0 [end]     element 05030201  : 1 [end]     element 0000060a  : 0 [end]     element 0000070a  : 1 [end]
+ip ipsec-ip4 ipsec-input
+  [ xfrm load in 2 saddr4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ipsec in ip6 daddr dead::beef
+ip ipsec-ip4 ipsec-forw
+  [ xfrm load in 0 daddr6 => reg 1 ]
+  [ cmp eq reg 1 0x0000adde 0x00000000 0x00000000 0xefbe0000 ]
+
+# ipsec out ip6 saddr dead::feed
+ip ipsec-ip4 ipsec-forw
+  [ xfrm load out 0 saddr6 => reg 1 ]
+  [ cmp eq reg 1 0x0000adde 0x00000000 0x00000000 0xedfe0000 ]
+
+# counter ipsec out ip daddr 192.168.1.2
+ip ipsec-ip4 ipsec-forw
+  [ counter pkts 0 bytes 0 ]
+  [ xfrm load out 0 daddr4 => reg 1 ]
+  [ cmp eq reg 1 0x0201a8c0 ]
+
diff --git a/tests/py/inet/map.t b/tests/py/inet/map.t
new file mode 100644
index 0000000..5a7161b
--- /dev/null
+++ b/tests/py/inet/map.t
@@ -0,0 +1,10 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017};ok;meta mark set ip saddr map { 10.2.3.1 : 0x00000017, 10.2.3.2 : 0x0000002a}
+mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001};ok;meta mark set ip hdrlength map { 4 : 0x00000001, 5 : 0x00000017}
diff --git a/tests/py/inet/map.t.json b/tests/py/inet/map.t.json
new file mode 100644
index 0000000..1cb28e0
--- /dev/null
+++ b/tests/py/inet/map.t.json
@@ -0,0 +1,66 @@
+# mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017}
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": {
+                "map": {
+                    "key": {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                "10.2.3.2",
+                                "0x0000002a"
+                            ],
+                            [
+                                "10.2.3.1",
+                                "0x00000017"
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
+# mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001}
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": {
+                "map": {
+                    "key": {
+                        "payload": {
+                            "field": "hdrlength",
+                            "protocol": "ip"
+                        }
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                5,
+                                "0x00000017"
+                            ],
+                            [
+                                4,
+                                "0x00000001"
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
diff --git a/tests/py/inet/map.t.json.output b/tests/py/inet/map.t.json.output
new file mode 100644
index 0000000..b0bb7dd
--- /dev/null
+++ b/tests/py/inet/map.t.json.output
@@ -0,0 +1,66 @@
+# mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017}
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": {
+                "map": {
+                    "key": {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                "10.2.3.1",
+                                23
+                            ],
+                            [
+                                "10.2.3.2",
+                                42
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
+# mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001}
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": {
+                "map": {
+                    "key": {
+                        "payload": {
+                            "field": "hdrlength",
+                            "protocol": "ip"
+                        }
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                4,
+                                1
+                            ],
+                            [
+                                5,
+                                23
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
diff --git a/tests/py/inet/map.t.payload b/tests/py/inet/map.t.payload
new file mode 100644
index 0000000..50344ad
--- /dev/null
+++ b/tests/py/inet/map.t.payload
@@ -0,0 +1,23 @@
+# mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017}
+__map%d test-inet b
+__map%d test-inet 0
+	element 0203020a  : 0000002a 0 [end]	element 0103020a  : 00000017 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ meta set mark with reg 1 ]
+
+# mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001}
+__map%d test-inet b
+__map%d test-inet 0
+	element 00000005  : 00000017 0 [end]	element 00000004  : 00000001 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ meta set mark with reg 1 ]
+
diff --git a/tests/py/inet/map.t.payload.ip b/tests/py/inet/map.t.payload.ip
new file mode 100644
index 0000000..3e45667
--- /dev/null
+++ b/tests/py/inet/map.t.payload.ip
@@ -0,0 +1,19 @@
+# mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017}
+__map%d test-ip4 b
+__map%d test-ip4 0
+	element 0203020a  : 0000002a 0 [end]	element 0103020a  : 00000017 0 [end]
+ip test-ip4 input 
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ meta set mark with reg 1 ]
+
+# mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001}
+__map%d test-ip4 b
+__map%d test-ip4 0
+	element 00000005  : 00000017 0 [end]	element 00000004  : 00000001 0 [end]
+ip test-ip4 input 
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ meta set mark with reg 1 ]
+
diff --git a/tests/py/inet/map.t.payload.netdev b/tests/py/inet/map.t.payload.netdev
new file mode 100644
index 0000000..2e60f09
--- /dev/null
+++ b/tests/py/inet/map.t.payload.netdev
@@ -0,0 +1,23 @@
+# mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 0203020a  : 0000002a 0 [end]	element 0103020a  : 00000017 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ meta set mark with reg 1 ]
+
+# mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 00000005  : 00000017 0 [end]	element 00000004  : 00000001 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ meta set mark with reg 1 ]
+
diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t
new file mode 100644
index 0000000..5c062b3
--- /dev/null
+++ b/tests/py/inet/meta.t
@@ -0,0 +1,32 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+
+*inet;test-inet;input
+
+meta nfproto ipv4;ok
+meta nfproto ipv6;ok
+meta nfproto {ipv4, ipv6};ok
+meta nfproto != {ipv4, ipv6};ok
+meta nfproto ipv6 tcp dport 22;ok
+meta nfproto ipv4 tcp dport 22;ok
+meta nfproto ipv4 ip saddr 1.2.3.4;ok;ip saddr 1.2.3.4
+meta nfproto ipv6 meta l4proto tcp;ok;meta nfproto ipv6 meta l4proto 6
+meta nfproto ipv4 counter ip saddr 1.2.3.4;ok
+
+meta protocol ip udp dport 67;ok
+meta protocol ip6 udp dport 67;ok
+
+meta ipsec exists;ok
+meta secpath missing;ok;meta ipsec missing
+meta ibrname "br0";fail
+meta obrname "br0";fail
+meta mark set ct mark >> 8;ok
+
+meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok
+ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 };ok
+ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 };ok
+
+meta mark set ip dscp;ok
+meta mark set ip dscp | 0x40;ok
+meta mark set ip6 dscp;ok
+meta mark set ip6 dscp | 0x40;ok
diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json
new file mode 100644
index 0000000..3ba0fd1
--- /dev/null
+++ b/tests/py/inet/meta.t.json
@@ -0,0 +1,528 @@
+# meta nfproto ipv4
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "nfproto" }
+            },
+	    "op": "==",
+            "right": "ipv4"
+        }
+    }
+]
+
+# meta nfproto ipv6
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "nfproto" }
+            },
+	    "op": "==",
+            "right": "ipv6"
+        }
+    }
+]
+
+# meta nfproto {ipv4, ipv6}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "nfproto" }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "ipv4",
+                    "ipv6"
+                ]
+            }
+        }
+    }
+]
+
+# meta nfproto != {ipv4, ipv6}
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "nfproto" }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "ipv4",
+                    "ipv6"
+                ]
+            }
+        }
+    }
+]
+
+# meta nfproto ipv6 tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "nfproto" }
+            },
+	    "op": "==",
+            "right": "ipv6"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# meta nfproto ipv4 tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "nfproto" }
+            },
+	    "op": "==",
+            "right": "ipv4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# meta nfproto ipv4 ip saddr 1.2.3.4
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "nfproto" }
+            },
+	    "op": "==",
+            "right": "ipv4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    }
+]
+
+# meta nfproto ipv6 meta l4proto tcp
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "nfproto" }
+            },
+	    "op": "==",
+            "right": "ipv6"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+	    "op": "==",
+            "right": "tcp"
+        }
+    }
+]
+
+# meta nfproto ipv4 counter ip saddr 1.2.3.4
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "nfproto" }
+            },
+	    "op": "==",
+            "right": "ipv4"
+        }
+    },
+    {
+        "counter": null
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    }
+]
+
+# meta ipsec exists
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "ipsec"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# meta secpath missing
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "secpath" }
+            },
+	    "op": "==",
+            "right": false
+        }
+    }
+]
+
+# meta mark set ct mark >> 8
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                ">>": [
+                    {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    },
+                    8
+                ]
+            }
+        }
+    }
+]
+
+# meta protocol ip udp dport 67
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "protocol"
+                }
+            },
+            "op": "==",
+            "right": "ip"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 67
+        }
+    }
+]
+
+# meta protocol ip6 udp dport 67
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "protocol"
+                }
+            },
+            "op": "==",
+            "right": "ip6"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 67
+        }
+    }
+]
+
+# meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 }
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "meta": {
+                            "key": "mark"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "dport",
+                            "protocol": "tcp"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            {
+                                "range": [
+                                    10,
+                                    20
+                                ]
+                            },
+                            {
+                                "range": [
+                                    80,
+                                    90
+                                ]
+                            }
+                        ]
+                    },
+                    {
+                        "concat": [
+                            {
+                                "range": [
+                                    1048576,
+                                    1048867
+                                ]
+                            },
+                            {
+                                "range": [
+                                    100,
+                                    120
+                                ]
+                            }
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 }
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    {
+                        "meta": {
+                            "key": "mark"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "1.2.3.4",
+                            256
+                        ]
+                    },
+                    {
+                        "concat": [
+                            {
+                                "range": [
+                                    "1.2.3.6",
+                                    "1.2.3.8"
+                                ]
+                            },
+                            {
+                                "range": [
+                                    512,
+                                    768
+                                ]
+                            }
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 }
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    {
+                        "meta": {
+                            "key": "mark"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "1.2.3.4",
+                            256
+                        ]
+                    },
+                    {
+                        "concat": [
+                            "5.6.7.8",
+                            512
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# meta mark set ip dscp
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip"
+                }
+            }
+        }
+    }
+]
+
+# meta mark set ip dscp | 0x40
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "payload": {
+                            "field": "dscp",
+                            "protocol": "ip"
+                        }
+                    },
+                    64
+                ]
+            }
+        }
+    }
+]
+
+# meta mark set ip6 dscp
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip6"
+                }
+            }
+        }
+    }
+]
+
+# meta mark set ip6 dscp | 0x40
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "payload": {
+                            "field": "dscp",
+                            "protocol": "ip6"
+                        }
+                    },
+                    64
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/inet/meta.t.json.got b/tests/py/inet/meta.t.json.got
new file mode 100644
index 0000000..f2fad0b
--- /dev/null
+++ b/tests/py/inet/meta.t.json.got
@@ -0,0 +1,86 @@
+# meta mark set ip dscp
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip"
+                }
+            }
+        }
+    }
+]
+
+# meta mark set ip dscp | 0x40
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "payload": {
+                            "field": "dscp",
+                            "protocol": "ip"
+                        }
+                    },
+                    64
+                ]
+            }
+        }
+    }
+]
+
+# meta mark set ip6 dscp
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip6"
+                }
+            }
+        }
+    }
+]
+
+# meta mark set ip6 dscp | 0x40
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "payload": {
+                            "field": "dscp",
+                            "protocol": "ip6"
+                        }
+                    },
+                    64
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/inet/meta.t.json.output b/tests/py/inet/meta.t.json.output
new file mode 100644
index 0000000..3e7dd21
--- /dev/null
+++ b/tests/py/inet/meta.t.json.output
@@ -0,0 +1,53 @@
+# meta nfproto ipv4 ip saddr 1.2.3.4
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    }
+]
+
+# meta nfproto ipv6 meta l4proto tcp
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "nfproto" }
+            },
+	    "op": "==",
+            "right": "ipv6"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+	    "op": "==",
+            "right": 6
+        }
+    }
+]
+
+# meta secpath missing
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "ipsec"
+                }
+            },
+            "op": "==",
+            "right": false
+        }
+    }
+]
+
diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload
new file mode 100644
index 0000000..c53b507
--- /dev/null
+++ b/tests/py/inet/meta.t.payload
@@ -0,0 +1,175 @@
+# meta nfproto ipv4
+ip test-ip4 input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+
+# meta nfproto ipv6
+ip test-ip4 input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+
+# meta nfproto {ipv4, ipv6}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000002  : 0 [end]	element 0000000a  : 0 [end]
+ip test-ip4 input
+  [ meta load nfproto => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta nfproto != {ipv4, ipv6}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000002  : 0 [end]	element 0000000a  : 0 [end]
+ip test-ip4 input
+  [ meta load nfproto => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta nfproto ipv6 tcp dport 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# meta nfproto ipv4 tcp dport 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# meta nfproto ipv4 ip saddr 1.2.3.4
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+
+# meta nfproto ipv6 meta l4proto tcp
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+
+# meta nfproto ipv4 counter ip saddr 1.2.3.4
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ counter pkts 0 bytes 0 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+
+# meta ipsec exists
+inet test-inet input
+  [ meta load secpath => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# meta secpath missing
+inet test-inet input
+  [ meta load secpath => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# meta mark set ct mark >> 8
+inet test-inet input
+  [ ct load mark => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000008 ) ]
+  [ meta set mark with reg 1 ]
+
+# meta protocol ip udp dport 67
+inet test-inet input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00004300 ]
+
+# meta protocol ip6 udp dport 67
+inet test-inet input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00004300 ]
+
+# meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 }
+__set%d test-inet 87 size 1
+__set%d test-inet 0
+	element 0a000000 00005000  - 14000000 00005a00  : 0 [end]       element 00001000 00006400  - 23011000 00007800  : 0 [end]
+ip test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ meta load mark => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ payload load 2b @ transport header + 2 => reg 9 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 }
+__set%d test-inet 87 size 2
+__set%d test-inet 0
+        element 04030201 00010000  - 04030201 00010000  : 0 [end]       element 06030201 00020000  - 08030201 00030000  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ meta load mark => reg 9 ]
+  [ byteorder reg 9 = hton(reg 9, 4, 4) ]
+  [ lookup reg 1 set __set%d ]
+
+# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 }
+__set%d test-inet 3 size 2
+__set%d test-inet 0
+        element 04030201 00000100  : 0 [end]    element 08070605 00000200  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ meta load mark => reg 9 ]
+  [ lookup reg 1 set __set%d ]
+
+# meta mark set ip dscp
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+  [ meta set mark with reg 1 ]
+
+# meta mark set ip dscp | 0x40
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+  [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
+  [ meta set mark with reg 1 ]
+
+# meta mark set ip6 dscp
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+  [ meta set mark with reg 1 ]
+
+# meta mark set ip6 dscp | 0x40
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+  [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
+  [ meta set mark with reg 1 ]
+
diff --git a/tests/py/inet/meta.t.payload.got b/tests/py/inet/meta.t.payload.got
new file mode 100644
index 0000000..be3f566
--- /dev/null
+++ b/tests/py/inet/meta.t.payload.got
@@ -0,0 +1,40 @@
+# meta mark set ip dscp
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+  [ meta set mark with reg 1 ]
+
+# meta mark set ip dscp | 0x40
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+  [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
+  [ meta set mark with reg 1 ]
+
+# meta mark set ip6 dscp
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+  [ meta set mark with reg 1 ]
+
+# meta mark set ip6 dscp | 0x40
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+  [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
+  [ meta set mark with reg 1 ]
+
diff --git a/tests/py/inet/osf.t b/tests/py/inet/osf.t
new file mode 100644
index 0000000..c828541
--- /dev/null
+++ b/tests/py/inet/osf.t
@@ -0,0 +1,18 @@
+:osfchain;type filter hook input priority 0
+
+*ip;osfip;osfchain
+*ip6;osfip6;osfchain
+*inet;osfinet;osfchain
+
+osf name "Linux";ok
+osf ttl loose name "Linux";ok
+osf ttl skip name "Linux";ok
+osf ttl skip version "Linux:3.0";ok
+osf ttl skip version "morethan:sixteenbytes";fail
+osf ttl nottl name "Linux";fail
+osf name "morethansixteenbytes";fail
+osf name ;fail
+osf name { "Windows", "MacOs" };ok
+osf version { "Windows:XP", "MacOs:Sierra" };ok
+ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 };ok
+ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 };ok
diff --git a/tests/py/inet/osf.t.json b/tests/py/inet/osf.t.json
new file mode 100644
index 0000000..cedb7f6
--- /dev/null
+++ b/tests/py/inet/osf.t.json
@@ -0,0 +1,170 @@
+# osf name "Linux"
+[
+    {
+        "match": {
+            "left": {
+                "osf": {
+                    "key": "name"
+                }
+            },
+            "op": "==",
+            "right": "Linux"
+        }
+    }
+]
+
+# osf ttl loose name "Linux"
+[
+    {
+        "match": {
+            "left": {
+                "osf": {
+                    "key": "name",
+                    "ttl": "loose"
+                }
+            },
+            "op": "==",
+            "right": "Linux"
+        }
+    }
+]
+
+# osf ttl skip name "Linux"
+[
+    {
+        "match": {
+            "left": {
+                "osf": {
+                    "key": "name",
+                    "ttl": "skip"
+                }
+            },
+            "op": "==",
+            "right": "Linux"
+        }
+    }
+]
+
+# osf ttl skip version "Linux:3.0"
+[
+    {
+        "match": {
+            "left": {
+                "osf": {
+                    "key": "version",
+                    "ttl": "skip"
+                }
+            },
+            "op": "==",
+            "right": "Linux:3.0"
+        }
+    }
+]
+
+# osf name { "Windows", "MacOs" }
+[
+    {
+        "match": {
+            "left": {
+                "osf": {
+                    "key": "name"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "MacOs",
+                    "Windows"
+                ]
+            }
+        }
+    }
+]
+
+# osf version { "Windows:XP", "MacOs:Sierra" }
+[
+    {
+        "match": {
+            "left": {
+                "osf": {
+                    "key": "version"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "Windows:XP",
+                    "MacOs:Sierra"
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 }
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                "MacOs",
+                                2
+                            ],
+                            [
+                                "Windows",
+                                1
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "osf": {
+                            "key": "name"
+                        }
+                    }
+                }
+            }
+        }
+    }
+]
+
+# ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 }
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                "Windows:XP",
+                                3
+                            ],
+                            [
+                                "MacOs:Sierra",
+                                4
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "osf": {
+                            "key": "version"
+                        }
+                    }
+                }
+            }
+        }
+    }
+]
diff --git a/tests/py/inet/osf.t.payload b/tests/py/inet/osf.t.payload
new file mode 100644
index 0000000..6ddab97
--- /dev/null
+++ b/tests/py/inet/osf.t.payload
@@ -0,0 +1,53 @@
+# osf name "Linux"
+inet osfinet osfchain
+  [ osf dreg 1 ]
+  [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ]
+
+# osf ttl loose name "Linux"
+inet osfinet osfchain
+  [ osf dreg 1 ]
+  [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ]
+
+# osf ttl skip name "Linux"
+inet osfinet osfchain
+  [ osf dreg 1 ]
+  [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ]
+
+# osf ttl skip version "Linux:3.0"
+inet osfinet osfchain
+  [ osf dreg 1 ]
+  [ cmp eq reg 1 0x756e694c 0x2e333a78 0x00000030 0x00000000 ]
+
+# osf name { "Windows", "MacOs" }
+__set%d osfinet 3 size 2
+__set%d osfinet 0
+	element 646e6957 0073776f 00000000 00000000  : 0 [end]	element 4f63614d 00000073 00000000 00000000  : 0 [end]
+inet osfinet osfchain
+  [ osf dreg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# osf version { "Windows:XP", "MacOs:Sierra" }
+__set%d osfinet 3 size 2
+__set%d osfinet 0
+	element 646e6957 3a73776f 00005058 00000000  : 0 [end]	element 4f63614d 69533a73 61727265 00000000  : 0 [end]
+inet osfinet osfchain
+  [ osf dreg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 }
+__map%d osfinet b size 2
+__map%d osfinet 0
+	element 646e6957 0073776f 00000000 00000000  : 00000001 0 [end]	element 4f63614d 00000073 00000000 00000000  : 00000002 0 [end]
+inet osfinet osfchain
+  [ osf dreg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 }
+__map%d osfinet b size 2
+__map%d osfinet 0
+	element 646e6957 3a73776f 00005058 00000000  : 00000003 0 [end]	element 4f63614d 69533a73 61727265 00000000  : 00000004 0 [end]
+inet osfinet osfchain
+  [ osf dreg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ ct set mark with reg 1 ]
diff --git a/tests/py/inet/reject.t b/tests/py/inet/reject.t
new file mode 100644
index 0000000..61a6d55
--- /dev/null
+++ b/tests/py/inet/reject.t
@@ -0,0 +1,41 @@
+:input;type filter hook input priority 0
+
+*inet;test-inet;input
+
+reject with icmp host-unreachable;ok
+reject with icmp net-unreachable;ok
+reject with icmp prot-unreachable;ok
+reject with icmp port-unreachable;ok
+reject with icmp net-prohibited;ok
+reject with icmp host-prohibited;ok
+reject with icmp admin-prohibited;ok
+
+reject with icmpv6 no-route;ok
+reject with icmpv6 admin-prohibited;ok
+reject with icmpv6 addr-unreachable;ok
+reject with icmpv6 port-unreachable;ok
+
+mark 12345 reject with tcp reset;ok;meta l4proto 6 meta mark 0x00003039 reject with tcp reset
+
+reject;ok
+meta nfproto ipv4 reject;ok;reject with icmp port-unreachable
+meta nfproto ipv6 reject;ok;reject with icmpv6 port-unreachable
+
+reject with icmpx host-unreachable;ok
+reject with icmpx no-route;ok
+reject with icmpx admin-prohibited;ok
+reject with icmpx port-unreachable;ok;reject
+reject with icmpx 3;ok;reject with icmpx admin-prohibited
+
+meta nfproto ipv4 reject with icmp host-unreachable;ok;reject with icmp host-unreachable
+meta nfproto ipv6 reject with icmpv6 no-route;ok;reject with icmpv6 no-route
+
+meta nfproto ipv6 reject with icmp host-unreachable;fail
+meta nfproto ipv4 ip protocol icmp reject with icmpv6 no-route;fail
+meta nfproto ipv6 ip protocol icmp reject with icmp host-unreachable;fail
+meta l4proto udp reject with tcp reset;fail
+
+meta nfproto ipv4 reject with icmpx admin-prohibited;ok
+meta nfproto ipv6 reject with icmpx admin-prohibited;ok
+
+ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject;ok;ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject with icmp port-unreachable
diff --git a/tests/py/inet/reject.t.json b/tests/py/inet/reject.t.json
new file mode 100644
index 0000000..02ac900
--- /dev/null
+++ b/tests/py/inet/reject.t.json
@@ -0,0 +1,331 @@
+# reject with icmp host-unreachable
+[
+    {
+        "reject": {
+            "expr": "host-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp net-unreachable
+[
+    {
+        "reject": {
+            "expr": "net-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp prot-unreachable
+[
+    {
+        "reject": {
+            "expr": "prot-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp port-unreachable
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp net-prohibited
+[
+    {
+        "reject": {
+            "expr": "net-prohibited",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp host-prohibited
+[
+    {
+        "reject": {
+            "expr": "host-prohibited",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp admin-prohibited
+[
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmpv6 no-route
+[
+    {
+        "reject": {
+            "expr": "no-route",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 admin-prohibited
+[
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 addr-unreachable
+[
+    {
+        "reject": {
+            "expr": "addr-unreachable",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 port-unreachable
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# mark 12345 reject with tcp reset
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "mark" }
+            },
+	    "op": "==",
+            "right": 12345
+        }
+    },
+    {
+        "reject": {
+            "type": "tcp reset"
+        }
+    }
+]
+
+# reject
+[
+    {
+        "reject": null
+    }
+]
+
+# meta nfproto ipv4 reject
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "nfproto" }
+            },
+	    "op": "==",
+            "right": "ipv4"
+        }
+    },
+    {
+        "reject": null
+    }
+]
+
+# meta nfproto ipv6 reject
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "nfproto" }
+            },
+	    "op": "==",
+            "right": "ipv6"
+        }
+    },
+    {
+        "reject": null
+    }
+]
+
+# reject with icmpx host-unreachable
+[
+    {
+        "reject": {
+            "expr": "host-unreachable",
+            "type": "icmpx"
+        }
+    }
+]
+
+# reject with icmpx no-route
+[
+    {
+        "reject": {
+            "expr": "no-route",
+            "type": "icmpx"
+        }
+    }
+]
+
+# reject with icmpx admin-prohibited
+[
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
+
+# reject with icmpx port-unreachable
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmpx"
+        }
+    }
+]
+
+# reject with icmpx 3
+[
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
+
+# meta nfproto ipv4 reject with icmp host-unreachable
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "nfproto" }
+            },
+	    "op": "==",
+            "right": "ipv4"
+        }
+    },
+    {
+        "reject": {
+            "expr": "host-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# meta nfproto ipv6 reject with icmpv6 no-route
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "nfproto" }
+            },
+	    "op": "==",
+            "right": "ipv6"
+        }
+    },
+    {
+        "reject": {
+            "expr": "no-route",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# meta nfproto ipv4 reject with icmpx admin-prohibited
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "nfproto"
+                }
+            },
+            "op": "==",
+            "right": "ipv4"
+        }
+    },
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
+
+# meta nfproto ipv6 reject with icmpx admin-prohibited
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "nfproto"
+                }
+            },
+            "op": "==",
+            "right": "ipv6"
+        }
+    },
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
+
+# ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "aa:bb:cc:dd:ee:ff"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": "192.168.0.1"
+        }
+    },
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
diff --git a/tests/py/inet/reject.t.json.output b/tests/py/inet/reject.t.json.output
new file mode 100644
index 0000000..496ce55
--- /dev/null
+++ b/tests/py/inet/reject.t.json.output
@@ -0,0 +1,77 @@
+# mark 12345 reject with tcp reset
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+	    "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "mark" }
+            },
+	    "op": "==",
+            "right": 12345
+        }
+    },
+    {
+        "reject": {
+            "type": "tcp reset"
+        }
+    }
+]
+
+# reject
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmpx"
+        }
+    }
+]
+
+# meta nfproto ipv4 reject
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# meta nfproto ipv6 reject
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# meta nfproto ipv4 reject with icmp host-unreachable
+[
+    {
+        "reject": {
+            "expr": "host-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# meta nfproto ipv6 reject with icmpv6 no-route
+[
+    {
+        "reject": {
+            "expr": "no-route",
+            "type": "icmpv6"
+        }
+    }
+]
+
diff --git a/tests/py/inet/reject.t.payload.inet b/tests/py/inet/reject.t.payload.inet
new file mode 100644
index 0000000..828cb83
--- /dev/null
+++ b/tests/py/inet/reject.t.payload.inet
@@ -0,0 +1,144 @@
+# reject with icmp host-unreachable
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ reject type 0 code 1 ]
+
+# reject with icmp net-unreachable
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ reject type 0 code 0 ]
+
+# reject with icmp prot-unreachable
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ reject type 0 code 2 ]
+
+# reject with icmp port-unreachable
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ reject type 0 code 3 ]
+
+# reject with icmp net-prohibited
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ reject type 0 code 9 ]
+
+# reject with icmp host-prohibited
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ reject type 0 code 10 ]
+
+# reject with icmp admin-prohibited
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ reject type 0 code 13 ]
+
+# reject with icmpv6 no-route
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ reject type 0 code 0 ]
+
+# reject with icmpv6 admin-prohibited
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ reject type 0 code 1 ]
+
+# reject with icmpv6 addr-unreachable
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ reject type 0 code 3 ]
+
+# reject with icmpv6 port-unreachable
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ reject type 0 code 4 ]
+
+# mark 12345 reject with tcp reset
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ meta load mark => reg 1 ]
+  [ cmp eq reg 1 0x00003039 ]
+  [ reject type 1 code 0 ]
+
+# reject
+inet test-inet input
+  [ reject type 2 code 1 ]
+
+# meta nfproto ipv4 reject
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ reject type 0 code 3 ]
+
+# meta nfproto ipv6 reject
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ reject type 0 code 4 ]
+
+# reject with icmpx host-unreachable
+inet test-inet input
+  [ reject type 2 code 2 ]
+
+# reject with icmpx no-route
+inet test-inet input
+  [ reject type 2 code 0 ]
+
+# reject with icmpx admin-prohibited
+inet test-inet input
+  [ reject type 2 code 3 ]
+
+# reject with icmpx port-unreachable
+inet test-inet input
+  [ reject type 2 code 1 ]
+
+# reject with icmpx 3
+inet test-inet input
+  [ reject type 2 code 3 ]
+
+# meta nfproto ipv4 reject with icmp host-unreachable
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ reject type 0 code 1 ]
+
+# meta nfproto ipv6 reject with icmpv6 no-route
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ reject type 0 code 0 ]
+
+# meta nfproto ipv4 reject with icmpx admin-prohibited
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ reject type 2 code 3 ]
+
+# meta nfproto ipv6 reject with icmpx admin-prohibited
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ reject type 2 code 3 ]
+
+# ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
+inet test-inet input
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 8b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0xddccbbaa 0x0008ffee ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+  [ reject type 0 code 3 ]
+
diff --git a/tests/py/inet/rt.t b/tests/py/inet/rt.t
new file mode 100644
index 0000000..a0e0d00
--- /dev/null
+++ b/tests/py/inet/rt.t
@@ -0,0 +1,15 @@
+:output;type filter hook output priority 0
+
+*inet;test-inet;output
+
+meta nfproto ipv4 rt nexthop 192.168.0.1;ok;meta nfproto ipv4 rt ip nexthop 192.168.0.1
+rt ip6 nexthop fd00::1;ok
+
+# missing context
+rt nexthop 192.168.0.1;fail
+rt nexthop fd00::1;fail
+
+# wrong context
+rt ip nexthop fd00::1;fail
+
+tcp option maxseg size set rt mtu;ok
diff --git a/tests/py/inet/rt.t.json b/tests/py/inet/rt.t.json
new file mode 100644
index 0000000..6dbea41
--- /dev/null
+++ b/tests/py/inet/rt.t.json
@@ -0,0 +1,59 @@
+# meta nfproto ipv4 rt nexthop 192.168.0.1
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "nfproto" }
+            },
+	    "op": "==",
+            "right": "ipv4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "rt": {
+                    "key": "nexthop"
+                }
+            },
+	    "op": "==",
+            "right": "192.168.0.1"
+        }
+    }
+]
+
+# rt ip6 nexthop fd00::1
+[
+    {
+        "match": {
+            "left": {
+                "rt": {
+                    "family": "ip6",
+                    "key": "nexthop"
+                }
+            },
+	    "op": "==",
+            "right": "fd00::1"
+        }
+    }
+]
+
+# tcp option maxseg size set rt mtu
+[
+    {
+        "mangle": {
+            "key": {
+                "tcp option": {
+                    "field": "size",
+                    "name": "maxseg"
+                }
+            },
+            "value": {
+                "rt": {
+                    "key": "mtu"
+                }
+            }
+        }
+    }
+]
+
diff --git a/tests/py/inet/rt.t.json.output b/tests/py/inet/rt.t.json.output
new file mode 100644
index 0000000..382ef87
--- /dev/null
+++ b/tests/py/inet/rt.t.json.output
@@ -0,0 +1,25 @@
+# meta nfproto ipv4 rt nexthop 192.168.0.1
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "nfproto" }
+            },
+	    "op": "==",
+            "right": "ipv4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "rt": {
+                    "family": "ip",
+                    "key": "nexthop"
+                }
+            },
+	    "op": "==",
+            "right": "192.168.0.1"
+        }
+    }
+]
+
diff --git a/tests/py/inet/rt.t.payload b/tests/py/inet/rt.t.payload
new file mode 100644
index 0000000..84dea12
--- /dev/null
+++ b/tests/py/inet/rt.t.payload
@@ -0,0 +1,18 @@
+# meta nfproto ipv4 rt nexthop 192.168.0.1
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ rt load nexthop4 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+
+# rt ip6 nexthop fd00::1
+inet test-inet output
+  [ rt load nexthop6 => reg 1 ]
+  [ cmp eq reg 1 0x000000fd 0x00000000 0x00000000 0x01000000 ]
+
+# tcp option maxseg size set rt mtu
+inet test-inet output
+  [ rt load tcpmss => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 2, 2) ]
+  [ exthdr write tcpopt reg 1 => 2b @ 2 + 2 ]
+
diff --git a/tests/py/inet/sctp.t b/tests/py/inet/sctp.t
new file mode 100644
index 0000000..016173b
--- /dev/null
+++ b/tests/py/inet/sctp.t
@@ -0,0 +1,73 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+sctp sport 23;ok
+sctp sport != 23;ok
+sctp sport 23-44;ok
+sctp sport != 23-44;ok
+sctp sport { 23, 24, 25};ok
+sctp sport != { 23, 24, 25};ok
+
+sctp dport 23;ok
+sctp dport != 23;ok
+sctp dport 23-44;ok
+sctp dport != 23-44;ok
+sctp dport { 23, 24, 25};ok
+sctp dport != { 23, 24, 25};ok
+
+sctp checksum 1111;ok
+sctp checksum != 11;ok
+sctp checksum 21-333;ok
+sctp checksum != 32-111;ok
+sctp checksum { 22, 33, 44};ok
+sctp checksum != { 22, 33, 44};ok
+
+sctp vtag 22;ok
+sctp vtag != 233;ok
+sctp vtag 33-45;ok
+sctp vtag != 33-45;ok
+sctp vtag {33, 55, 67, 88};ok
+sctp vtag != {33, 55, 67, 88};ok
+
+# assert all chunk types are recognized
+sctp chunk data exists;ok
+sctp chunk init exists;ok
+sctp chunk init-ack exists;ok
+sctp chunk sack exists;ok
+sctp chunk heartbeat exists;ok
+sctp chunk heartbeat-ack exists;ok
+sctp chunk abort exists;ok
+sctp chunk shutdown exists;ok
+sctp chunk shutdown-ack exists;ok
+sctp chunk error exists;ok
+sctp chunk cookie-echo exists;ok
+sctp chunk cookie-ack exists;ok
+sctp chunk ecne exists;ok
+sctp chunk cwr exists;ok
+sctp chunk shutdown-complete exists;ok
+sctp chunk asconf-ack exists;ok
+sctp chunk forward-tsn exists;ok
+sctp chunk asconf exists;ok
+
+# test common header fields in random chunk types
+sctp chunk data type 0;ok
+sctp chunk init flags 23;ok
+sctp chunk init-ack length 42;ok
+
+# test one custom field in every applicable chunk type
+sctp chunk data stream 1337;ok
+sctp chunk init initial-tsn 5;ok
+sctp chunk init-ack num-outbound-streams 3;ok
+sctp chunk sack a-rwnd 1;ok
+sctp chunk shutdown cum-tsn-ack 65535;ok
+sctp chunk ecne lowest-tsn 5;ok
+sctp chunk cwr lowest-tsn 8;ok
+sctp chunk asconf-ack seqno 12345;ok
+sctp chunk forward-tsn new-cum-tsn 31337;ok
+sctp chunk asconf seqno 12345;ok
diff --git a/tests/py/inet/sctp.t.json b/tests/py/inet/sctp.t.json
new file mode 100644
index 0000000..75a9b01
--- /dev/null
+++ b/tests/py/inet/sctp.t.json
@@ -0,0 +1,928 @@
+# sctp sport 23
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "sctp"
+                }
+            },
+	    "op": "==",
+            "right": 23
+        }
+    }
+]
+
+# sctp sport != 23
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "sctp"
+                }
+            },
+            "op": "!=",
+            "right": 23
+        }
+    }
+]
+
+# sctp sport 23-44
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "sctp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 23, 44 ]
+            }
+        }
+    }
+]
+
+# sctp sport != 23-44
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "sctp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 23, 44 ]
+            }
+        }
+    }
+]
+
+# sctp sport { 23, 24, 25}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "sctp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    23,
+                    24,
+                    25
+                ]
+            }
+        }
+    }
+]
+
+# sctp sport != { 23, 24, 25}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "sctp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    23,
+                    24,
+                    25
+                ]
+            }
+        }
+    }
+]
+
+# sctp dport 23
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "sctp"
+                }
+            },
+	    "op": "==",
+            "right": 23
+        }
+    }
+]
+
+# sctp dport != 23
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "sctp"
+                }
+            },
+            "op": "!=",
+            "right": 23
+        }
+    }
+]
+
+# sctp dport 23-44
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "sctp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 23, 44 ]
+            }
+        }
+    }
+]
+
+# sctp dport != 23-44
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "sctp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 23, 44 ]
+            }
+        }
+    }
+]
+
+# sctp dport { 23, 24, 25}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "sctp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    23,
+                    24,
+                    25
+                ]
+            }
+        }
+    }
+]
+
+# sctp dport != { 23, 24, 25}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "sctp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    23,
+                    24,
+                    25
+                ]
+            }
+        }
+    }
+]
+
+# sctp checksum 1111
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "sctp"
+                }
+            },
+	    "op": "==",
+            "right": 1111
+        }
+    }
+]
+
+# sctp checksum != 11
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "sctp"
+                }
+            },
+            "op": "!=",
+            "right": 11
+        }
+    }
+]
+
+# sctp checksum 21-333
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "sctp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 21, 333 ]
+            }
+        }
+    }
+]
+
+# sctp checksum != 32-111
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "sctp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 32, 111 ]
+            }
+        }
+    }
+]
+
+# sctp checksum { 22, 33, 44}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "sctp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    22,
+                    33,
+                    44
+                ]
+            }
+        }
+    }
+]
+
+# sctp checksum != { 22, 33, 44}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "sctp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    22,
+                    33,
+                    44
+                ]
+            }
+        }
+    }
+]
+
+# sctp vtag 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "vtag",
+                    "protocol": "sctp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# sctp vtag != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "vtag",
+                    "protocol": "sctp"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# sctp vtag 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "vtag",
+                    "protocol": "sctp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# sctp vtag != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "vtag",
+                    "protocol": "sctp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# sctp vtag {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "vtag",
+                    "protocol": "sctp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# sctp vtag != {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "vtag",
+                    "protocol": "sctp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# sctp chunk data exists
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "name": "data"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# sctp chunk init exists
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "name": "init"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# sctp chunk init-ack exists
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "name": "init-ack"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# sctp chunk sack exists
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "name": "sack"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# sctp chunk heartbeat exists
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "name": "heartbeat"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# sctp chunk heartbeat-ack exists
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "name": "heartbeat-ack"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# sctp chunk abort exists
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "name": "abort"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# sctp chunk shutdown exists
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "name": "shutdown"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# sctp chunk shutdown-ack exists
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "name": "shutdown-ack"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# sctp chunk error exists
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "name": "error"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# sctp chunk cookie-echo exists
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "name": "cookie-echo"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# sctp chunk cookie-ack exists
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "name": "cookie-ack"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# sctp chunk ecne exists
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "name": "ecne"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# sctp chunk cwr exists
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "name": "cwr"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# sctp chunk shutdown-complete exists
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "name": "shutdown-complete"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# sctp chunk asconf-ack exists
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "name": "asconf-ack"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# sctp chunk forward-tsn exists
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "name": "forward-tsn"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# sctp chunk asconf exists
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "name": "asconf"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# sctp chunk data type 0
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "field": "type",
+                    "name": "data"
+                }
+            },
+            "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# sctp chunk init flags 23
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "field": "flags",
+                    "name": "init"
+                }
+            },
+            "op": "==",
+            "right": 23
+        }
+    }
+]
+
+# sctp chunk init-ack length 42
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "field": "length",
+                    "name": "init-ack"
+                }
+            },
+            "op": "==",
+            "right": 42
+        }
+    }
+]
+
+# sctp chunk data stream 1337
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "field": "stream",
+                    "name": "data"
+                }
+            },
+            "op": "==",
+            "right": 1337
+        }
+    }
+]
+
+# sctp chunk init initial-tsn 5
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "field": "initial-tsn",
+                    "name": "init"
+                }
+            },
+            "op": "==",
+            "right": 5
+        }
+    }
+]
+
+# sctp chunk init-ack num-outbound-streams 3
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "field": "num-outbound-streams",
+                    "name": "init-ack"
+                }
+            },
+            "op": "==",
+            "right": 3
+        }
+    }
+]
+
+# sctp chunk sack a-rwnd 1
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "field": "a-rwnd",
+                    "name": "sack"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# sctp chunk shutdown cum-tsn-ack 65535
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "field": "cum-tsn-ack",
+                    "name": "shutdown"
+                }
+            },
+            "op": "==",
+            "right": 65535
+        }
+    }
+]
+
+# sctp chunk ecne lowest-tsn 5
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "field": "lowest-tsn",
+                    "name": "ecne"
+                }
+            },
+            "op": "==",
+            "right": 5
+        }
+    }
+]
+
+# sctp chunk cwr lowest-tsn 8
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "field": "lowest-tsn",
+                    "name": "cwr"
+                }
+            },
+            "op": "==",
+            "right": 8
+        }
+    }
+]
+
+# sctp chunk asconf-ack seqno 12345
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "field": "seqno",
+                    "name": "asconf-ack"
+                }
+            },
+            "op": "==",
+            "right": 12345
+        }
+    }
+]
+
+# sctp chunk forward-tsn new-cum-tsn 31337
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "field": "new-cum-tsn",
+                    "name": "forward-tsn"
+                }
+            },
+            "op": "==",
+            "right": 31337
+        }
+    }
+]
+
+# sctp chunk asconf seqno 12345
+[
+    {
+        "match": {
+            "left": {
+                "sctp chunk": {
+                    "field": "seqno",
+                    "name": "asconf"
+                }
+            },
+            "op": "==",
+            "right": 12345
+        }
+    }
+]
+
diff --git a/tests/py/inet/sctp.t.payload b/tests/py/inet/sctp.t.payload
new file mode 100644
index 0000000..7337e2e
--- /dev/null
+++ b/tests/py/inet/sctp.t.payload
@@ -0,0 +1,351 @@
+# sctp sport 23
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00001700 ]
+
+# sctp sport != 23
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00001700 ]
+
+# sctp sport 23-44
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ cmp gte reg 1 0x00001700 ]
+  [ cmp lte reg 1 0x00002c00 ]
+
+# sctp sport != 23-44
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ range neq reg 1 0x00001700 0x00002c00 ]
+
+# sctp sport { 23, 24, 25}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# sctp sport != { 23, 24, 25}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# sctp dport 23
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001700 ]
+
+# sctp dport != 23
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp neq reg 1 0x00001700 ]
+
+# sctp dport 23-44
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00001700 ]
+  [ cmp lte reg 1 0x00002c00 ]
+
+# sctp dport != 23-44
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ range neq reg 1 0x00001700 0x00002c00 ]
+
+# sctp dport { 23, 24, 25}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# sctp dport != { 23, 24, 25}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# sctp checksum 1111
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x57040000 ]
+
+# sctp checksum != 11
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ cmp neq reg 1 0x0b000000 ]
+
+# sctp checksum 21-333
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ cmp gte reg 1 0x15000000 ]
+  [ cmp lte reg 1 0x4d010000 ]
+
+# sctp checksum != 32-111
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ range neq reg 1 0x20000000 0x6f000000 ]
+
+# sctp checksum { 22, 33, 44}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 16000000  : 0 [end]	element 21000000  : 0 [end]	element 2c000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# sctp checksum != { 22, 33, 44}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 16000000  : 0 [end]	element 21000000  : 0 [end]	element 2c000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# sctp vtag 22
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x16000000 ]
+
+# sctp vtag != 233
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp neq reg 1 0xe9000000 ]
+
+# sctp vtag 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x21000000 ]
+  [ cmp lte reg 1 0x2d000000 ]
+
+# sctp vtag != 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ range neq reg 1 0x21000000 0x2d000000 ]
+
+# sctp vtag {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# sctp vtag != {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# sctp chunk data exists
+ip
+  [ exthdr load 1b @ 0 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk init exists
+ip
+  [ exthdr load 1b @ 1 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk init-ack exists
+ip
+  [ exthdr load 1b @ 2 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk sack exists
+ip
+  [ exthdr load 1b @ 3 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk heartbeat exists
+ip
+  [ exthdr load 1b @ 4 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk heartbeat-ack exists
+ip
+  [ exthdr load 1b @ 5 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk abort exists
+ip
+  [ exthdr load 1b @ 6 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk shutdown exists
+ip
+  [ exthdr load 1b @ 7 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk shutdown-ack exists
+ip
+  [ exthdr load 1b @ 8 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk error exists
+ip
+  [ exthdr load 1b @ 9 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk cookie-echo exists
+ip
+  [ exthdr load 1b @ 10 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk cookie-ack exists
+ip
+  [ exthdr load 1b @ 11 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk ecne exists
+ip
+  [ exthdr load 1b @ 12 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk cwr exists
+ip
+  [ exthdr load 1b @ 13 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk shutdown-complete exists
+ip
+  [ exthdr load 1b @ 14 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk asconf-ack exists
+ip
+  [ exthdr load 1b @ 128 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk forward-tsn exists
+ip
+  [ exthdr load 1b @ 192 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk asconf exists
+ip
+  [ exthdr load 1b @ 193 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk data type 0
+ip
+  [ exthdr load 1b @ 0 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# sctp chunk init flags 23
+ip
+  [ exthdr load 1b @ 1 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000017 ]
+
+# sctp chunk init-ack length 42
+ip
+  [ exthdr load 2b @ 2 + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00002a00 ]
+
+# sctp chunk data stream 1337
+ip
+  [ exthdr load 2b @ 0 + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00003905 ]
+
+# sctp chunk init initial-tsn 5
+ip
+  [ exthdr load 4b @ 1 + 16 => reg 1 ]
+  [ cmp eq reg 1 0x05000000 ]
+
+# sctp chunk init-ack num-outbound-streams 3
+ip
+  [ exthdr load 2b @ 2 + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000300 ]
+
+# sctp chunk sack a-rwnd 1
+ip
+  [ exthdr load 4b @ 3 + 8 => reg 1 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# sctp chunk shutdown cum-tsn-ack 65535
+ip
+  [ exthdr load 4b @ 7 + 4 => reg 1 ]
+  [ cmp eq reg 1 0xffff0000 ]
+
+# sctp chunk ecne lowest-tsn 5
+ip
+  [ exthdr load 4b @ 12 + 4 => reg 1 ]
+  [ cmp eq reg 1 0x05000000 ]
+
+# sctp chunk cwr lowest-tsn 8
+ip
+  [ exthdr load 4b @ 13 + 4 => reg 1 ]
+  [ cmp eq reg 1 0x08000000 ]
+
+# sctp chunk asconf-ack seqno 12345
+ip
+  [ exthdr load 4b @ 128 + 4 => reg 1 ]
+  [ cmp eq reg 1 0x39300000 ]
+
+# sctp chunk forward-tsn new-cum-tsn 31337
+ip
+  [ exthdr load 4b @ 192 + 4 => reg 1 ]
+  [ cmp eq reg 1 0x697a0000 ]
+
+# sctp chunk asconf seqno 12345
+ip
+  [ exthdr load 4b @ 193 + 4 => reg 1 ]
+  [ cmp eq reg 1 0x39300000 ]
+
diff --git a/tests/py/inet/sets.t b/tests/py/inet/sets.t
new file mode 100644
index 0000000..5b22e1f
--- /dev/null
+++ b/tests/py/inet/sets.t
@@ -0,0 +1,25 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*inet;test-inet;input
+*bridge;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+!set1 type ipv4_addr timeout 60s;ok
+?set1 192.168.3.4 timeout 30s, 10.2.1.1;ok
+
+!set2 type ipv6_addr timeout 23d23h59m59s;ok
+?set2 dead::beef timeout 5s;ok
+
+ip saddr @set1 drop;ok
+ip saddr != @set2 drop;fail
+
+ip6 daddr != @set2 accept;ok
+ip6 daddr @set1 drop;fail
+
+!set3 type ipv4_addr . ipv4_addr . inet_service flags interval;ok
+?set3 10.0.0.0/8 . 192.168.1.3-192.168.1.9 . 1024-65535;ok
+
+ip saddr . ip daddr . tcp dport @set3 accept;ok
+ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept;ok
diff --git a/tests/py/inet/sets.t.json b/tests/py/inet/sets.t.json
new file mode 100644
index 0000000..b44ffc2
--- /dev/null
+++ b/tests/py/inet/sets.t.json
@@ -0,0 +1,136 @@
+# ip saddr @set1 drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "@set1"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# ip6 daddr != @set2 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": "@set2"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ip saddr . ip daddr . tcp dport @set3 accept
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "dport",
+                            "protocol": "tcp"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": "@set3"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "dport",
+                            "protocol": "tcp"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            {
+                                "prefix": {
+                                    "addr": "10.0.0.0",
+                                    "len": 8
+                                }
+                            },
+                            {
+                                "range": [
+                                    10,
+                                    23
+                                ]
+                            }
+                        ]
+                    },
+                    {
+                        "concat": [
+                            {
+                                "range": [
+                                    "192.168.1.1",
+                                    "192.168.3.8"
+                                ]
+                            },
+                            {
+                                "range": [
+                                    80,
+                                    443
+                                ]
+                            }
+                        ]
+                    }
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
diff --git a/tests/py/inet/sets.t.payload.bridge b/tests/py/inet/sets.t.payload.bridge
new file mode 100644
index 0000000..3dd9d57
--- /dev/null
+++ b/tests/py/inet/sets.t.payload.bridge
@@ -0,0 +1,42 @@
+# ip saddr @set1 drop
+bridge test-inet input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set1 ]
+  [ immediate reg 0 drop ]
+
+# ip6 daddr != @set2 accept
+bridge test-inet input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ lookup reg 1 set set2 0x1 ]
+  [ immediate reg 0 accept ]
+
+# ip saddr . ip daddr . tcp dport @set3 accept
+bridge 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ payload load 2b @ transport header + 2 => reg 10 ]
+  [ lookup reg 1 set set3 ]
+  [ immediate reg 0 accept ]
+
+# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept
+__set%d test-inet 87
+__set%d test-inet 0
+        element 0000000a 00000a00  - ffffff0a 00001700  : 0 [end]    element 0101a8c0 00005000  - 0803a8c0 0000bb01  : 0 [end]
+bridge 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ payload load 2b @ transport header + 2 => reg 9 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
diff --git a/tests/py/inet/sets.t.payload.inet b/tests/py/inet/sets.t.payload.inet
new file mode 100644
index 0000000..53c6b18
--- /dev/null
+++ b/tests/py/inet/sets.t.payload.inet
@@ -0,0 +1,41 @@
+# ip saddr @set1 drop
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set1 ]
+  [ immediate reg 0 drop ]
+
+# ip6 daddr != @set2 accept
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ lookup reg 1 set set2 0x1 ]
+  [ immediate reg 0 accept ]
+
+# ip saddr . ip daddr . tcp dport @set3 accept
+inet 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ payload load 2b @ transport header + 2 => reg 10 ]
+  [ lookup reg 1 set set3 ]
+  [ immediate reg 0 accept ]
+
+# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept
+__set%d test-inet 87
+__set%d test-inet 0
+        element 0000000a 00000a00  - ffffff0a 00001700  : 0 [end]    element 0101a8c0 00005000  - 0803a8c0 0000bb01  : 0 [end]
+inet 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ payload load 2b @ transport header + 2 => reg 9 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
diff --git a/tests/py/inet/sets.t.payload.netdev b/tests/py/inet/sets.t.payload.netdev
new file mode 100644
index 0000000..e31aeb9
--- /dev/null
+++ b/tests/py/inet/sets.t.payload.netdev
@@ -0,0 +1,41 @@
+# ip saddr @set1 drop
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set1 ]
+  [ immediate reg 0 drop ]
+
+# ip6 daddr != @set2 accept
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ lookup reg 1 set set2 0x1 ]
+  [ immediate reg 0 accept ]
+
+# ip saddr . ip daddr . tcp dport @set3 accept
+netdev
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ payload load 2b @ transport header + 2 => reg 10 ]
+  [ lookup reg 1 set set3 ]
+  [ immediate reg 0 accept ]
+
+# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept
+__set%d test-netdev 87
+__set%d test-netdev 0
+        element 0000000a 00000a00  - ffffff0a 00001700  : 0 [end]    element 0101a8c0 00005000  - 0803a8c0 0000bb01  : 0 [end]
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ payload load 2b @ transport header + 2 => reg 9 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
diff --git a/tests/py/inet/snat.t b/tests/py/inet/snat.t
new file mode 100644
index 0000000..cf23b5c
--- /dev/null
+++ b/tests/py/inet/snat.t
@@ -0,0 +1,21 @@
+:postrouting;type nat hook postrouting priority 0
+
+*inet;test-inet;postrouting
+
+# explicit family: 'snat to ip':
+iifname "eth0" tcp dport 81 snat ip to 192.168.3.2;ok
+
+# infer snat target family from network header base:
+iifname "eth0" tcp dport 81 ip saddr 10.1.1.1 snat to 192.168.3.2;ok;iifname "eth0" tcp dport 81 ip saddr 10.1.1.1 snat ip to 192.168.3.2
+iifname "eth0" tcp dport 81 snat ip6 to dead::beef;ok
+
+iifname "foo" masquerade random;ok
+
+
+snat to 192.168.3.2;fail
+snat ip6 to 192.168.3.2;fail
+snat to dead::beef;fail
+snat ip to dead::beef;fail
+snat ip daddr 1.2.3.4 to dead::beef;fail
+snat ip daddr 1.2.3.4 ip6 to dead::beef;fail
+snat ip6 saddr dead::beef to 1.2.3.4;fail
diff --git a/tests/py/inet/snat.t.json b/tests/py/inet/snat.t.json
new file mode 100644
index 0000000..4671625
--- /dev/null
+++ b/tests/py/inet/snat.t.json
@@ -0,0 +1,131 @@
+# iifname "eth0" tcp dport 81 snat ip to 192.168.3.2
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "iifname"
+                }
+            },
+            "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "==",
+            "right": 81
+        }
+    },
+    {
+        "snat": {
+            "addr": "192.168.3.2",
+            "family": "ip"
+        }
+    }
+]
+
+# iifname "eth0" tcp dport 81 ip saddr 10.1.1.1 snat to 192.168.3.2
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "iifname"
+                }
+            },
+            "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "==",
+            "right": 81
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": "10.1.1.1"
+        }
+    },
+    {
+        "snat": {
+            "addr": "192.168.3.2",
+            "family": "ip"
+        }
+    }
+]
+
+# iifname "eth0" tcp dport 81 snat ip6 to dead::beef
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "iifname"
+                }
+            },
+            "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "==",
+            "right": 81
+        }
+    },
+    {
+        "snat": {
+            "addr": "dead::beef",
+            "family": "ip6"
+        }
+    }
+]
+
+# iifname "foo" masquerade random
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "iifname"
+                }
+            },
+            "op": "==",
+            "right": "foo"
+        }
+    },
+    {
+        "masquerade": {
+            "flags": "random"
+        }
+    }
+]
+
diff --git a/tests/py/inet/snat.t.payload b/tests/py/inet/snat.t.payload
new file mode 100644
index 0000000..50519c6
--- /dev/null
+++ b/tests/py/inet/snat.t.payload
@@ -0,0 +1,42 @@
+# iifname "eth0" tcp dport 81 snat ip to 192.168.3.2
+inet test-inet postrouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00005100 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat snat ip addr_min reg 1 ]
+
+# iifname "eth0" tcp dport 81 ip saddr 10.1.1.1 snat to 192.168.3.2
+inet test-inet postrouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00005100 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0101010a ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat snat ip addr_min reg 1 ]
+
+# iifname "eth0" tcp dport 81 snat ip6 to dead::beef
+inet test-inet postrouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00005100 ]
+  [ immediate reg 1 0x0000adde 0x00000000 0x00000000 0xefbe0000 ]
+  [ nat snat ip6 addr_min reg 1 ]
+
+# iifname "foo" masquerade random
+inet test-inet postrouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x006f6f66 0x00000000 0x00000000 0x00000000 ]
+  [ masq flags 0x4 ]
diff --git a/tests/py/inet/socket.t b/tests/py/inet/socket.t
new file mode 100644
index 0000000..05e9ebb
--- /dev/null
+++ b/tests/py/inet/socket.t
@@ -0,0 +1,15 @@
+:sockchain;type filter hook prerouting priority -150
+
+*ip;sockip4;sockchain
+*ip6;sockip6;sockchain
+*inet;sockin;sockchain
+
+socket transparent 0;ok
+socket transparent 1;ok
+socket transparent 2;fail
+
+socket mark 0x00000005;ok
+
+socket wildcard 0;ok
+socket wildcard 1;ok
+socket wildcard 2;fail
diff --git a/tests/py/inet/socket.t.json b/tests/py/inet/socket.t.json
new file mode 100644
index 0000000..fa48e79
--- /dev/null
+++ b/tests/py/inet/socket.t.json
@@ -0,0 +1,74 @@
+# socket transparent 0
+[
+    {
+        "match": {
+            "left": {
+                "socket": {
+                    "key": "transparent"
+                }
+            },
+            "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# socket transparent 1
+[
+    {
+        "match": {
+            "left": {
+                "socket": {
+                    "key": "transparent"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# socket mark 0x00000005
+[
+    {
+        "match": {
+            "left": {
+                "socket": {
+                    "key": "mark"
+                }
+            },
+            "op": "==",
+            "right": 5
+        }
+    }
+]
+
+# socket wildcard 0
+[
+    {
+        "match": {
+            "left": {
+                "socket": {
+                    "key": "wildcard"
+                }
+            },
+            "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# socket wildcard 1
+[
+    {
+        "match": {
+            "left": {
+                "socket": {
+                    "key": "wildcard"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
diff --git a/tests/py/inet/socket.t.payload b/tests/py/inet/socket.t.payload
new file mode 100644
index 0000000..e66ccbf
--- /dev/null
+++ b/tests/py/inet/socket.t.payload
@@ -0,0 +1,24 @@
+# socket transparent 0
+inet sockin sockchain 
+  [ socket load transparent => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# socket transparent 1
+inet sockin sockchain 
+  [ socket load transparent => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# socket mark 0x00000005
+inet sockin sockchain 
+  [ socket load mark => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+
+# socket wildcard 0
+inet sockin sockchain
+  [ socket load wildcard => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# socket wildcard 1
+inet sockin sockchain
+  [ socket load wildcard => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
diff --git a/tests/py/inet/synproxy.t b/tests/py/inet/synproxy.t
new file mode 100644
index 0000000..55a05e1
--- /dev/null
+++ b/tests/py/inet/synproxy.t
@@ -0,0 +1,13 @@
+:synproxychain;type filter hook input priority 0
+
+*ip;synproxyip;synproxychain
+*ip6;synproxyip6;synproxychain
+*inet;synproxyinet;synproxychain
+
+synproxy;ok
+synproxy mss 1460 wscale 7;ok
+synproxy mss 1460 wscale 5 timestamp sack-perm;ok
+synproxy timestamp sack-perm;ok
+synproxy timestamp;ok
+synproxy sack-perm;ok
+
diff --git a/tests/py/inet/synproxy.t.json b/tests/py/inet/synproxy.t.json
new file mode 100644
index 0000000..1dd85a6
--- /dev/null
+++ b/tests/py/inet/synproxy.t.json
@@ -0,0 +1,64 @@
+# synproxy
+[
+    {
+        "synproxy":null
+    }
+]
+
+# synproxy mss 1460 wscale 7
+[
+    {
+        "synproxy": {
+            "mss": 1460,
+            "wscale": 7
+        }
+    }
+]
+
+# synproxy timestamp
+[
+    {
+        "synproxy": {
+            "flags": [
+                "timestamp"
+            ]
+        }
+    }
+]
+
+# synproxy timestamp sack-perm
+[
+    {
+        "synproxy": {
+            "flags": [
+                "timestamp",
+                "sack-perm"
+            ]
+        }
+    }
+]
+
+# synproxy mss 1460 wscale 5 timestamp sack-perm
+[
+    {
+        "synproxy": {
+            "flags": [
+                "timestamp",
+                "sack-perm"
+            ],
+            "mss": 1460,
+            "wscale": 5
+        }
+    }
+]
+
+# synproxy sack-perm
+[
+    {
+        "synproxy": {
+            "flags": [
+                "sack-perm"
+            ]
+        }
+    }
+]
diff --git a/tests/py/inet/synproxy.t.payload b/tests/py/inet/synproxy.t.payload
new file mode 100644
index 0000000..dd318b9
--- /dev/null
+++ b/tests/py/inet/synproxy.t.payload
@@ -0,0 +1,24 @@
+# synproxy
+inet synproxyinet synproxychain
+  [ synproxy mss 0 wscale 0 ]
+
+# synproxy mss 1460 wscale 7
+inet synproxyinet synproxychain
+  [ synproxy mss 1460 wscale 7 ]
+
+# synproxy mss 1460 wscale 5 timestamp sack-perm
+inet synproxyinet synproxychain
+  [ synproxy mss 1460 wscale 5 ]
+
+# synproxy timestamp sack-perm
+inet synproxyinet synproxychain
+  [ synproxy mss 0 wscale 0 ]
+
+# synproxy timestamp
+inet synproxyinet synproxychain
+  [ synproxy mss 0 wscale 0 ]
+
+# synproxy sack-perm
+inet synproxyinet synproxychain
+  [ synproxy mss 0 wscale 0 ]
+
diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t
new file mode 100644
index 0000000..f51ebd3
--- /dev/null
+++ b/tests/py/inet/tcp.t
@@ -0,0 +1,115 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+tcp dport set {1, 2, 3};fail
+
+tcp dport 22;ok
+tcp dport != 233;ok
+tcp dport 33-45;ok
+tcp dport != 33-45;ok
+tcp dport { 33, 55, 67, 88};ok
+tcp dport != { 33, 55, 67, 88};ok
+tcp dport {telnet, http, https} accept;ok;tcp dport { 443, 23, 80} accept
+tcp dport vmap { 22 : accept, 23 : drop };ok
+tcp dport vmap { 25:accept, 28:drop };ok
+tcp dport { 22, 53, 80, 110 };ok
+tcp dport != { 22, 53, 80, 110 };ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+tcp sport 22;ok
+tcp sport != 233;ok
+tcp sport 33-45;ok
+tcp sport != 33-45;ok
+tcp sport { 33, 55, 67, 88};ok
+tcp sport != { 33, 55, 67, 88};ok
+tcp sport vmap { 25:accept, 28:drop };ok
+
+tcp sport 8080 drop;ok
+tcp sport 1024 tcp dport 22;ok
+tcp sport 1024 tcp dport 22 tcp sequence 0;ok
+
+tcp sequence 0 tcp sport 1024 tcp dport 22;ok
+tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22;ok;tcp sequence 0 tcp sport { 1022, 1024} tcp dport 22
+
+tcp sequence 22;ok
+tcp sequence != 233;ok
+tcp sequence 33-45;ok
+tcp sequence != 33-45;ok
+tcp sequence { 33, 55, 67, 88};ok
+tcp sequence != { 33, 55, 67, 88};ok
+
+tcp ackseq 42949672 drop;ok
+tcp ackseq 22;ok
+tcp ackseq != 233;ok
+tcp ackseq 33-45;ok
+tcp ackseq != 33-45;ok
+tcp ackseq { 33, 55, 67, 88};ok
+tcp ackseq != { 33, 55, 67, 88};ok
+
+- tcp doff 22;ok
+- tcp doff != 233;ok
+- tcp doff 33-45;ok
+- tcp doff != 33-45;ok
+- tcp doff { 33, 55, 67, 88};ok
+- tcp doff != { 33, 55, 67, 88};ok
+
+# BUG reserved
+# BUG: It is accepted but it is not shown then. tcp reserver
+
+tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop;ok
+tcp flags != { fin, urg, ecn, cwr} drop;ok
+tcp flags cwr;ok
+tcp flags != cwr;ok
+tcp flags == syn;ok
+tcp flags fin,syn / fin,syn;ok
+tcp flags != syn / fin,syn;ok
+tcp flags & syn != 0;ok;tcp flags syn
+tcp flags & syn == 0;ok;tcp flags ! syn
+tcp flags & (syn | ack) != 0;ok;tcp flags syn,ack
+tcp flags & (syn | ack) == 0;ok;tcp flags ! syn,ack
+# it should be possible to transform this to: tcp flags syn
+tcp flags & syn == syn;ok
+tcp flags & syn != syn;ok
+tcp flags & (fin | syn | rst | ack) syn;ok;tcp flags syn / fin,syn,rst,ack
+tcp flags & (fin | syn | rst | ack) == syn;ok;tcp flags syn / fin,syn,rst,ack
+tcp flags & (fin | syn | rst | ack) != syn;ok;tcp flags != syn / fin,syn,rst,ack
+tcp flags & (fin | syn | rst | ack) == (syn | ack);ok;tcp flags syn,ack / fin,syn,rst,ack
+tcp flags & (fin | syn | rst | ack) != (syn | ack);ok;tcp flags != syn,ack / fin,syn,rst,ack
+tcp flags & (syn | ack) == (syn | ack);ok;tcp flags syn,ack / syn,ack
+tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr;ok;tcp flags == 0xff
+tcp flags { syn, syn | ack };ok
+tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack };ok
+tcp flags ! fin,rst;ok
+tcp flags & (fin | syn | rst | ack) ! syn;fail
+
+tcp window 22222;ok
+tcp window 22;ok
+tcp window != 233;ok
+tcp window 33-45;ok
+tcp window != 33-45;ok
+tcp window { 33, 55, 67, 88};ok
+tcp window != { 33, 55, 67, 88};ok
+
+tcp checksum 22;ok
+tcp checksum != 233;ok
+tcp checksum 33-45;ok
+tcp checksum != 33-45;ok
+tcp checksum { 33, 55, 67, 88};ok
+tcp checksum != { 33, 55, 67, 88};ok
+
+tcp urgptr 1234 accept;ok
+tcp urgptr 22;ok
+tcp urgptr != 233;ok
+tcp urgptr 33-45;ok
+tcp urgptr != 33-45;ok
+tcp urgptr { 33, 55, 67, 88};ok
+tcp urgptr != { 33, 55, 67, 88};ok
+
+tcp doff 8;ok
diff --git a/tests/py/inet/tcp.t.json b/tests/py/inet/tcp.t.json
new file mode 100644
index 0000000..8439c2b
--- /dev/null
+++ b/tests/py/inet/tcp.t.json
@@ -0,0 +1,1799 @@
+# tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# tcp dport != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# tcp dport 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# tcp dport != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# tcp dport { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# tcp dport != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# tcp dport {telnet, http, https} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "telnet",
+                    "http",
+                    "https"
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# tcp dport vmap { 22 : accept, 23 : drop }
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        22,
+                        {
+                            "accept": null
+                        }
+                    ],
+                    [
+                        23,
+                        {
+                            "drop": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# tcp dport vmap { 25:accept, 28:drop }
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        25,
+                        {
+                            "accept": null
+                        }
+                    ],
+                    [
+                        28,
+                        {
+                            "drop": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# tcp dport { 22, 53, 80, 110 }
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    22,
+                    53,
+                    80,
+                    110
+                ]
+            }
+        }
+    }
+]
+
+# tcp dport != { 22, 53, 80, 110 }
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    22,
+                    53,
+                    80,
+                    110
+                ]
+            }
+        }
+    }
+]
+
+# tcp sport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# tcp sport != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# tcp sport 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# tcp sport != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# tcp sport { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# tcp sport != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# tcp sport vmap { 25:accept, 28:drop }
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "tcp"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        25,
+                        {
+                            "accept": null
+                        }
+                    ],
+                    [
+                        28,
+                        {
+                            "drop": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# tcp sport 8080 drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 8080
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# tcp sport 1024 tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 1024
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# tcp sport 1024 tcp dport 22 tcp sequence 0
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 1024
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# tcp sequence 0 tcp sport 1024 tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 1024
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    1024,
+                    1022
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# tcp sequence 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# tcp sequence != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# tcp sequence 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# tcp sequence != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# tcp sequence { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# tcp sequence != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# tcp ackseq 42949672 drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "ackseq",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 42949672
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# tcp ackseq 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "ackseq",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# tcp ackseq != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "ackseq",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# tcp ackseq 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "ackseq",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# tcp ackseq != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "ackseq",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# tcp ackseq { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "ackseq",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# tcp ackseq != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "ackseq",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "fin",
+                    "syn",
+                    "rst",
+                    "psh",
+                    "ack",
+                    "urg",
+                    "ecn",
+                    "cwr"
+                ]
+            }
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# tcp flags != { fin, urg, ecn, cwr} drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "fin",
+                    "urg",
+                    "ecn",
+                    "cwr"
+                ]
+            }
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# tcp flags cwr
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "in",
+            "right": "cwr"
+        }
+    }
+]
+
+# tcp flags != cwr
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": "cwr"
+        }
+    }
+]
+
+# tcp flags == syn
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "==",
+            "right": "syn"
+        }
+    }
+]
+
+# tcp flags & (syn|fin) == (syn|fin)
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "flags",
+                            "protocol": "tcp"
+                        }
+                    },
+                    {
+                        "|": [
+                            "syn",
+                            "fin"
+                        ]
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "|": [
+                    "syn",
+                    "fin"
+                ]
+            }
+        }
+    }
+]
+
+# tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "flags",
+                            "protocol": "tcp"
+                        }
+                    },
+                    {
+                        "|": [ "fin", { "|": [ "syn", { "|": [ "rst", { "|": [ "psh", { "|": [ "ack", { "|": [ "urg", { "|": [ "ecn", "cwr" ] } ] } ] } ] } ] } ] } ]
+                    }
+                ]
+            },
+            "op": "==",
+            "right": { "|": [ "fin", { "|": [ "syn", { "|": [ "rst", { "|": [ "psh", { "|": [ "ack", { "|": [ "urg", { "|": [ "ecn", "cwr" ] } ] } ] } ] } ] } ] } ] }
+        }
+    }
+]
+
+# tcp window 22222
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "window",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22222
+        }
+    }
+]
+
+# tcp window 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "window",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# tcp window != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "window",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# tcp window 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "window",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# tcp window != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "window",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# tcp window { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "window",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# tcp window != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "window",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# tcp checksum 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# tcp checksum != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# tcp checksum 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# tcp checksum != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# tcp checksum { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# tcp checksum != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# tcp urgptr 1234 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "urgptr",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 1234
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# tcp urgptr 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "urgptr",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# tcp urgptr != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "urgptr",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# tcp urgptr 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "urgptr",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# tcp urgptr != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "urgptr",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# tcp urgptr { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "urgptr",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# tcp urgptr != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "urgptr",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# tcp doff 8
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "doff",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 8
+        }
+    }
+]
+
+# tcp flags { syn, syn | ack }
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "|": [
+                            "syn",
+                            "ack"
+                        ]
+                    },
+                    "syn"
+                ]
+            }
+        }
+    }
+]
+
+# tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack }
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "flags",
+                            "protocol": "tcp"
+                        }
+                    },
+                    {
+                        "|": [
+                            {
+                                "|": [
+                                    {
+                                        "|": [
+                                            {
+                                                "|": [
+                                                    {
+                                                        "|": [
+                                                            "fin",
+                                                            "syn"
+                                                        ]
+                                                    },
+                                                    "rst"
+                                                ]
+                                            },
+                                            "psh"
+                                        ]
+                                    },
+                                    "ack"
+                                ]
+                            },
+                            "urg"
+                        ]
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "|": [
+                            {
+                                "|": [
+                                    "fin",
+                                    "psh"
+                                ]
+                            },
+                            "ack"
+                        ]
+                    },
+                    "fin",
+                    {
+                        "|": [
+                            "psh",
+                            "ack"
+                        ]
+                    },
+                    "ack"
+                ]
+            }
+        }
+    }
+]
+
+# tcp flags ! fin,rst
+[
+    {
+        "match": {
+            "op": "!",
+            "left": {
+                "payload": {
+                    "protocol": "tcp",
+                    "field": "flags"
+                }
+            },
+            "right": [
+                "fin",
+                "rst"
+            ]
+        }
+    }
+]
+
+# tcp flags fin,syn / fin,syn
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "flags",
+                            "protocol": "tcp"
+                        }
+                    },
+                    [
+                        "fin",
+                        "syn"
+                    ]
+                ]
+            },
+            "op": "==",
+            "right": [
+                "fin",
+                "syn"
+            ]
+        }
+    }
+]
+
+# tcp flags != syn / fin,syn
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "flags",
+                            "protocol": "tcp"
+                        }
+                    },
+                    [
+                        "fin",
+                        "syn"
+                    ]
+                ]
+            },
+            "op": "!=",
+            "right": "syn"
+        }
+    }
+]
+
+# tcp flags & syn == 0
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!",
+            "right": "syn"
+        }
+    }
+]
+
+# tcp flags & syn != 0
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "in",
+            "right": "syn"
+        }
+    }
+]
+
+# tcp flags & (syn | ack) != 0
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "in",
+            "right": [
+                "syn",
+                "ack"
+            ]
+        }
+    }
+]
+
+# tcp flags & (syn | ack) == 0
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!",
+            "right": [
+                "syn",
+                "ack"
+            ]
+        }
+    }
+]
+
+# tcp flags & syn == syn
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "flags",
+                            "protocol": "tcp"
+                        }
+                    },
+                    "syn"
+                ]
+            },
+            "op": "==",
+            "right": "syn"
+        }
+    }
+]
+
+# tcp flags & syn != syn
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "flags",
+                            "protocol": "tcp"
+                        }
+                    },
+                    "syn"
+                ]
+            },
+            "op": "!=",
+            "right": "syn"
+        }
+    }
+]
+
+# tcp flags & (fin | syn | rst | ack) syn
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "flags",
+                            "protocol": "tcp"
+                        }
+                    },
+                    [
+                        "fin",
+                        "syn",
+                        "rst",
+                        "ack"
+                    ]
+                ]
+            },
+            "op": "==",
+            "right": "syn"
+        }
+    }
+]
+
+# tcp flags & (fin | syn | rst | ack) == syn
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "flags",
+                            "protocol": "tcp"
+                        }
+                    },
+                    [
+                        "fin",
+                        "syn",
+                        "rst",
+                        "ack"
+                    ]
+                ]
+            },
+            "op": "==",
+            "right": "syn"
+        }
+    }
+]
+
+
+# tcp flags & (fin | syn | rst | ack) != syn
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "flags",
+                            "protocol": "tcp"
+                        }
+                    },
+                    [
+                        "fin",
+                        "syn",
+                        "rst",
+                        "ack"
+                    ]
+                ]
+            },
+            "op": "!=",
+            "right": "syn"
+        }
+    }
+]
+
+# tcp flags & (fin | syn | rst | ack) == (syn | ack)
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "flags",
+                            "protocol": "tcp"
+                        }
+                    },
+                    [
+                        "fin",
+                        "syn",
+                        "rst",
+                        "ack"
+                    ]
+                ]
+            },
+            "op": "==",
+            "right": [
+                "syn",
+                "ack"
+            ]
+        }
+    }
+]
+
+# tcp flags & (fin | syn | rst | ack) != (syn | ack)
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "flags",
+                            "protocol": "tcp"
+                        }
+                    },
+                    [
+                        "fin",
+                        "syn",
+                        "rst",
+                        "ack"
+                    ]
+                ]
+            },
+            "op": "!=",
+            "right": [
+                "syn",
+                "ack"
+            ]
+        }
+    }
+]
+
+# tcp flags & (syn | ack) == (syn | ack)
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "flags",
+                            "protocol": "tcp"
+                        }
+                    },
+                    [
+                        "syn",
+                        "ack"
+                    ]
+                ]
+            },
+            "op": "==",
+            "right": [
+                "syn",
+                "ack"
+            ]
+        }
+    }
+]
+
diff --git a/tests/py/inet/tcp.t.json.output b/tests/py/inet/tcp.t.json.output
new file mode 100644
index 0000000..c471e8d
--- /dev/null
+++ b/tests/py/inet/tcp.t.json.output
@@ -0,0 +1,210 @@
+# tcp dport {telnet, http, https} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    23,
+                    80,
+                    443
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    1022,
+                    1024
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# tcp flags & (syn|fin) == (syn|fin)
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "flags",
+                            "protocol": "tcp"
+                        }
+                    },
+                    {
+                        "|": [
+                            "fin",
+                            "syn"
+                        ]
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "|": [
+                    "fin",
+                    "syn"
+                ]
+            }
+        }
+    }
+]
+
+# tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "==",
+            "right": 255
+        }
+    }
+]
+
+# tcp flags { syn, syn | ack }
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flags",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "syn",
+                    {
+                        "|": [
+                            "syn",
+                            "ack"
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack }
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "flags",
+                            "protocol": "tcp"
+                        }
+                    },
+                    {
+                        "|": [
+                            {
+                                "|": [
+                                    {
+                                        "|": [
+                                            {
+                                                "|": [
+                                                    {
+                                                        "|": [
+                                                            "fin",
+                                                            "syn"
+                                                        ]
+                                                    },
+                                                    "rst"
+                                                ]
+                                            },
+                                            "psh"
+                                        ]
+                                    },
+                                    "ack"
+                                ]
+                            },
+                            "urg"
+                        ]
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "fin",
+                    {
+                        "|": [
+                            {
+                                "|": [
+                                    "fin",
+                                    "psh"
+                                ]
+                            },
+                            "ack"
+                        ]
+                    },
+                    {
+                        "|": [
+                            "psh",
+                            "ack"
+                        ]
+                    },
+                    "ack"
+                ]
+            }
+        }
+    }
+]
diff --git a/tests/py/inet/tcp.t.payload b/tests/py/inet/tcp.t.payload
new file mode 100644
index 0000000..1cfe500
--- /dev/null
+++ b/tests/py/inet/tcp.t.payload
@@ -0,0 +1,674 @@
+# tcp dport 22
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# tcp dport != 233
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# tcp dport 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# tcp dport != 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# tcp dport { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# tcp dport != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# tcp dport {telnet, http, https} accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001700  : 0 [end]	element 00005000  : 0 [end]	element 0000bb01  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# tcp dport vmap { 22 : accept, 23 : drop }
+__map%d test-inet b
+__map%d test-inet 0
+	element 00001600  : accept 0 [end]	element 00001700  : drop 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# tcp dport vmap { 25:accept, 28:drop }
+__map%d test-inet b
+__map%d test-inet 0
+	element 00001900  : accept 0 [end]	element 00001c00  : drop 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# tcp dport { 22, 53, 80, 110 }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001600  : 0 [end]	element 00003500  : 0 [end]	element 00005000  : 0 [end]	element 00006e00  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# tcp dport != { 22, 53, 80, 110 }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001600  : 0 [end]	element 00003500  : 0 [end]	element 00005000  : 0 [end]	element 00006e00  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# tcp sport 22
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# tcp sport != 233
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# tcp sport 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# tcp sport != 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# tcp sport { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# tcp sport != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# tcp sport vmap { 25:accept, 28:drop }
+__map%d test-inet b
+__map%d test-inet 0
+	element 00001900  : accept 0 [end]	element 00001c00  : drop 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# tcp sport 8080 drop
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x0000901f ]
+  [ immediate reg 0 drop ]
+
+# tcp sport 1024 tcp dport 22
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x16000004 ]
+
+# tcp sport 1024 tcp dport 22 tcp sequence 0
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x16000004 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# tcp sequence 0 tcp sport 1024 tcp dport 22
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+  [ payload load 4b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x16000004 ]
+
+# tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000004  : 0 [end]	element 0000fe03  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# tcp sequence 22
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x16000000 ]
+
+# tcp sequence != 233
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp neq reg 1 0xe9000000 ]
+
+# tcp sequence 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x21000000 ]
+  [ cmp lte reg 1 0x2d000000 ]
+
+# tcp sequence != 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ range neq reg 1 0x21000000 0x2d000000 ]
+
+# tcp sequence { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# tcp sequence != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# tcp ackseq 42949672 drop
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x285c8f02 ]
+  [ immediate reg 0 drop ]
+
+# tcp ackseq 22
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x16000000 ]
+
+# tcp ackseq != 233
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ cmp neq reg 1 0xe9000000 ]
+
+# tcp ackseq 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ cmp gte reg 1 0x21000000 ]
+  [ cmp lte reg 1 0x2d000000 ]
+
+# tcp ackseq != 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ range neq reg 1 0x21000000 0x2d000000 ]
+
+# tcp ackseq { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# tcp ackseq != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000001  : 0 [end]	element 00000002  : 0 [end]	element 00000004  : 0 [end]	element 00000008  : 0 [end]	element 00000010  : 0 [end]	element 00000020  : 0 [end]	element 00000040  : 0 [end]	element 00000080  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 drop ]
+
+# tcp flags != { fin, urg, ecn, cwr} drop
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000001  : 0 [end]	element 00000020  : 0 [end]	element 00000040  : 0 [end]	element 00000080  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 drop ]
+
+# tcp flags cwr
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000080 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# tcp flags != cwr
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ cmp neq reg 1 0x00000080 ]
+
+# tcp flags == syn
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+
+# tcp flags fin,syn / fin,syn
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000003 ]
+
+# tcp flags != syn / fin,syn
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000002 ]
+
+# tcp flags & syn != 0
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# tcp flags & syn == 0
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# tcp flags & (syn | ack) != 0
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000012 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# tcp flags & (syn | ack) == 0
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000012 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# tcp flags & syn == syn
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000002 ]
+
+# tcp flags & syn != syn
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000002 ]
+
+# tcp flags & (fin | syn | rst | ack) syn
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000002 ]
+
+# tcp flags & (fin | syn | rst | ack) == syn
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000002 ]
+
+# tcp flags & (fin | syn | rst | ack) != syn
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000002 ]
+
+# tcp flags & (fin | syn | rst | ack) == (syn | ack)
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000012 ]
+
+# tcp flags & (fin | syn | rst | ack) != (syn | ack)
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000012 ]
+
+# tcp flags & (syn | ack) == (syn | ack)
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000012 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000012 ]
+
+# tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x000000ff ]
+
+# tcp window 22222
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 14 => reg 1 ]
+  [ cmp eq reg 1 0x0000ce56 ]
+
+# tcp window 22
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 14 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# tcp window != 233
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 14 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# tcp window 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 14 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# tcp window != 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 14 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# tcp window { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 14 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# tcp window != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 14 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# tcp checksum 22
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# tcp checksum != 233
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 16 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# tcp checksum 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# tcp checksum != 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 16 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# tcp checksum { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# tcp checksum != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# tcp urgptr 1234 accept
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 18 => reg 1 ]
+  [ cmp eq reg 1 0x0000d204 ]
+  [ immediate reg 0 accept ]
+
+# tcp urgptr 22
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 18 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# tcp urgptr != 233
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 18 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# tcp urgptr 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 18 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# tcp urgptr != 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 18 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# tcp urgptr { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 18 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# tcp urgptr != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 18 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# tcp doff 8
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000080 ]
+
+# tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack }
+__set%d test-inet 3
+__set%d test-inet 0
+        element 00000001  : 0 [end]     element 00000010  : 0 [end]     element 00000018  : 0 [end]     element 00000019  : 0 [end]
+ip
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000003f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+
+# tcp flags { syn, syn | ack }
+__set%d test-inet 3
+__set%d test-inet 0
+        element 00000002  : 0 [end]     element 00000012  : 0 [end]
+inet
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# tcp flags ! fin,rst
+inet
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000005 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
diff --git a/tests/py/inet/tproxy.t b/tests/py/inet/tproxy.t
new file mode 100644
index 0000000..d23bbcb
--- /dev/null
+++ b/tests/py/inet/tproxy.t
@@ -0,0 +1,21 @@
+:y;type filter hook prerouting priority -150
+
+*inet;x;y
+
+tproxy;fail
+meta l4proto 17 tproxy to 192.0.2.1;fail
+meta l4proto 6 tproxy to 192.0.2.1:50080;fail
+meta l4proto 17 tproxy ip to 192.0.2.1;ok
+meta l4proto 6 tproxy ip to 192.0.2.1:50080;ok
+ip protocol 6 tproxy ip6 to [2001:db8::1];fail
+
+meta l4proto 6 tproxy to [2001:db8::1];fail
+meta l4proto 17 tproxy to [2001:db8::1]:50080;fail
+meta l4proto 6 tproxy ip6 to [2001:db8::1];ok
+meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080;ok
+ip6 nexthdr 6 tproxy ip to 192.0.2.1;fail
+
+meta l4proto 17 tproxy ip to :50080;ok
+meta l4proto 17 tproxy ip6 to :50080;ok
+meta l4proto 17 tproxy to :50080;ok
+ip daddr 0.0.0.0/0 meta l4proto 6 tproxy ip to :2000;ok
diff --git a/tests/py/inet/tproxy.t.json b/tests/py/inet/tproxy.t.json
new file mode 100644
index 0000000..7b3b11c
--- /dev/null
+++ b/tests/py/inet/tproxy.t.json
@@ -0,0 +1,185 @@
+# meta l4proto 17 tproxy ip to 192.0.2.1
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 17
+        }
+    },
+    {
+        "tproxy": {
+            "addr": "192.0.2.1",
+            "family": "ip"
+        }
+    }
+]
+
+# meta l4proto 6 tproxy ip to 192.0.2.1:50080
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "tproxy": {
+            "addr": "192.0.2.1",
+            "family": "ip",
+            "port": 50080
+        }
+    }
+]
+
+# meta l4proto 6 tproxy ip6 to [2001:db8::1]
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "tproxy": {
+            "addr": "2001:db8::1",
+            "family": "ip6"
+        }
+    }
+]
+
+# meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 17
+        }
+    },
+    {
+        "tproxy": {
+            "addr": "2001:db8::1",
+            "family": "ip6",
+            "port": 50080
+        }
+    }
+]
+
+# meta l4proto 17 tproxy ip to :50080
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 17
+        }
+    },
+    {
+        "tproxy": {
+            "family": "ip",
+            "port": 50080
+        }
+    }
+]
+
+# meta l4proto 17 tproxy ip6 to :50080
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 17
+        }
+    },
+    {
+        "tproxy": {
+            "family": "ip6",
+            "port": 50080
+        }
+    }
+]
+
+# meta l4proto 17 tproxy to :50080
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 17
+        }
+    },
+    {
+        "tproxy": {
+            "port": 50080
+        }
+    }
+]
+
+# ip daddr 0.0.0.0/0 meta l4proto 6 tproxy ip to :2000
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": {
+                "prefix": {
+			"addr": "0.0.0.0",
+			"len": 0
+		}
+	    }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "tproxy": {
+	    "family": "ip",
+            "port": 2000
+        }
+    }
+]
diff --git a/tests/py/inet/tproxy.t.payload b/tests/py/inet/tproxy.t.payload
new file mode 100644
index 0000000..24bf8f6
--- /dev/null
+++ b/tests/py/inet/tproxy.t.payload
@@ -0,0 +1,63 @@
+# meta l4proto 17 tproxy ip to 192.0.2.1
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ tproxy ip addr reg 1 ]
+
+# meta l4proto 6 tproxy ip to 192.0.2.1:50080
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ immediate reg 2 0x0000a0c3 ]
+  [ tproxy ip addr reg 1 port reg 2 ]
+
+# meta l4proto 6 tproxy ip6 to [2001:db8::1]
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0xb80d0120 0x00000000 0x00000000 0x01000000 ]
+  [ tproxy ip6 addr reg 1 ]
+
+# meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ immediate reg 1 0xb80d0120 0x00000000 0x00000000 0x01000000 ]
+  [ immediate reg 2 0x0000a0c3 ]
+  [ tproxy ip6 addr reg 1 port reg 2 ]
+
+# meta l4proto 17 tproxy to :50080
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ immediate reg 1 0x0000a0c3 ]
+  [ tproxy port reg 1 ]
+
+# meta l4proto 17 tproxy ip to :50080
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ immediate reg 1 0x0000a0c3 ]
+  [ tproxy ip port reg 1 ]
+
+# meta l4proto 17 tproxy ip6 to :50080
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ immediate reg 1 0x0000a0c3 ]
+  [ tproxy ip6 port reg 1 ]
+
+# ip daddr 0.0.0.0/0 meta l4proto 6 tproxy ip to :2000
+inet x y 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000000 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x0000d007 ]
+  [ tproxy ip port reg 1 ]
+
diff --git a/tests/py/inet/udp.t b/tests/py/inet/udp.t
new file mode 100644
index 0000000..7f21c8e
--- /dev/null
+++ b/tests/py/inet/udp.t
@@ -0,0 +1,45 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+udp sport 80 accept;ok
+udp sport != 60 accept;ok
+udp sport 50-70 accept;ok
+udp sport != 50-60 accept;ok
+udp sport { 49, 50} drop;ok
+udp sport != { 50, 60} accept;ok
+
+udp dport set {1, 2, 3};fail
+
+udp dport 80 accept;ok
+udp dport != 60 accept;ok
+udp dport 70-75 accept;ok
+udp dport != 50-60 accept;ok
+udp dport { 49, 50} drop;ok
+udp dport != { 50, 60} accept;ok
+
+udp length 6666;ok
+udp length != 6666;ok
+udp length 50-65 accept;ok
+udp length != 50-65 accept;ok
+udp length { 50, 65} accept;ok
+udp length != { 50, 65} accept;ok
+
+udp checksum 6666 drop;ok
+udp checksum != { 444, 555} accept;ok
+
+udp checksum 22;ok
+udp checksum != 233;ok
+udp checksum 33-45;ok
+udp checksum != 33-45;ok
+udp checksum { 33, 55, 67, 88};ok
+udp checksum != { 33, 55, 67, 88};ok
+
+# limit impact to lo
+iif "lo" udp checksum set 0;ok
+iif "lo" udp dport set 65535;ok
diff --git a/tests/py/inet/udp.t.json b/tests/py/inet/udp.t.json
new file mode 100644
index 0000000..665998e
--- /dev/null
+++ b/tests/py/inet/udp.t.json
@@ -0,0 +1,583 @@
+# udp sport 80 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 80
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udp sport != 60 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "!=",
+            "right": 60
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udp sport 50-70 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 50, 70 ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udp sport != 50-60 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 50, 60 ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udp sport { 49, 50} drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    49,
+                    50
+                ]
+            }
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# udp sport != { 50, 60} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    50,
+                    60
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udp dport 80 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 80
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udp dport != 60 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "!=",
+            "right": 60
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udp dport 70-75 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 70, 75 ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udp dport != 50-60 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 50, 60 ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udp dport { 49, 50} drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    49,
+                    50
+                ]
+            }
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# udp dport != { 50, 60} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    50,
+                    60
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udp length 6666
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "length",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 6666
+        }
+    }
+]
+
+# udp length != 6666
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "length",
+                    "protocol": "udp"
+                }
+            },
+            "op": "!=",
+            "right": 6666
+        }
+    }
+]
+
+# udp length 50-65 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "length",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 50, 65 ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udp length != 50-65 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "length",
+                    "protocol": "udp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 50, 65 ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udp length { 50, 65} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "length",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    50,
+                    65
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udp length != { 50, 65} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "length",
+                    "protocol": "udp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    50,
+                    65
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udp checksum 6666 drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 6666
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# udp checksum != { 444, 555} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "udp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    444,
+                    555
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udp checksum 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# udp checksum != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "udp"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# udp checksum 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# udp checksum != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "udp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# udp checksum { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# udp checksum != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "udp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# iif "lo" udp checksum set 0
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "udp"
+                }
+            },
+            "value": 0
+        }
+    }
+]
+
+# iif "lo" udp dport set 65535
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "value": 65535
+        }
+    }
+]
+
diff --git a/tests/py/inet/udp.t.payload b/tests/py/inet/udp.t.payload
new file mode 100644
index 0000000..e6beda7
--- /dev/null
+++ b/tests/py/inet/udp.t.payload
@@ -0,0 +1,248 @@
+# udp sport 80 accept
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00005000 ]
+  [ immediate reg 0 accept ]
+
+# udp sport != 60 accept
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00003c00 ]
+  [ immediate reg 0 accept ]
+
+# udp sport 50-70 accept
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ cmp gte reg 1 0x00003200 ]
+  [ cmp lte reg 1 0x00004600 ]
+  [ immediate reg 0 accept ]
+
+# udp sport != 50-60 accept
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ range neq reg 1 0x00003200 0x00003c00 ]
+  [ immediate reg 0 accept ]
+
+# udp sport { 49, 50} drop
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00003100  : 0 [end]	element 00003200  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 drop ]
+
+# udp sport != { 50, 60} accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00003200  : 0 [end]	element 00003c00  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# udp dport 80 accept
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00005000 ]
+  [ immediate reg 0 accept ]
+
+# udp dport != 60 accept
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp neq reg 1 0x00003c00 ]
+  [ immediate reg 0 accept ]
+
+# udp dport 70-75 accept
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00004600 ]
+  [ cmp lte reg 1 0x00004b00 ]
+  [ immediate reg 0 accept ]
+
+# udp dport != 50-60 accept
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ range neq reg 1 0x00003200 0x00003c00 ]
+  [ immediate reg 0 accept ]
+
+# udp dport { 49, 50} drop
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00003100  : 0 [end]	element 00003200  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 drop ]
+
+# udp dport != { 50, 60} accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00003200  : 0 [end]	element 00003c00  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# udp length 6666
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00000a1a ]
+
+# udp length != 6666
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ cmp neq reg 1 0x00000a1a ]
+
+# udp length 50-65 accept
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x00003200 ]
+  [ cmp lte reg 1 0x00004100 ]
+  [ immediate reg 0 accept ]
+
+# udp length != 50-65 accept
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ range neq reg 1 0x00003200 0x00004100 ]
+  [ immediate reg 0 accept ]
+
+# udp length { 50, 65} accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00003200  : 0 [end]	element 00004100  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# udp length != { 50, 65} accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00003200  : 0 [end]	element 00004100  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# udp checksum 6666 drop
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000a1a ]
+  [ immediate reg 0 drop ]
+
+# udp checksum != { 444, 555} accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 0000bc01  : 0 [end]	element 00002b02  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# udp checksum 22
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# udp checksum != 233
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# udp checksum 33-45
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# udp checksum != 33-45
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# udp checksum { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# udp checksum != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# iif "lo" udp checksum set 0
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ immediate reg 1 0x00000000 ]
+  [ payload write reg 1 => 2b @ transport header + 6 csum_type 1 csum_off 6 csum_flags 0x0 ]
+
+# iif "lo" udp dport set 65535
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ immediate reg 1 0x0000ffff ]
+  [ payload write reg 1 => 2b @ transport header + 2 csum_type 1 csum_off 6 csum_flags 0x0 ]
diff --git a/tests/py/inet/udplite.t b/tests/py/inet/udplite.t
new file mode 100644
index 0000000..6a54709
--- /dev/null
+++ b/tests/py/inet/udplite.t
@@ -0,0 +1,38 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+udplite sport 80 accept;ok
+udplite sport != 60 accept;ok
+udplite sport 50-70 accept;ok
+udplite sport != 50-60 accept;ok
+udplite sport { 49, 50} drop;ok
+udplite sport != { 49, 50} accept;ok
+
+udplite dport 80 accept;ok
+udplite dport != 60 accept;ok
+udplite dport 70-75 accept;ok
+udplite dport != 50-60 accept;ok
+udplite dport { 49, 50} drop;ok
+udplite dport != { 49, 50} accept;ok
+
+- udplite csumcov 6666;ok
+- udplite csumcov != 6666;ok
+- udplite csumcov 50-65 accept;ok
+- udplite csumcov != 50-65 accept;ok
+- udplite csumcov { 50, 65} accept;ok
+- udplite csumcov != { 50, 65} accept;ok
+
+udplite checksum 6666 drop;ok
+udplite checksum != { 444, 555} accept;ok
+udplite checksum 22;ok
+udplite checksum != 233;ok
+udplite checksum 33-45;ok
+udplite checksum != 33-45;ok
+udplite checksum { 33, 55, 67, 88};ok
+udplite checksum != { 33, 55, 67, 88};ok
diff --git a/tests/py/inet/udplite.t.json b/tests/py/inet/udplite.t.json
new file mode 100644
index 0000000..713a534
--- /dev/null
+++ b/tests/py/inet/udplite.t.json
@@ -0,0 +1,413 @@
+# udplite sport 80 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "udplite"
+                }
+            },
+	    "op": "==",
+            "right": 80
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udplite sport != 60 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "udplite"
+                }
+            },
+            "op": "!=",
+            "right": 60
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udplite sport 50-70 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "udplite"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 50, 70 ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udplite sport != 50-60 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "udplite"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 50, 60 ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udplite sport { 49, 50} drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "udplite"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    49,
+                    50
+                ]
+            }
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# udplite sport != { 49, 50} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "udplite"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    49,
+                    50
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udplite dport 80 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udplite"
+                }
+            },
+	    "op": "==",
+            "right": 80
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udplite dport != 60 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udplite"
+                }
+            },
+            "op": "!=",
+            "right": 60
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udplite dport 70-75 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udplite"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 70, 75 ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udplite dport != 50-60 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udplite"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 50, 60 ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udplite dport { 49, 50} drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udplite"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    49,
+                    50
+                ]
+            }
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# udplite dport != { 49, 50} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udplite"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    49,
+                    50
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udplite checksum 6666 drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "udplite"
+                }
+            },
+	    "op": "==",
+            "right": 6666
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# udplite checksum != { 444, 555} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "udplite"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    444,
+                    555
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# udplite checksum 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "udplite"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# udplite checksum != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "udplite"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# udplite checksum 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "udplite"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# udplite checksum != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "udplite"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# udplite checksum { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "udplite"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# udplite checksum != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "udplite"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/inet/udplite.t.payload b/tests/py/inet/udplite.t.payload
new file mode 100644
index 0000000..de9d09e
--- /dev/null
+++ b/tests/py/inet/udplite.t.payload
@@ -0,0 +1,178 @@
+# udplite sport 80 accept
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00005000 ]
+  [ immediate reg 0 accept ]
+
+# udplite sport != 60 accept
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00003c00 ]
+  [ immediate reg 0 accept ]
+
+# udplite sport 50-70 accept
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ cmp gte reg 1 0x00003200 ]
+  [ cmp lte reg 1 0x00004600 ]
+  [ immediate reg 0 accept ]
+
+# udplite sport != 50-60 accept
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ range neq reg 1 0x00003200 0x00003c00 ]
+  [ immediate reg 0 accept ]
+
+# udplite sport { 49, 50} drop
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00003100  : 0 [end]	element 00003200  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 drop ]
+
+# udplite sport != { 49, 50} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00003100  : 0 [end]	element 00003200  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# udplite dport 80 accept
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00005000 ]
+  [ immediate reg 0 accept ]
+
+# udplite dport != 60 accept
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp neq reg 1 0x00003c00 ]
+  [ immediate reg 0 accept ]
+
+# udplite dport 70-75 accept
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00004600 ]
+  [ cmp lte reg 1 0x00004b00 ]
+  [ immediate reg 0 accept ]
+
+# udplite dport != 50-60 accept
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ range neq reg 1 0x00003200 0x00003c00 ]
+  [ immediate reg 0 accept ]
+
+# udplite dport { 49, 50} drop
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00003100  : 0 [end]	element 00003200  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 drop ]
+
+# udplite dport != { 49, 50} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00003100  : 0 [end]	element 00003200  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# udplite checksum 6666 drop
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000a1a ]
+  [ immediate reg 0 drop ]
+
+# udplite checksum != { 444, 555} accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 0000bc01  : 0 [end]	element 00002b02  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# udplite checksum 22
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# udplite checksum != 233
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# udplite checksum 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# udplite checksum != 33-45
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# udplite checksum { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# udplite checksum != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/vmap.t b/tests/py/inet/vmap.t
new file mode 100644
index 0000000..0ac6e56
--- /dev/null
+++ b/tests/py/inet/vmap.t
@@ -0,0 +1,10 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop };ok;iifname . ip protocol . th dport vmap { "eth0" . 6 . 22 : accept, "eth1" . 17 . 67 : drop }
+ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e };ok
+udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept };ok
diff --git a/tests/py/inet/vmap.t.json b/tests/py/inet/vmap.t.json
new file mode 100644
index 0000000..37472cc
--- /dev/null
+++ b/tests/py/inet/vmap.t.json
@@ -0,0 +1,144 @@
+# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop }
+[
+    {
+        "vmap": {
+            "data": {
+                "set": [
+                    [
+                        {
+                            "concat": [
+                                "eth0",
+                                6,
+                                22
+                            ]
+                        },
+                        {
+                            "accept": null
+                        }
+                    ],
+                    [
+                        {
+                            "concat": [
+                                "eth1",
+                                17,
+                                67
+                            ]
+                        },
+                        {
+                            "drop": null
+                        }
+                    ]
+                ]
+            },
+            "key": {
+                "concat": [
+                    {
+                        "meta": {
+                            "key": "iifname"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "protocol",
+                            "protocol": "ip"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "dport",
+                            "protocol": "th"
+                        }
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "base": "ih",
+                            "len": 32,
+                            "offset": 32
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "1.1.1.1",
+                            20
+                        ]
+                    },
+                    {
+                        "concat": [
+                            "2.2.2.2",
+                            30
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept }
+[
+    {
+        "vmap": {
+            "data": {
+                "set": [
+                    [
+                        {
+                            "concat": [
+                                {
+                                    "range": [
+                                        47,
+                                        63
+                                    ]
+                                },
+                                "0xe373135363130333131303735353203"
+                            ]
+                        },
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            },
+            "key": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "length",
+                            "protocol": "udp"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "base": "th",
+                            "len": 128,
+                            "offset": 160
+                        }
+                    }
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/inet/vmap.t.payload b/tests/py/inet/vmap.t.payload
new file mode 100644
index 0000000..29ec846
--- /dev/null
+++ b/tests/py/inet/vmap.t.payload
@@ -0,0 +1,34 @@
+# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop }
+__map%d test-inet b size 2
+__map%d test-inet 0
+	element 30687465 00000000 00000000 00000000 00000006 00001600  : accept 0 [end]	element 31687465 00000000 00000000 00000000 00000011 00004300  : drop 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ meta load iifname => reg 1 ]
+  [ payload load 1b @ network header + 9 => reg 2 ]
+  [ payload load 2b @ transport header + 2 => reg 13 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
+__set%d test-inet 3 size 2
+__set%d test-inet 0
+        element 01010101 14000000  : 0 [end]    element 02020202 1e000000  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ inner header + 4 => reg 9 ]
+  [ lookup reg 1 set __set%d ]
+
+# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept }
+__map%d x 8f size 1
+__map%d x 0
+	element 00002f00 3531370e 33303136 37303131 03323535  - 00003f00 3531370e 33303136 37303131 03323535  : accept 0 [end]
+inet x y
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ payload load 16b @ transport header + 20 => reg 9 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
diff --git a/tests/py/inet/vmap.t.payload.netdev b/tests/py/inet/vmap.t.payload.netdev
new file mode 100644
index 0000000..3f51bb3
--- /dev/null
+++ b/tests/py/inet/vmap.t.payload.netdev
@@ -0,0 +1,34 @@
+# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop }
+__map%d test-netdev b size 2
+__map%d test-netdev 0
+	element 30687465 00000000 00000000 00000000 00000006 00001600  : accept 0 [end]	element 31687465 00000000 00000000 00000000 00000011 00004300  : drop 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ meta load iifname => reg 1 ]
+  [ payload load 1b @ network header + 9 => reg 2 ]
+  [ payload load 2b @ transport header + 2 => reg 13 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
+__set%d test-netdev 3 size 2
+__set%d test-netdev 0
+	element 01010101 14000000  : 0 [end]	element 02020202 1e000000  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ inner header + 4 => reg 9 ]
+  [ lookup reg 1 set __set%d ]
+
+# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept }
+__map%d test-netdev 8f size 1
+__map%d test-netdev 0
+	element 00002f00 3531370e 33303136 37303131 03323535  - 00003f00 3531370e 33303136 37303131 03323535  : accept 0 [end]
+netdev test-netdev ingress
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ payload load 16b @ transport header + 20 => reg 9 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
diff --git a/tests/py/inet/vxlan.t b/tests/py/inet/vxlan.t
new file mode 100644
index 0000000..10cdb7a
--- /dev/null
+++ b/tests/py/inet/vxlan.t
@@ -0,0 +1,23 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+vxlan vni 10;fail
+udp dport 4789 vxlan vni 10;ok
+udp dport 4789 vxlan ip saddr 10.141.11.2;ok
+udp dport 4789 vxlan ip saddr 10.141.11.0/24;ok
+udp dport 4789 vxlan ip protocol 1;ok
+udp dport 4789 vxlan udp sport 8888;ok
+udp dport 4789 vxlan icmp type echo-reply;ok
+udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05;ok
+udp dport 4789 vxlan vlan id 10;ok
+udp dport 4789 vxlan ip dscp 0x02;ok
+udp dport 4789 vxlan ip dscp 0x02;ok
+udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 };ok
+
+udp dport 4789 vxlan ip saddr set 1.2.3.4;fail
diff --git a/tests/py/inet/vxlan.t.json b/tests/py/inet/vxlan.t.json
new file mode 100644
index 0000000..91b3d29
--- /dev/null
+++ b/tests/py/inet/vxlan.t.json
@@ -0,0 +1,344 @@
+# udp dport 4789 vxlan vni 10
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 4789
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "vni",
+                    "protocol": "vxlan",
+                    "tunnel": "vxlan"
+                }
+            },
+            "op": "==",
+            "right": 10
+        }
+    }
+]
+
+# udp dport 4789 vxlan ip saddr 10.141.11.2
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 4789
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip",
+                    "tunnel": "vxlan"
+                }
+            },
+            "op": "==",
+            "right": "10.141.11.2"
+        }
+    }
+]
+
+# udp dport 4789 vxlan ip saddr 10.141.11.0/24
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 4789
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip",
+                    "tunnel": "vxlan"
+                }
+            },
+            "op": "==",
+            "right": {
+                "prefix": {
+                    "addr": "10.141.11.0",
+                    "len": 24
+                }
+            }
+        }
+    }
+]
+
+# udp dport 4789 vxlan ip protocol 1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 4789
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip",
+                    "tunnel": "vxlan"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# udp dport 4789 vxlan udp sport 8888
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 4789
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sport",
+                    "protocol": "udp",
+                    "tunnel": "vxlan"
+                }
+            },
+            "op": "==",
+            "right": 8888
+        }
+    }
+]
+
+# udp dport 4789 vxlan icmp type echo-reply
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 4789
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp",
+                    "tunnel": "vxlan"
+                }
+            },
+            "op": "==",
+            "right": "echo-reply"
+        }
+    }
+]
+
+# udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 4789
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether",
+                    "tunnel": "vxlan"
+                }
+            },
+            "op": "==",
+            "right": "62:87:4d:d6:19:05"
+        }
+    }
+]
+
+# udp dport 4789 vxlan vlan id 10
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 4789
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "vlan",
+                    "tunnel": "vxlan"
+                }
+            },
+            "op": "==",
+            "right": 10
+        }
+    }
+]
+
+# udp dport 4789 vxlan ip dscp 0x02
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 4789
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip",
+                    "tunnel": "vxlan"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    }
+]
+
+# udp dport 4789 vxlan ip dscp 0x02
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 4789
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip",
+                    "tunnel": "vxlan"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    }
+]
+
+# udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 4789
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip",
+                            "tunnel": "vxlan"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip",
+                            "tunnel": "vxlan"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "1.2.3.4",
+                            "4.3.2.1"
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/inet/vxlan.t.payload b/tests/py/inet/vxlan.t.payload
new file mode 100644
index 0000000..cde8e56
--- /dev/null
+++ b/tests/py/inet/vxlan.t.payload
@@ -0,0 +1,114 @@
+# udp dport 4789 vxlan vni 10
+netdev test-netdev ingress
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000b512 ]
+  [ inner type 1 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ]
+  [ cmp eq reg 1 0x000a0000 ]
+
+# udp dport 4789 vxlan ip saddr 10.141.11.2
+netdev test-netdev ingress
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000b512 ]
+  [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ]
+  [ cmp eq reg 1 0x020b8d0a ]
+
+# udp dport 4789 vxlan ip saddr 10.141.11.0/24
+netdev test-netdev ingress
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000b512 ]
+  [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 1 hdrsize 8 flags f [ payload load 3b @ network header + 12 => reg 1 ] ]
+  [ cmp eq reg 1 0x000b8d0a ]
+
+# udp dport 4789 vxlan ip protocol 1
+netdev test-netdev ingress
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000b512 ]
+  [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 1 hdrsize 8 flags f [ payload load 1b @ network header + 9 => reg 1 ] ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# udp dport 4789 vxlan udp sport 8888
+netdev test-netdev ingress
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000b512 ]
+  [ inner type 1 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ inner type 1 hdrsize 8 flags f [ payload load 2b @ transport header + 0 => reg 1 ] ]
+  [ cmp eq reg 1 0x0000b822 ]
+
+# udp dport 4789 vxlan icmp type echo-reply
+netdev test-netdev ingress
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000b512 ]
+  [ inner type 1 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 1 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ inner type 1 hdrsize 8 flags f [ payload load 1b @ transport header + 0 => reg 1 ] ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05
+netdev test-netdev ingress
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000b512 ]
+  [ inner type 1 hdrsize 8 flags f [ payload load 6b @ link header + 6 => reg 1 ] ]
+  [ cmp eq reg 1 0xd64d8762 0x00000519 ]
+
+# udp dport 4789 vxlan vlan id 10
+netdev test-netdev ingress
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000b512 ]
+  [ inner type 1 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ inner type 1 hdrsize 8 flags f [ payload load 2b @ link header + 14 => reg 1 ] ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000a00 ]
+
+# udp dport 4789 vxlan ip dscp 0x02
+netdev test-netdev ingress
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000b512 ]
+  [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 1 hdrsize 8 flags f [ payload load 1b @ network header + 1 => reg 1 ] ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }
+__set%d test-netdev 3 size 1
+__set%d test-netdev 0
+        element 04030201 01020304  : 0 [end]
+netdev test-netdev ingress
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000b512 ]
+  [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ]
+  [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 16 => reg 9 ] ]
+  [ lookup reg 1 set __set%d ]
+
diff --git a/tests/py/ip/chains.t b/tests/py/ip/chains.t
new file mode 100644
index 0000000..fc3745e
--- /dev/null
+++ b/tests/py/ip/chains.t
@@ -0,0 +1,15 @@
+# filter chains available are: input, output, forward, prerouting, postrouting
+:filter-input;type filter hook input priority 0
+:filter-pre;type filter hook prerouting priority 0
+:filter-forw;type filter hook forward priority 0
+:filter-out;type filter hook output priority 0
+:filter-post;type filter hook postrouting priority 0
+# nat chains available are: input, output, prerouting, postrouting
+:nat-input-t;type nat hook input priority 0
+:nat-pre-t;type nat hook prerouting priority 0
+:nat-out-t;type nat hook output priority 0
+:nat-post-t;type nat hook postrouting priority 0
+# route chain available are: output
+:route-out-t;type route hook output priority 0
+
+*ip;test-ip4;filter-input,filter-pre,filter-forw,filter-out,filter-post,nat-input-t,nat-pre-t,nat-out-t,nat-post-t,route-out-t
diff --git a/tests/py/ip/ct.t b/tests/py/ip/ct.t
new file mode 100644
index 0000000..a0a2228
--- /dev/null
+++ b/tests/py/ip/ct.t
@@ -0,0 +1,36 @@
+:output;type filter hook output priority 0
+
+*ip;test-ip4;output
+
+ct original ip saddr 192.168.0.1;ok
+ct reply ip saddr 192.168.0.1;ok
+ct original ip daddr 192.168.0.1;ok
+ct reply ip daddr 192.168.0.1;ok
+
+# same, but with a netmask
+ct original ip saddr 192.168.1.0/24;ok
+ct reply ip saddr 192.168.1.0/24;ok
+ct original ip daddr 192.168.1.0/24;ok
+ct reply ip daddr 192.168.1.0/24;ok
+
+ct l3proto ipv4;ok
+ct l3proto foobar;fail
+
+ct protocol 6 ct original proto-dst 22;ok
+ct original protocol 17 ct reply proto-src 53;ok;ct protocol 17 ct reply proto-src 53
+
+# wrong address family
+ct reply ip daddr dead::beef;fail
+
+meta mark set ct original daddr map { 1.1.1.1 : 0x00000011 };fail
+meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 };ok
+meta mark set ct original saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e };fail
+meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e };ok
+ct original saddr . meta mark { 1.1.1.1 . 0x00000014 };fail
+ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 };ok
+ct mark set ip dscp << 2 | 0x10;ok
+ct mark set ip dscp << 26 | 0x10;ok
+ct mark set ip dscp & 0x0f << 1;ok;ct mark set ip dscp & af33
+ct mark set ip dscp & 0x0f << 2;ok;ct mark set ip dscp & 0x3c
+ct mark set ip dscp | 0x04;ok
+ct mark set ip dscp | 1 << 20;ok;ct mark set ip dscp | 0x100000
diff --git a/tests/py/ip/ct.t.json b/tests/py/ip/ct.t.json
new file mode 100644
index 0000000..915632a
--- /dev/null
+++ b/tests/py/ip/ct.t.json
@@ -0,0 +1,481 @@
+# ct original ip saddr 192.168.0.1
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "original",
+                    "key": "ip saddr"
+                }
+            },
+	    "op": "==",
+            "right": "192.168.0.1"
+        }
+    }
+]
+
+# ct reply ip saddr 192.168.0.1
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "reply",
+                    "key": "ip saddr"
+                }
+            },
+	    "op": "==",
+            "right": "192.168.0.1"
+        }
+    }
+]
+
+# ct original ip daddr 192.168.0.1
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "original",
+                    "key": "ip daddr"
+                }
+            },
+	    "op": "==",
+            "right": "192.168.0.1"
+        }
+    }
+]
+
+# ct reply ip daddr 192.168.0.1
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "reply",
+                    "key": "ip daddr"
+                }
+            },
+	    "op": "==",
+            "right": "192.168.0.1"
+        }
+    }
+]
+
+# ct original ip saddr 192.168.1.0/24
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "original",
+                    "key": "ip saddr"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "prefix": {
+                    "addr": "192.168.1.0",
+                    "len": 24
+                }
+            }
+        }
+    }
+]
+
+# ct reply ip saddr 192.168.1.0/24
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "reply",
+                    "key": "ip saddr"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "prefix": {
+                    "addr": "192.168.1.0",
+                    "len": 24
+                }
+            }
+        }
+    }
+]
+
+# ct original ip daddr 192.168.1.0/24
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "original",
+                    "key": "ip daddr"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "prefix": {
+                    "addr": "192.168.1.0",
+                    "len": 24
+                }
+            }
+        }
+    }
+]
+
+# ct reply ip daddr 192.168.1.0/24
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "reply",
+                    "key": "ip daddr"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "prefix": {
+                    "addr": "192.168.1.0",
+                    "len": 24
+                }
+            }
+        }
+    }
+]
+
+# ct l3proto ipv4
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "l3proto"
+                }
+            },
+	    "op": "==",
+            "right": "ipv4"
+        }
+    }
+]
+
+# ct protocol 6 ct original proto-dst 22
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "protocol"
+                }
+            },
+	    "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "original",
+                    "key": "proto-dst"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# ct original protocol 17 ct reply proto-src 53
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "original",
+                    "key": "protocol"
+                }
+            },
+	    "op": "==",
+            "right": 17
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "reply",
+                    "key": "proto-src"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    }
+]
+
+# meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 }
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                "1.1.1.1",
+                                17
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "ct": {
+                            "dir": "original",
+                            "key": "ip daddr"
+                        }
+                    }
+                }
+            }
+        }
+    }
+]
+
+# meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e }
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                {
+                                    "concat": [
+                                        "1.1.1.1",
+                                        20
+                                    ]
+                                },
+                                30
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "concat": [
+                            {
+                                "ct": {
+                                    "dir": "original",
+                                    "key": "ip saddr"
+                                }
+                            },
+                            {
+                                "meta": {
+                                    "key": "mark"
+                                }
+                            }
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
+# ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 }
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "ct": {
+                            "dir": "original",
+                            "key": "ip saddr"
+                        }
+                    },
+                    {
+                        "meta": {
+                            "key": "mark"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "1.1.1.1",
+                            20
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set ip dscp << 2 | 0x10
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "<<": [
+                            {
+                                "payload": {
+                                    "field": "dscp",
+                                    "protocol": "ip"
+                                }
+                            },
+                            2
+                        ]
+                    },
+                    16
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set ip dscp << 26 | 0x10
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "<<": [
+                            {
+                                "payload": {
+                                    "field": "dscp",
+                                    "protocol": "ip"
+                                }
+                            },
+                            26
+                        ]
+                    },
+                    16
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set ip dscp & 0x0f << 1
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "dscp",
+                            "protocol": "ip"
+                        }
+                    },
+                    "af33"
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set ip dscp & 0x0f << 2
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "dscp",
+                            "protocol": "ip"
+                        }
+                    },
+                    60
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set ip dscp | 0x04
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "payload": {
+                            "field": "dscp",
+                            "protocol": "ip"
+                        }
+                    },
+                    4
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set ip dscp | 1 << 20
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "payload": {
+                            "field": "dscp",
+                            "protocol": "ip"
+                        }
+                    },
+                    1048576
+                ]
+            }
+        }
+    }
+]
diff --git a/tests/py/ip/ct.t.json.output b/tests/py/ip/ct.t.json.output
new file mode 100644
index 0000000..cf4abae
--- /dev/null
+++ b/tests/py/ip/ct.t.json.output
@@ -0,0 +1,27 @@
+# ct original protocol 17 ct reply proto-src 53
+[
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "protocol"
+                }
+            },
+	    "op": "==",
+            "right": 17
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "dir": "reply",
+                    "key": "proto-src"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    }
+]
+
diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload
new file mode 100644
index 0000000..692011d
--- /dev/null
+++ b/tests/py/ip/ct.t.payload
@@ -0,0 +1,136 @@
+# ct original ip saddr 192.168.0.1
+ip test-ip4 output
+  [ ct load src_ip => reg 1 , dir original ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+
+# ct reply ip saddr 192.168.0.1
+ip test-ip4 output
+  [ ct load src_ip => reg 1 , dir reply ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+
+# ct original ip daddr 192.168.0.1
+ip test-ip4 output
+  [ ct load dst_ip => reg 1 , dir original ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+
+# ct reply ip daddr 192.168.0.1
+ip test-ip4 output
+  [ ct load dst_ip => reg 1 , dir reply ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+
+# ct original ip saddr 192.168.1.0/24
+ip test-ip4 output
+  [ ct load src_ip => reg 1 , dir original ]
+  [ cmp eq reg 1 0x0001a8c0 ]
+
+# ct reply ip saddr 192.168.1.0/24
+ip test-ip4 output
+  [ ct load src_ip => reg 1 , dir reply ]
+  [ cmp eq reg 1 0x0001a8c0 ]
+
+# ct original ip daddr 192.168.1.0/24
+ip test-ip4 output
+  [ ct load dst_ip => reg 1 , dir original ]
+  [ cmp eq reg 1 0x0001a8c0 ]
+
+# ct reply ip daddr 192.168.1.0/24
+ip test-ip4 output
+  [ ct load dst_ip => reg 1 , dir reply ]
+  [ cmp eq reg 1 0x0001a8c0 ]
+
+# ct l3proto ipv4
+ip test-ip4 output
+  [ ct load l3protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+
+# ct protocol 6 ct original proto-dst 22
+ip test-ip4 output
+  [ ct load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ ct load proto_dst => reg 1 , dir original ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ct original protocol 17 ct reply proto-src 53
+ip test-ip4 output
+  [ ct load protocol => reg 1 , dir original ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ ct load proto_src => reg 1 , dir reply ]
+  [ cmp eq reg 1 0x00003500 ]
+
+# meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 }
+__map%d test-ip4 b
+__map%d test-ip4 0
+        element 01010101  : 00000011 0 [end]
+ip
+  [ ct load dst_ip => reg 1 , dir original ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ meta set mark with reg 1 ]
+
+# meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e }
+__map%d test-ip4 b
+__map%d test-ip4 0
+        element 01010101 00000014  : 0000001e 0 [end]
+ip
+  [ ct load src_ip => reg 1 , dir original ]
+  [ meta load mark => reg 9 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ meta set mark with reg 1 ]
+
+# ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 }
+__set%d test-ip4 3
+__set%d test-ip4 0
+        element 01010101 00000014  : 0 [end]
+ip
+  [ ct load src_ip => reg 1 , dir original ]
+  [ meta load mark => reg 9 ]
+  [ lookup reg 1 set __set%d ]
+
+# ct mark set ip dscp << 2 | 0x10
+ip test-ip4 output
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+  [ bitwise reg 1 = ( reg 1 << 0x00000002 ) ]
+  [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set ip dscp << 26 | 0x10
+ip
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+  [ bitwise reg 1 = ( reg 1 << 0x0000001a ) ]
+  [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set ip dscp & 0x0f << 1
+ip test-ip4 output
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set ip dscp & 0x0f << 2
+ip test-ip4 output
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000003c ) ^ 0x00000000 ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set ip dscp | 0x04
+ip test-ip4 output
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+  [ bitwise reg 1 = ( reg 1 & 0xfffffffb ) ^ 0x00000004 ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set ip dscp | 1 << 20
+ip test-ip4 output
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+  [ bitwise reg 1 = ( reg 1 & 0xffefffff ) ^ 0x00100000 ]
+  [ ct set mark with reg 1 ]
diff --git a/tests/py/ip/dnat.t b/tests/py/ip/dnat.t
new file mode 100644
index 0000000..881571d
--- /dev/null
+++ b/tests/py/ip/dnat.t
@@ -0,0 +1,23 @@
+:prerouting;type nat hook prerouting priority 0
+
+*ip;test-ip4;prerouting
+
+iifname "eth0" tcp dport 80-90 dnat to 192.168.3.2;ok
+iifname "eth0" tcp dport != 80-90 dnat to 192.168.3.2;ok
+iifname "eth0" tcp dport {80, 90, 23} dnat to 192.168.3.2;ok
+iifname "eth0" tcp dport != {80, 90, 23} dnat to 192.168.3.2;ok
+iifname "eth0" tcp dport != 23-34 dnat to 192.168.3.2;ok
+iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080;ok
+iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080-8999;ok
+iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080;ok
+iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080-8999;ok
+
+dnat to ct mark map { 0x00000014 : 1.2.3.4};ok
+dnat to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok
+
+dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24  . 8888 - 8999 };ok
+dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24  . 80 };ok
+dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2 . 8888 - 8999 };ok
+ip daddr 192.168.0.1 dnat ip to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 };ok
+meta l4proto 6 dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 };ok
+dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 };ok
diff --git a/tests/py/ip/dnat.t.json b/tests/py/ip/dnat.t.json
new file mode 100644
index 0000000..fe15d07
--- /dev/null
+++ b/tests/py/ip/dnat.t.json
@@ -0,0 +1,743 @@
+# iifname "eth0" tcp dport 80-90 dnat to 192.168.3.2
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 80, 90 ]
+            }
+        }
+    },
+    {
+        "dnat": {
+            "addr": "192.168.3.2"
+        }
+    }
+]
+
+# iifname "eth0" tcp dport != 80-90 dnat to 192.168.3.2
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 80, 90 ]
+            }
+        }
+    },
+    {
+        "dnat": {
+            "addr": "192.168.3.2"
+        }
+    }
+]
+
+# iifname "eth0" tcp dport {80, 90, 23} dnat to 192.168.3.2
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    23,
+                    80,
+                    90
+                ]
+            }
+        }
+    },
+    {
+        "dnat": {
+            "addr": "192.168.3.2"
+        }
+    }
+]
+
+# iifname "eth0" tcp dport != {80, 90, 23} dnat to 192.168.3.2
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    23,
+                    80,
+                    90
+                ]
+            }
+        }
+    },
+    {
+        "dnat": {
+            "addr": "192.168.3.2"
+        }
+    }
+]
+
+# iifname "eth0" tcp dport != 23-34 dnat to 192.168.3.2
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 23, 34 ]
+            }
+        }
+    },
+    {
+        "dnat": {
+            "addr": "192.168.3.2"
+        }
+    }
+]
+
+# iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 81
+        }
+    },
+    {
+        "dnat": {
+            "addr": "192.168.3.2",
+            "port": 8080
+        }
+    }
+]
+
+# dnat to ct mark map { 0x00000014 : 1.2.3.4}
+[
+    {
+        "dnat": {
+            "addr": {
+                "map": {
+                    "key": {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                "0x00000014",
+                                "1.2.3.4"
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
+# dnat to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4}
+[
+    {
+        "dnat": {
+            "addr": {
+                "map": {
+                    "key": {
+                        "concat": [
+                            {
+                                "ct": {
+                                    "key": "mark"
+                                }
+                            },
+                            {
+                                "payload": {
+                                    "field": "daddr",
+                                    "protocol": "ip"
+                                }
+                            }
+                        ]
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                {
+                                    "concat": [
+                                        "0x00000014",
+                                        "1.1.1.1"
+                                    ]
+                                },
+                                "1.2.3.4"
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
+# iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080-8999
+[
+    {
+	"match": {
+	    "left": {
+		"meta": {
+		    "key": "iifname"
+		}
+	    },
+	    "op": "==",
+	    "right": "eth0"
+	}
+    },
+    {
+	"match": {
+	    "left": {
+		"payload": {
+		    "field": "dport",
+		    "protocol": "tcp"
+		}
+	    },
+	    "op": "==",
+	    "right": 81
+	}
+    },
+    {
+	"dnat": {
+	    "addr": "192.168.3.2",
+	    "port": {
+		"range": [
+		    8080,
+		    8999
+		]
+	    }
+	}
+    }
+]
+
+# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080-8999
+[
+    {
+	"match": {
+	    "left": {
+		"meta": {
+		    "key": "iifname"
+		}
+	    },
+	    "op": "==",
+	    "right": "eth0"
+	}
+    },
+    {
+	"match": {
+	    "left": {
+		"payload": {
+		    "field": "dport",
+		    "protocol": "tcp"
+		}
+	    },
+	    "op": "==",
+	    "right": 81
+	}
+    },
+    {
+	"dnat": {
+	    "addr": {
+		"range": [
+		    "192.168.3.2",
+		    "192.168.3.4"
+		]
+	    },
+	    "port": {
+		"range": [
+		    8080,
+		    8999
+		]
+	    }
+	}
+    }
+]
+
+# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080
+[
+    {
+	"match": {
+	    "left": {
+		"meta": {
+		    "key": "iifname"
+		}
+	    },
+	    "op": "==",
+	    "right": "eth0"
+	}
+    },
+    {
+	"match": {
+	    "left": {
+		"payload": {
+		    "field": "dport",
+		    "protocol": "tcp"
+		}
+	    },
+	    "op": "==",
+	    "right": 81
+	}
+    },
+    {
+	"dnat": {
+	    "addr": {
+		"range": [
+		    "192.168.3.2",
+		    "192.168.3.4"
+		]
+	    },
+	    "port": 8080
+	}
+    }
+]
+
+# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2 . 8888 - 8999 }
+[
+    {
+	"dnat": {
+	    "addr": {
+		"map": {
+		    "data": {
+			"set": [
+			    [
+				{
+				    "concat": [
+					"192.168.1.2",
+					80
+				    ]
+				},
+				{
+				    "concat": [
+					"10.141.10.2",
+					{
+					    "range": [
+						8888,
+						8999
+					    ]
+					}
+				    ]
+				}
+			    ]
+			]
+		    },
+		    "key": {
+			"concat": [
+			    {
+				"payload": {
+				    "field": "saddr",
+				    "protocol": "ip"
+				}
+			    },
+			    {
+				"payload": {
+				    "field": "dport",
+				    "protocol": "tcp"
+				}
+			    }
+			]
+		    }
+		}
+	    },
+	    "family": "ip"
+	}
+    }
+]
+
+# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24  . 8888 - 8999 }
+[
+    {
+	"dnat": {
+	    "addr": {
+		"map": {
+		    "data": {
+			"set": [
+			    [
+				{
+				    "concat": [
+					"192.168.1.2",
+					80
+				    ]
+				},
+				{
+				    "concat": [
+					{
+					    "prefix": {
+						"addr": "10.141.10.0",
+						"len": 24
+					    }
+					},
+					{
+					    "range": [
+						8888,
+						8999
+					    ]
+					}
+				    ]
+				}
+			    ]
+			]
+		    },
+		    "key": {
+			"concat": [
+			    {
+				"payload": {
+				    "field": "saddr",
+				    "protocol": "ip"
+				}
+			    },
+			    {
+				"payload": {
+				    "field": "dport",
+				    "protocol": "tcp"
+				}
+			    }
+			]
+		    }
+		}
+	    },
+	    "family": "ip"
+	}
+    }
+]
+
+# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24  . 80 }
+[
+    {
+	"dnat": {
+	    "addr": {
+		"map": {
+		    "data": {
+			"set": [
+			    [
+				{
+				    "concat": [
+					"192.168.1.2",
+					80
+				    ]
+				},
+				{
+				    "concat": [
+					{
+					    "prefix": {
+						"addr": "10.141.10.0",
+						"len": 24
+					    }
+					},
+					80
+				    ]
+				}
+			    ]
+			]
+		    },
+		    "key": {
+			"concat": [
+			    {
+				"payload": {
+				    "field": "saddr",
+				    "protocol": "ip"
+				}
+			    },
+			    {
+				"payload": {
+				    "field": "dport",
+				    "protocol": "tcp"
+				}
+			    }
+			]
+		    }
+		}
+	    },
+	    "family": "ip"
+	}
+    }
+]
+
+# ip daddr 192.168.0.1 dnat ip to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 }
+[
+    {
+	"match": {
+	    "left": {
+		"payload": {
+		    "field": "daddr",
+		    "protocol": "ip"
+		}
+	    },
+	    "op": "==",
+	    "right": "192.168.0.1"
+	}
+    },
+    {
+	"dnat": {
+	    "addr": {
+		"map": {
+		    "data": {
+			"set": [
+			    [
+				80,
+				{
+				    "concat": [
+					"10.141.10.4",
+					8080
+				    ]
+				}
+			    ],
+			    [
+				443,
+				{
+				    "concat": [
+					"10.141.10.4",
+					8443
+				    ]
+				}
+			    ]
+			]
+		    },
+		    "key": {
+			"payload": {
+			    "field": "dport",
+			    "protocol": "tcp"
+			}
+		    }
+		}
+	    },
+	    "family": "ip"
+	}
+    }
+]
+
+# meta l4proto 6 dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 }
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "dnat": {
+            "addr": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                {
+                                    "concat": [
+                                        "enp2s0",
+                                        "10.1.1.136"
+                                    ]
+                                },
+                                {
+                                    "concat": [
+                                        "1.1.2.69",
+                                        22
+                                    ]
+                                }
+                            ],
+                            [
+                                {
+                                    "concat": [
+                                        "enp2s0",
+                                        {
+                                            "range": [
+                                                "10.1.1.1",
+                                                "10.1.1.135"
+                                            ]
+                                        }
+                                    ]
+                                },
+                                {
+                                    "concat": [
+                                        {
+                                            "range": [
+                                                "1.1.2.66",
+                                                "1.84.236.78"
+                                            ]
+                                        },
+                                        22
+                                    ]
+                                }
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "concat": [
+                            {
+                                "meta": {
+                                    "key": "iifname"
+                                }
+                            },
+                            {
+                                "payload": {
+                                    "field": "saddr",
+                                    "protocol": "ip"
+                                }
+                            }
+                        ]
+                    }
+                }
+            },
+            "family": "ip"
+        }
+    }
+]
+
+# dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 }
+[
+    {
+        "dnat": {
+            "addr": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                {
+                                    "concat": [
+                                        "enp2s0",
+                                        "10.1.1.136"
+                                    ]
+                                },
+                                {
+                                    "prefix": {
+                                        "addr": "1.1.2.69",
+                                        "len": 32
+                                    }
+                                }
+                            ],
+                            [
+                                {
+                                    "concat": [
+                                        "enp2s0",
+                                        {
+                                            "range": [
+                                                "10.1.1.1",
+                                                "10.1.1.135"
+                                            ]
+                                        }
+                                    ]
+                                },
+                                {
+                                    "range": [
+                                        "1.1.2.66",
+                                        "1.84.236.78"
+                                    ]
+                                }
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "concat": [
+                            {
+                                "meta": {
+                                    "key": "iifname"
+                                }
+                            },
+                            {
+                                "payload": {
+                                    "field": "saddr",
+                                    "protocol": "ip"
+                                }
+                            }
+                        ]
+                    }
+                }
+            },
+            "family": "ip"
+        }
+    }
+]
+
diff --git a/tests/py/ip/dnat.t.json.output b/tests/py/ip/dnat.t.json.output
new file mode 100644
index 0000000..4f2c6df
--- /dev/null
+++ b/tests/py/ip/dnat.t.json.output
@@ -0,0 +1,65 @@
+# dnat to ct mark map { 0x00000014 : 1.2.3.4}
+[
+    {
+        "dnat": {
+            "addr": {
+                "map": {
+                    "key": {
+                        "ct": {
+                            "key": "mark"
+                        }
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                20,
+                                "1.2.3.4"
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
+# dnat to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4}
+[
+    {
+        "dnat": {
+            "addr": {
+                "map": {
+                    "key": {
+                        "concat": [
+                            {
+                                "ct": {
+                                    "key": "mark"
+                                }
+                            },
+                            {
+                                "payload": {
+                                    "field": "daddr",
+                                    "protocol": "ip"
+                                }
+                            }
+                        ]
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                {
+                                    "concat": [
+                                        20,
+                                        "1.1.1.1"
+                                    ]
+                                },
+                                "1.2.3.4"
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip/dnat.t.payload.ip b/tests/py/ip/dnat.t.payload.ip
new file mode 100644
index 0000000..439c6ab
--- /dev/null
+++ b/tests/py/ip/dnat.t.payload.ip
@@ -0,0 +1,204 @@
+# iifname "eth0" tcp dport 80-90 dnat to 192.168.3.2
+ip test-ip4 prerouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00005000 ]
+  [ cmp lte reg 1 0x00005a00 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat dnat ip addr_min reg 1 ]
+
+# iifname "eth0" tcp dport != 80-90 dnat to 192.168.3.2
+ip test-ip4 prerouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ range neq reg 1 0x00005000 0x00005a00 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat dnat ip addr_min reg 1 ]
+
+# iifname "eth0" tcp dport {80, 90, 23} dnat to 192.168.3.2
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00005000  : 0 [end]	element 00005a00  : 0 [end]	element 00001700  : 0 [end]
+ip test-ip4 prerouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat dnat ip addr_min reg 1 ]
+
+# iifname "eth0" tcp dport != {80, 90, 23} dnat to 192.168.3.2
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00005000  : 0 [end]	element 00005a00  : 0 [end]	element 00001700  : 0 [end]
+ip test-ip4 prerouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat dnat ip addr_min reg 1 ]
+
+# iifname "eth0" tcp dport != 23-34 dnat to 192.168.3.2
+ip test-ip4 prerouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ range neq reg 1 0x00001700 0x00002200 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat dnat ip addr_min reg 1 ]
+
+# iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080
+ip test-ip4 prerouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00005100 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ immediate reg 2 0x0000901f ]
+  [ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ]
+
+# dnat to ct mark map { 0x00000014 : 1.2.3.4}
+__map%d test-ip4 b
+__map%d test-ip4 0
+	element 00000014  : 04030201 0 [end]
+ip test-ip4 prerouting
+  [ ct load mark => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat dnat ip addr_min reg 1 ]
+
+# dnat to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4}
+__map%d test-ip4 b
+__map%d test-ip4 0
+	element 00000014 01010101  : 04030201 0 [end]
+ip test-ip4 output
+  [ ct load mark => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat dnat ip addr_min reg 1 ]
+
+# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24  . 8888 - 8999 }
+__map%d test-ip4 b size 1
+__map%d test-ip4 0
+        element 0201a8c0 00005000  : 000a8d0a 0000b822 ff0a8d0a 00002723 0 [end]
+ip
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 2b @ transport header + 2 => reg 9 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ]
+
+# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24  . 80 }
+__map%d test-ip4 b size 1
+__map%d test-ip4 0
+        element 0201a8c0 00005000  : 000a8d0a 00005000 ff0a8d0a 00005000 0 [end]
+ip
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 2b @ transport header + 2 => reg 9 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ]
+
+# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2 . 8888 - 8999 }
+__map%d test-ip4 b size 1
+__map%d test-ip4 0
+        element 0201a8c0 00005000  : 020a8d0a 0000b822 020a8d0a 00002723 0 [end]
+ip
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 2b @ transport header + 2 => reg 9 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ]
+
+# iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080-8999
+ip
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00005100 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ immediate reg 2 0x0000901f ]
+  [ immediate reg 3 0x00002723 ]
+  [ nat dnat ip addr_min reg 1 proto_min reg 2 proto_max reg 3 flags 0x2 ]
+
+# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080
+ip
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00005100 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ immediate reg 2 0x0403a8c0 ]
+  [ immediate reg 3 0x0000901f ]
+  [ nat dnat ip addr_min reg 1 addr_max reg 2 proto_min reg 3 flags 0x2 ]
+
+# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080-8999
+ip
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00005100 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ immediate reg 2 0x0403a8c0 ]
+  [ immediate reg 3 0x0000901f ]
+  [ immediate reg 4 0x00002723 ]
+  [ nat dnat ip addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 flags 0x2 ]
+
+# ip daddr 192.168.0.1 dnat ip to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 }
+__map%d test-ip4 b size 2
+__map%d test-ip4 0
+        element 0000bb01  : 040a8d0a 0000fb20 0 [end]   element 00005000  : 040a8d0a 0000901f 0 [end]
+ip
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat dnat ip addr_min reg 1 proto_min reg 9 ]
+
+# meta l4proto 6 dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 }
+__map%d test-ip4 8f size 2
+__map%d test-ip4 0
+        element 32706e65 00003073 00000000 00000000 8801010a  - 32706e65 00003073 00000000 00000000 8801010a  : 45020101 00001600 45020101 00001600 0 [end]     element 32706e65 00003073 00000000 00000000 0101010a  - 32706e65 00003073 00000000 00000000 8701010a  : 42020101 00001600 4eec5401 00001600 0 [end]
+ip test-ip4 prerouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ meta load iifname => reg 1 ]
+  [ payload load 4b @ network header + 12 => reg 2 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ]
+
+# dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 }
+__map%d test-ip4 8f size 2
+__map%d test-ip4 0
+        element 32706e65 00003073 00000000 00000000 8801010a  - 32706e65 00003073 00000000 00000000 8801010a  : 45020101 45020101 0 [end]       element 32706e65 00003073 00000000 00000000 0101010a  - 32706e65 00003073 00000000 00000000 8701010a  : 42020101 4eec5401 0 [end]
+ip test-ip4 prerouting
+  [ meta load iifname => reg 1 ]
+  [ payload load 4b @ network header + 12 => reg 2 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat dnat ip addr_min reg 1 addr_max reg 9 ]
+
diff --git a/tests/py/ip/dup.t b/tests/py/ip/dup.t
new file mode 100644
index 0000000..700031c
--- /dev/null
+++ b/tests/py/ip/dup.t
@@ -0,0 +1,7 @@
+:input;type filter hook input priority 0
+
+*ip;test-ip4;input
+
+dup to 192.168.2.1;ok
+dup to 192.168.2.1 device "lo";ok
+dup to ip saddr map { 192.168.2.120 : 192.168.2.1 } device "lo";ok
diff --git a/tests/py/ip/dup.t.json b/tests/py/ip/dup.t.json
new file mode 100644
index 0000000..aa1e826
--- /dev/null
+++ b/tests/py/ip/dup.t.json
@@ -0,0 +1,46 @@
+# dup to 192.168.2.1
+[
+    {
+        "dup": {
+            "addr": "192.168.2.1"
+        }
+    }
+]
+
+# dup to 192.168.2.1 device "lo"
+[
+    {
+        "dup": {
+            "addr": "192.168.2.1",
+            "dev": "lo"
+        }
+    }
+]
+
+# dup to ip saddr map { 192.168.2.120 : 192.168.2.1 } device "lo"
+[
+    {
+        "dup": {
+            "addr": {
+                "map": {
+                    "key": {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                "192.168.2.120",
+                                "192.168.2.1"
+                            ]
+                        ]
+                    }
+                }
+            },
+            "dev": "lo"
+        }
+    }
+]
+
diff --git a/tests/py/ip/dup.t.payload b/tests/py/ip/dup.t.payload
new file mode 100644
index 0000000..347dc07
--- /dev/null
+++ b/tests/py/ip/dup.t.payload
@@ -0,0 +1,21 @@
+# dup to 192.168.2.1
+ip test-ip4 test 
+  [ immediate reg 1 0x0102a8c0 ]
+  [ dup sreg_addr 1 ]
+
+# dup to 192.168.2.1 device "lo"
+ip test-ip4 test 
+  [ immediate reg 1 0x0102a8c0 ]
+  [ immediate reg 2 0x00000001 ]
+  [ dup sreg_addr 1 sreg_dev 2 ]
+
+# dup to ip saddr map { 192.168.2.120 : 192.168.2.1 } device "lo"
+__map%d test-ip4 b
+__map%d test-ip4 0
+        element 7802a8c0  : 0102a8c0 0 [end]
+ip test-ip4 test 
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ immediate reg 2 0x00000001 ]
+  [ dup sreg_addr 1 sreg_dev 2 ]
+
diff --git a/tests/py/ip/ether.t b/tests/py/ip/ether.t
new file mode 100644
index 0000000..e1d302c
--- /dev/null
+++ b/tests/py/ip/ether.t
@@ -0,0 +1,8 @@
+:input;type filter hook input priority 0
+
+*ip;test-ip;input
+
+tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04 accept
+tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04;ok
+tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4;ok
+ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept;ok
diff --git a/tests/py/ip/ether.t.json b/tests/py/ip/ether.t.json
new file mode 100644
index 0000000..355c7fc
--- /dev/null
+++ b/tests/py/ip/ether.t.json
@@ -0,0 +1,163 @@
+# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iiftype" }
+            },
+	    "op": "==",
+            "right": "ether"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    }
+]
+
+# tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    }
+]
+
+# ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
diff --git a/tests/py/ip/ether.t.json.output b/tests/py/ip/ether.t.json.output
new file mode 100644
index 0000000..1e5dd50
--- /dev/null
+++ b/tests/py/ip/ether.t.json.output
@@ -0,0 +1,43 @@
+# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.2.3.4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
diff --git a/tests/py/ip/ether.t.payload b/tests/py/ip/ether.t.payload
new file mode 100644
index 0000000..bd7c8f1
--- /dev/null
+++ b/tests/py/ip/ether.t.payload
@@ -0,0 +1,50 @@
+# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept
+ip test-ip input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+  [ immediate reg 0 accept ]
+
+# tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4
+ip test-ip input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+
+# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04
+ip test-ip input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+
+# ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept
+ip test-ip input
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ immediate reg 0 accept ]
+
diff --git a/tests/py/ip/flowtable.t b/tests/py/ip/flowtable.t
new file mode 100644
index 0000000..086c6cf
--- /dev/null
+++ b/tests/py/ip/flowtable.t
@@ -0,0 +1,5 @@
+:input;type filter hook input priority 0
+
+*ip;test-ip;input
+
+meter xyz size 8192 { ip saddr timeout 30s counter};ok
diff --git a/tests/py/ip/flowtable.t.json b/tests/py/ip/flowtable.t.json
new file mode 100644
index 0000000..a03cc9d
--- /dev/null
+++ b/tests/py/ip/flowtable.t.json
@@ -0,0 +1,24 @@
+# meter xyz size 8192 { ip saddr timeout 30s counter}
+[
+    {
+        "meter": {
+            "key": {
+                "elem": {
+                    "timeout": 30,
+                    "val": {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    }
+                }
+            },
+            "name": "xyz",
+            "size": 8192,
+            "stmt": {
+                "counter": null
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip/flowtable.t.payload b/tests/py/ip/flowtable.t.payload
new file mode 100644
index 0000000..c0aad39
--- /dev/null
+++ b/tests/py/ip/flowtable.t.payload
@@ -0,0 +1,7 @@
+# meter xyz size 8192 { ip saddr timeout 30s counter}
+xyz test-ip 31
+xyz test-ip 0
+ip test-ip input 
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ dynset update reg_key 1 set xyz timeout 30000ms expr [ counter pkts 0 bytes 0 ] ]
+
diff --git a/tests/py/ip/hash.t b/tests/py/ip/hash.t
new file mode 100644
index 0000000..cbfc7ee
--- /dev/null
+++ b/tests/py/ip/hash.t
@@ -0,0 +1,10 @@
+:pre;type nat hook prerouting priority 0
+*ip;test-ip4;pre
+
+ct mark set jhash ip saddr . ip daddr mod 2 seed 0xdeadbeef;ok
+ct mark set jhash ip saddr . ip daddr mod 2;ok
+ct mark set jhash ip saddr . ip daddr mod 2 seed 0x0;ok
+ct mark set jhash ip saddr . ip daddr mod 2 seed 0xdeadbeef offset 100;ok
+ct mark set jhash ip saddr . ip daddr mod 2 offset 100;ok
+dnat to jhash ip saddr mod 2 seed 0xdeadbeef map { 0 : 192.168.20.100, 1 : 192.168.30.100 };ok
+ct mark set symhash mod 2 offset 100;ok
diff --git a/tests/py/ip/hash.t.json b/tests/py/ip/hash.t.json
new file mode 100644
index 0000000..a95cf22
--- /dev/null
+++ b/tests/py/ip/hash.t.json
@@ -0,0 +1,230 @@
+# ct mark set jhash ip saddr . ip daddr mod 2 seed 0xdeadbeef
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "jhash": {
+                    "expr": {
+                        "concat": [
+                            {
+                                "payload": {
+                                    "field": "saddr",
+                                    "protocol": "ip"
+                                }
+                            },
+                            {
+                                "payload": {
+                                    "field": "daddr",
+                                    "protocol": "ip"
+                                }
+                            }
+                        ]
+                    },
+                    "mod": 2,
+                    "seed": 3735928559
+                }
+            }
+        }
+    }
+]
+
+# ct mark set jhash ip saddr . ip daddr mod 2
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "jhash": {
+                    "expr": {
+                        "concat": [
+                            {
+                                "payload": {
+                                    "field": "saddr",
+                                    "protocol": "ip"
+                                }
+                            },
+                            {
+                                "payload": {
+                                    "field": "daddr",
+                                    "protocol": "ip"
+                                }
+                            }
+                        ]
+                    },
+                    "mod": 2
+                }
+            }
+        }
+    }
+]
+
+# ct mark set jhash ip saddr . ip daddr mod 2 seed 0x0
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "jhash": {
+                    "expr": {
+                        "concat": [
+                            {
+                                "payload": {
+                                    "field": "saddr",
+                                    "protocol": "ip"
+                                }
+                            },
+                            {
+                                "payload": {
+                                    "field": "daddr",
+                                    "protocol": "ip"
+                                }
+                            }
+                        ]
+                    },
+                    "mod": 2,
+                    "seed": 0
+                }
+            }
+        }
+    }
+]
+
+# ct mark set jhash ip saddr . ip daddr mod 2 seed 0xdeadbeef offset 100
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "jhash": {
+                    "expr": {
+                        "concat": [
+                            {
+                                "payload": {
+                                    "field": "saddr",
+                                    "protocol": "ip"
+                                }
+                            },
+                            {
+                                "payload": {
+                                    "field": "daddr",
+                                    "protocol": "ip"
+                                }
+                            }
+                        ]
+                    },
+                    "mod": 2,
+                    "offset": 100,
+                    "seed": 3735928559
+                }
+            }
+        }
+    }
+]
+
+# ct mark set jhash ip saddr . ip daddr mod 2 offset 100
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "jhash": {
+                    "expr": {
+                        "concat": [
+                            {
+                                "payload": {
+                                    "field": "saddr",
+                                    "protocol": "ip"
+                                }
+                            },
+                            {
+                                "payload": {
+                                    "field": "daddr",
+                                    "protocol": "ip"
+                                }
+                            }
+                        ]
+                    },
+                    "mod": 2,
+                    "offset": 100
+                }
+            }
+        }
+    }
+]
+
+# dnat to jhash ip saddr mod 2 seed 0xdeadbeef map { 0 : 192.168.20.100, 1 : 192.168.30.100 }
+[
+    {
+        "dnat": {
+            "addr": {
+                "map": {
+                    "key": {
+                        "jhash": {
+                            "expr": {
+                                "payload": {
+                                    "field": "saddr",
+                                    "protocol": "ip"
+                                }
+                            },
+                            "mod": 2,
+                            "seed": 3735928559
+                        }
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                0,
+                                "192.168.20.100"
+                            ],
+                            [
+                                1,
+                                "192.168.30.100"
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
+# ct mark set symhash mod 2 offset 100
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "symhash": {
+                    "mod": 2,
+                    "offset": 100
+                }
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip/hash.t.payload b/tests/py/ip/hash.t.payload
new file mode 100644
index 0000000..fefe492
--- /dev/null
+++ b/tests/py/ip/hash.t.payload
@@ -0,0 +1,49 @@
+# ct mark set jhash ip saddr . ip daddr mod 2 seed 0xdeadbeef
+ip test-ip4 pre 
+  [ payload load 4b @ network header + 12 => reg 2 ]
+  [ payload load 4b @ network header + 16 => reg 13 ]
+  [ hash reg 1 = jhash(reg 2, 8, 0xdeadbeef) % mod 2 ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set jhash ip saddr . ip daddr mod 2
+ip test-ip4 pre
+  [ payload load 4b @ network header + 12 => reg 2 ]
+  [ payload load 4b @ network header + 16 => reg 13 ]
+  [ hash reg 1 = jhash(reg 2, 8, 0x0) % mod 2 ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set jhash ip saddr . ip daddr mod 2 seed 0x0
+ip test-ip4 pre
+  [ payload load 4b @ network header + 12 => reg 2 ]
+  [ payload load 4b @ network header + 16 => reg 13 ]
+  [ hash reg 1 = jhash(reg 2, 8, 0x0) % mod 2 ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set jhash ip saddr . ip daddr mod 2 seed 0xdeadbeef offset 100
+ip test-ip4 pre
+  [ payload load 4b @ network header + 12 => reg 2 ]
+  [ payload load 4b @ network header + 16 => reg 13 ]
+  [ hash reg 1 = jhash(reg 2, 8, 0xdeadbeef) % mod 2 offset 100 ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set jhash ip saddr . ip daddr mod 2 offset 100
+ip test-ip4 pre
+  [ payload load 4b @ network header + 12 => reg 2 ]
+  [ payload load 4b @ network header + 16 => reg 13 ]
+  [ hash reg 1 = jhash(reg 2, 8, 0x0) % mod 2 offset 100 ]
+  [ ct set mark with reg 1 ]
+
+# dnat to jhash ip saddr mod 2 seed 0xdeadbeef map { 0 : 192.168.20.100, 1 : 192.168.30.100 }
+__map%d test-ip4 b
+__map%d test-ip4 0
+	element 00000000  : 6414a8c0 0 [end]	element 00000001  : 641ea8c0 0 [end]
+ip test-ip4 pre 
+  [ payload load 4b @ network header + 12 => reg 2 ]
+  [ hash reg 1 = jhash(reg 2, 4, 0xdeadbeef) % mod 2 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat dnat ip addr_min reg 1 ]
+
+# ct mark set symhash mod 2 offset 100
+ip test-ip4 pre
+  [ hash reg 1 = symhash() % mod 2 offset 100 ]
+  [ ct set mark with reg 1 ]
diff --git a/tests/py/ip/icmp.t b/tests/py/ip/icmp.t
new file mode 100644
index 0000000..7ddf8b3
--- /dev/null
+++ b/tests/py/ip/icmp.t
@@ -0,0 +1,77 @@
+# BUG: There is a bug with icmp protocol and inet family.
+# *inet;test-inet
+:input;type filter hook input priority 0
+
+*ip;test-ip4;input
+
+icmp type echo-reply accept;ok
+icmp type destination-unreachable accept;ok
+icmp type source-quench accept;ok
+icmp type redirect accept;ok
+icmp type echo-request accept;ok
+icmp type time-exceeded accept;ok
+icmp type parameter-problem accept;ok
+icmp type timestamp-request accept;ok
+icmp type timestamp-reply accept;ok
+icmp type info-request accept;ok
+icmp type info-reply accept;ok
+icmp type address-mask-request accept;ok
+icmp type address-mask-reply accept;ok
+icmp type router-advertisement accept;ok
+icmp type router-solicitation accept;ok
+icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation} accept;ok
+icmp type != {echo-reply, destination-unreachable, source-quench};ok
+
+icmp code 111 accept;ok
+icmp code != 111 accept;ok
+icmp code 33-55;ok
+icmp code != 33-55;ok
+icmp code { 2, 4, 54, 33, 56};ok;icmp code { prot-unreachable, frag-needed, 33, 54, 56}
+icmp code != { prot-unreachable, frag-needed, 33, 54, 56};ok
+
+icmp checksum 12343 accept;ok
+icmp checksum != 12343 accept;ok
+icmp checksum 11-343 accept;ok
+icmp checksum != 11-343 accept;ok
+icmp checksum { 1111, 222, 343} accept;ok
+icmp checksum != { 1111, 222, 343} accept;ok
+
+icmp id 1245 log;ok;icmp type { echo-reply, echo-request} icmp id 1245 log
+icmp id 22;ok;icmp type { echo-reply, echo-request} icmp id 22
+icmp id != 233;ok;icmp type { echo-reply, echo-request} icmp id != 233
+icmp id 33-45;ok;icmp type { echo-reply, echo-request} icmp id 33-45
+icmp id != 33-45;ok;icmp type { echo-reply, echo-request} icmp id != 33-45
+
+icmp id { 22, 34, 333};ok;icmp type { echo-request, echo-reply} icmp id { 22, 34, 333}
+icmp id != { 22, 34, 333};ok;icmp type { echo-request, echo-reply} icmp id != { 22, 34, 333}
+
+icmp sequence 22;ok;icmp type { echo-reply, echo-request} icmp sequence 22
+icmp sequence != 233;ok;icmp type { echo-reply, echo-request} icmp sequence != 233
+icmp sequence 33-45;ok;icmp type { echo-reply, echo-request} icmp sequence 33-45
+icmp sequence != 33-45;ok;icmp type { echo-reply, echo-request} icmp sequence != 33-45
+icmp sequence { 33, 55, 67, 88};ok;icmp type { echo-request, echo-reply} icmp sequence { 33, 55, 67, 88}
+icmp sequence != { 33, 55, 67, 88};ok;icmp type { echo-request, echo-reply} icmp sequence != { 33, 55, 67, 88}
+icmp id 1 icmp sequence 2;ok;icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2
+icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2;ok
+icmp type echo-reply icmp id 1;ok
+
+icmp mtu 33;ok
+icmp mtu 22-33;ok
+icmp mtu 22;ok
+icmp mtu != 233;ok
+icmp mtu 33-45;ok
+icmp mtu != 33-45;ok
+icmp mtu { 33, 55, 67, 88};ok
+icmp mtu != { 33, 55, 67, 88};ok
+
+icmp gateway 22;ok
+icmp gateway != 233;ok
+icmp gateway 33-45;ok
+icmp gateway != 33-45;ok
+icmp gateway { 33, 55, 67, 88};ok
+icmp gateway != { 33, 55, 67, 88};ok
+icmp gateway != 34;ok
+icmp gateway != { 333, 334};ok
+
+icmp code 1 icmp type 2;ok;icmp type 2 icmp code host-unreachable
+icmp code != 1 icmp type 2 icmp mtu 5;fail
diff --git a/tests/py/ip/icmp.t.json b/tests/py/ip/icmp.t.json
new file mode 100644
index 0000000..4f05250
--- /dev/null
+++ b/tests/py/ip/icmp.t.json
@@ -0,0 +1,1494 @@
+# icmp type echo-reply accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": "echo-reply"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp type destination-unreachable accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": "destination-unreachable"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp type source-quench accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": "source-quench"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp type redirect accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": "redirect"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp type echo-request accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": "echo-request"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp type time-exceeded accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": "time-exceeded"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp type parameter-problem accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": "parameter-problem"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp type timestamp-request accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": "timestamp-request"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp type timestamp-reply accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": "timestamp-reply"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp type info-request accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": "info-request"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp type info-reply accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": "info-reply"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp type address-mask-request accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": "address-mask-request"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp type address-mask-reply accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": "address-mask-reply"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp type router-advertisement accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": "router-advertisement"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp type router-solicitation accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": "router-solicitation"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-reply",
+                    "destination-unreachable",
+                    "source-quench",
+                    "redirect",
+                    "echo-request",
+                    "router-advertisement",
+                    "router-solicitation",
+                    "time-exceeded",
+                    "parameter-problem",
+                    "timestamp-request",
+                    "timestamp-reply",
+                    "info-request",
+                    "info-reply",
+                    "address-mask-request",
+                    "address-mask-reply"
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp type != {echo-reply, destination-unreachable, source-quench}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "echo-reply",
+                    "destination-unreachable",
+                    "source-quench"
+                ]
+            }
+        }
+    }
+]
+
+# icmp code 111 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "code",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": 111
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp code != 111 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "code",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": 111
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp code 33-55
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "code",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [
+                    33,
+                    55
+                ]
+            }
+        }
+    }
+]
+
+# icmp code != 33-55
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "code",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [
+                    33,
+                    55
+                ]
+            }
+        }
+    }
+]
+
+# icmp code { 2, 4, 54, 33, 56}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "code",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    2,
+                    4,
+                    33,
+                    54,
+                    56
+                ]
+            }
+        }
+    }
+]
+
+# icmp code != { prot-unreachable, frag-needed, 33, 54, 56}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "code",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "prot-unreachable",
+                    "frag-needed",
+                    33,
+                    54,
+                    56
+                ]
+            }
+        }
+    }
+]
+
+# icmp checksum 12343 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": 12343
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp checksum != 12343 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": 12343
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp checksum 11-343 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [
+                    11,
+                    343
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp checksum != 11-343 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [
+                    11,
+                    343
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp checksum { 1111, 222, 343} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    222,
+                    343,
+                    1111
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp checksum != { 1111, 222, 343} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    222,
+                    343,
+                    1111
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmp id 1245 log
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": 1245
+        }
+    },
+    {
+        "log": null
+    }
+]
+
+# icmp id 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# icmp id != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# icmp id 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-reply",
+                    "echo-request"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [
+                    33,
+                    45
+                ]
+            }
+        }
+    }
+]
+
+# icmp id != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-reply",
+                    "echo-request"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [
+                    33,
+                    45
+                ]
+            }
+        }
+    }
+]
+
+# icmp id { 22, 34, 333}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-reply",
+                    "echo-request"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    22,
+                    34,
+                    333
+                ]
+            }
+        }
+    }
+]
+
+# icmp id != { 22, 34, 333}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-reply",
+                    "echo-request"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    22,
+                    34,
+                    333
+                ]
+            }
+        }
+    }
+]
+
+# icmp sequence 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-reply",
+                    "echo-request"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# icmp sequence != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-reply",
+                    "echo-request"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# icmp sequence 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-reply",
+                    "echo-request"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [
+                    33,
+                    45
+                ]
+            }
+        }
+    }
+]
+
+# icmp sequence != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-reply",
+                    "echo-request"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [
+                    33,
+                    45
+                ]
+            }
+        }
+    }
+]
+
+# icmp sequence { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-reply",
+                    "echo-request"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# icmp sequence != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-reply",
+                    "echo-request"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# icmp id 1 icmp sequence 2
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-reply",
+                    "echo-request"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    }
+]
+
+# icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-reply",
+                    "echo-request"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    }
+]
+
+# icmp type echo-reply icmp id 1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": "echo-reply"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# icmp mtu 33
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "mtu",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": 33
+        }
+    }
+]
+
+# icmp mtu 22-33
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "mtu",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [
+                    22,
+                    33
+                ]
+            }
+        }
+    }
+]
+
+# icmp mtu 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "mtu",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# icmp mtu != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "mtu",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# icmp mtu 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "mtu",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [
+                    33,
+                    45
+                ]
+            }
+        }
+    }
+]
+
+# icmp mtu != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "mtu",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [
+                    33,
+                    45
+                ]
+            }
+        }
+    }
+]
+
+# icmp mtu { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "mtu",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# icmp mtu != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "mtu",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# icmp gateway 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "gateway",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# icmp gateway != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "gateway",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# icmp gateway 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "gateway",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [
+                    33,
+                    45
+                ]
+            }
+        }
+    }
+]
+
+# icmp gateway != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "gateway",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [
+                    33,
+                    45
+                ]
+            }
+        }
+    }
+]
+
+# icmp gateway { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "gateway",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# icmp gateway != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "gateway",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# icmp gateway != 34
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "gateway",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": 34
+        }
+    }
+]
+
+# icmp gateway != { 333, 334}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "gateway",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    333,
+                    334
+                ]
+            }
+        }
+    }
+]
+
+# icmp code 1 icmp type 2
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "code",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": "host-unreachable"
+        }
+    }
+]
diff --git a/tests/py/ip/icmp.t.json.output b/tests/py/ip/icmp.t.json.output
new file mode 100644
index 0000000..5a07585
--- /dev/null
+++ b/tests/py/ip/icmp.t.json.output
@@ -0,0 +1,169 @@
+# icmp code { 2, 4, 54, 33, 56}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "code",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "prot-unreachable",
+                    "frag-needed",
+                    33,
+                    54,
+                    56
+                ]
+            }
+        }
+    }
+]
+
+# icmp id 1245 log
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-reply",
+                    "echo-request"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": 1245
+        }
+    },
+    {
+        "log": null
+    }
+]
+
+# icmp id 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-reply",
+                    "echo-request"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# icmp id != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-reply",
+                    "echo-request"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# icmp id { 33-55}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-reply",
+                    "echo-request"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "range": [
+                            33,
+                            55
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+
diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip
new file mode 100644
index 0000000..3bc6de3
--- /dev/null
+++ b/tests/py/ip/icmp.t.payload.ip
@@ -0,0 +1,619 @@
+# icmp type echo-reply accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+  [ immediate reg 0 accept ]
+
+# icmp type destination-unreachable accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000003 ]
+  [ immediate reg 0 accept ]
+
+# icmp type source-quench accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000004 ]
+  [ immediate reg 0 accept ]
+
+# icmp type redirect accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+  [ immediate reg 0 accept ]
+
+# icmp type echo-request accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ immediate reg 0 accept ]
+
+# icmp type time-exceeded accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x0000000b ]
+  [ immediate reg 0 accept ]
+
+# icmp type parameter-problem accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x0000000c ]
+  [ immediate reg 0 accept ]
+
+# icmp type timestamp-request accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x0000000d ]
+  [ immediate reg 0 accept ]
+
+# icmp type timestamp-reply accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x0000000e ]
+  [ immediate reg 0 accept ]
+
+# icmp type info-request accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x0000000f ]
+  [ immediate reg 0 accept ]
+
+# icmp type info-reply accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000010 ]
+  [ immediate reg 0 accept ]
+
+# icmp type address-mask-request accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ immediate reg 0 accept ]
+
+# icmp type address-mask-reply accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000012 ]
+  [ immediate reg 0 accept ]
+
+# icmp type != {echo-reply, destination-unreachable, source-quench}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000000  : 0 [end]	element 00000003  : 0 [end]	element 00000004  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# icmp code 111 accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ cmp eq reg 1 0x0000006f ]
+  [ immediate reg 0 accept ]
+
+# icmp code != 111 accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ cmp neq reg 1 0x0000006f ]
+  [ immediate reg 0 accept ]
+
+# icmp code 33-55
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x00000037 ]
+
+# icmp code != 33-55
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x00000037 ]
+
+# icmp code { 2, 4, 54, 33, 56}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000002  : 0 [end]	element 00000004  : 0 [end]	element 00000036  : 0 [end]	element 00000021  : 0 [end]	element 00000038  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# icmp code != { prot-unreachable, frag-needed, 33, 54, 56}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000002  : 0 [end]	element 00000004  : 0 [end]	element 00000036  : 0 [end]	element 00000021  : 0 [end]	element 00000038  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# icmp checksum 12343 accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003730 ]
+  [ immediate reg 0 accept ]
+
+# icmp checksum != 12343 accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp neq reg 1 0x00003730 ]
+  [ immediate reg 0 accept ]
+
+# icmp checksum 11-343 accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00000b00 ]
+  [ cmp lte reg 1 0x00005701 ]
+  [ immediate reg 0 accept ]
+
+# icmp checksum != 11-343 accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ range neq reg 1 0x00000b00 0x00005701 ]
+  [ immediate reg 0 accept ]
+
+# icmp checksum { 1111, 222, 343} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00005704  : 0 [end]	element 0000de00  : 0 [end]	element 00005701  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# icmp checksum != { 1111, 222, 343} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00005704  : 0 [end]	element 0000de00  : 0 [end]	element 00005701  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# icmp id 1245 log
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000000  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x0000dd04 ]
+  [ log ]
+
+# icmp id 22
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000000  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# icmp id != 233
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000000  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# icmp id 33-45
+__set%d test-ip4 3
+__set%d  test-ip4 input
+	element 00000008  : 0 [end]	element 00000000  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# icmp id != 33-45
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000000  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# icmp id { 22, 34, 333}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000000  : 0 [end]
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00001600  : 0 [end]	element 00002200  : 0 [end]	element 00004d01  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# icmp id != { 22, 34, 333}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000000  : 0 [end]
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00001600  : 0 [end]	element 00002200  : 0 [end]	element 00004d01  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# icmp sequence 22
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000000  : 0 [end]
+ip 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# icmp sequence != 233
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000000  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# icmp sequence 33-45
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000000  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# icmp sequence != 33-45
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000000  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# icmp sequence { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000000  : 0 [end]
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# icmp sequence != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000000  : 0 [end]
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# icmp id 1 icmp sequence 2
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000000  : 0 [end]
+ip 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x02000100 ]
+
+# icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000000  : 0 [end]	element 00000008  : 0 [end]
+ip 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x02000100 ]
+
+# icmp type echo-reply icmp id 1
+ip
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00000100 ]
+
+# icmp mtu 33
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000003 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00002100 ]
+
+# icmp mtu 22-33
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000003 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00001600 ]
+  [ cmp lte reg 1 0x00002100 ]
+
+# icmp mtu 22
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000003 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# icmp mtu != 233
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000003 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# icmp mtu 33-45
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000003 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# icmp mtu != 33-45
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000003 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# icmp mtu { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000003 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# icmp mtu != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000003 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# icmp gateway 22
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x16000000 ]
+
+# icmp gateway != 233
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp neq reg 1 0xe9000000 ]
+
+# icmp gateway 33-45
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x21000000 ]
+  [ cmp lte reg 1 0x2d000000 ]
+
+# icmp gateway != 33-45
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ range neq reg 1 0x21000000 0x2d000000 ]
+
+# icmp gateway { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# icmp gateway != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# icmp gateway != 34
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp neq reg 1 0x22000000 ]
+
+# icmp gateway != { 333, 334}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 4d010000  : 0 [end]	element 4e010000  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# icmp type router-advertisement accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000009 ]
+  [ immediate reg 0 accept ]
+
+# icmp type router-solicitation accept
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ immediate reg 0 accept ]
+
+# icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000000  : 0 [end]     element 00000003  : 0 [end]     element 00000004  : 0 [end]     element 00000005  : 0 [end]     element 00000008  : 0 [end]     element 0000000b  : 0 [end]     element 0000000c  : 0 [end]     element 0000000d  : 0 [end]     element 0000000e  : 0 [end]     element 0000000f  : 0 [end]     element 00000010  : 0 [end]     element 00000011  : 0 [end]     element 00000012  : 0 [end]     element 00000009  : 0 [end]     element 0000000a  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# icmp code 1 icmp type 2
+ip 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000102 ]
diff --git a/tests/py/ip/igmp.t b/tests/py/ip/igmp.t
new file mode 100644
index 0000000..a556e47
--- /dev/null
+++ b/tests/py/ip/igmp.t
@@ -0,0 +1,23 @@
+# *inet;test-inet
+:input;type filter hook input priority 0
+
+*ip;test-ip4;input
+
+igmp type membership-query;ok
+igmp type membership-report-v1;ok
+igmp type membership-report-v2;ok
+igmp type membership-report-v3;ok
+igmp type leave-group;ok
+
+igmp type { membership-report-v1, membership-report-v2, membership-report-v3};ok
+igmp type != { membership-report-v1, membership-report-v2, membership-report-v3};ok
+
+igmp checksum 12343;ok
+igmp checksum != 12343;ok
+igmp checksum 11-343;ok
+igmp checksum != 11-343;ok
+igmp checksum { 1111, 222, 343};ok
+igmp checksum != { 1111, 222, 343};ok
+
+igmp mrt 10;ok
+igmp mrt != 10;ok
diff --git a/tests/py/ip/igmp.t.json b/tests/py/ip/igmp.t.json
new file mode 100644
index 0000000..0e2a43f
--- /dev/null
+++ b/tests/py/ip/igmp.t.json
@@ -0,0 +1,273 @@
+# igmp type membership-query
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "igmp"
+                }
+            },
+            "op": "==",
+            "right": "membership-query"
+        }
+    }
+]
+
+# igmp type membership-report-v1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "igmp"
+                }
+            },
+            "op": "==",
+            "right": "membership-report-v1"
+        }
+    }
+]
+
+# igmp type membership-report-v2
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "igmp"
+                }
+            },
+            "op": "==",
+            "right": "membership-report-v2"
+        }
+    }
+]
+
+# igmp type membership-report-v3
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "igmp"
+                }
+            },
+            "op": "==",
+            "right": "membership-report-v3"
+        }
+    }
+]
+
+# igmp type leave-group
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "igmp"
+                }
+            },
+            "op": "==",
+            "right": "leave-group"
+        }
+    }
+]
+
+# igmp type { membership-report-v1, membership-report-v2, membership-report-v3}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "igmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "membership-report-v1",
+                    "membership-report-v2",
+                    "membership-report-v3"
+                ]
+            }
+        }
+    }
+]
+
+# igmp type != { membership-report-v1, membership-report-v2, membership-report-v3}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "igmp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "membership-report-v1",
+                    "membership-report-v2",
+                    "membership-report-v3"
+                ]
+            }
+        }
+    }
+]
+
+# igmp checksum 12343
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "igmp"
+                }
+            },
+            "op": "==",
+            "right": 12343
+        }
+    }
+]
+
+# igmp checksum != 12343
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "igmp"
+                }
+            },
+            "op": "!=",
+            "right": 12343
+        }
+    }
+]
+
+# igmp checksum 11-343
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "igmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [
+                    11,
+                    343
+                ]
+            }
+        }
+    }
+]
+
+# igmp checksum != 11-343
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "igmp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [
+                    11,
+                    343
+                ]
+            }
+        }
+    }
+]
+
+# igmp checksum { 1111, 222, 343}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "igmp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    222,
+                    343,
+                    1111
+                ]
+            }
+        }
+    }
+]
+
+# igmp checksum != { 1111, 222, 343}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "igmp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    222,
+                    343,
+                    1111
+                ]
+            }
+        }
+    }
+]
+
+# igmp mrt 10
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "mrt",
+                    "protocol": "igmp"
+                }
+            },
+            "op": "==",
+            "right": 10
+        }
+    }
+]
+
+# igmp mrt != 10
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "mrt",
+                    "protocol": "igmp"
+                }
+            },
+            "op": "!=",
+            "right": 10
+        }
+    }
+]
diff --git a/tests/py/ip/igmp.t.payload b/tests/py/ip/igmp.t.payload
new file mode 100644
index 0000000..940fe2c
--- /dev/null
+++ b/tests/py/ip/igmp.t.payload
@@ -0,0 +1,118 @@
+# igmp type membership-query
+ip test-ip4 input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+
+# igmp type membership-report-v1
+ip test-ip4 input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000012 ]
+
+# igmp type membership-report-v2
+ip test-ip4 input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# igmp type membership-report-v3
+ip test-ip4 input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000022 ]
+
+# igmp type leave-group
+ip test-ip4 input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000017 ]
+
+# igmp checksum 12343
+ip test-ip4 input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003730 ]
+
+# igmp checksum != 12343
+ip test-ip4 input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp neq reg 1 0x00003730 ]
+
+# igmp checksum 11-343
+ip test-ip4 input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00000b00 ]
+  [ cmp lte reg 1 0x00005701 ]
+
+# igmp checksum != 11-343
+ip test-ip4 input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ range neq reg 1 0x00000b00 0x00005701 ]
+
+# igmp checksum { 1111, 222, 343}
+__set%d test-ip4 3 size 3
+__set%d test-ip4 0
+	element 00005704  : 0 [end]	element 0000de00  : 0 [end]	element 00005701  : 0 [end]
+ip test-ip4 input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# igmp checksum != { 1111, 222, 343}
+__set%d test-ip4 3 size 3
+__set%d test-ip4 0
+	element 00005704  : 0 [end]	element 0000de00  : 0 [end]	element 00005701  : 0 [end]
+ip test-ip4 input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# igmp type { membership-report-v1, membership-report-v2, membership-report-v3}
+__set%d test-ip4 3 size 3
+__set%d test-ip4 0
+	element 00000012  : 0 [end]	element 00000016  : 0 [end]	element 00000022  : 0 [end]
+ip test-ip4 input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# igmp type != { membership-report-v1, membership-report-v2, membership-report-v3}
+__set%d test-ip4 3 size 3
+__set%d test-ip4 0
+	element 00000012  : 0 [end]	element 00000016  : 0 [end]	element 00000022  : 0 [end]
+ip test-ip4 input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# igmp mrt 10
+ip test-ip4 input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+
+# igmp mrt != 10
+ip test-ip4 input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ cmp neq reg 1 0x0000000a ]
+
diff --git a/tests/py/ip/ip.t b/tests/py/ip/ip.t
new file mode 100644
index 0000000..720d9ae
--- /dev/null
+++ b/tests/py/ip/ip.t
@@ -0,0 +1,135 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*inet;test-inet;input
+*bridge;test-bridge;input
+*netdev;test-netdev;ingress,egress
+
+- ip version 2;ok
+
+# bug ip hdrlength
+- ip hdrlength 10;ok
+- ip hdrlength != 5;ok
+- ip hdrlength 5-8;ok
+- ip hdrlength != 3-13;ok
+- ip hdrlength {3, 5, 6, 8};ok
+- ip hdrlength != {3, 5, 7, 8};ok
+- ip hdrlength { 3-5};ok
+- ip hdrlength != { 3-59};ok
+# ip hdrlength 12
+# <cmdline>:1:1-38: Error: Could not process rule: Invalid argument
+# add rule ip test input ip hdrlength 12
+# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+# <cmdline>:1:37-38: Error: Value 22 exceeds valid range 0-15
+# add rule ip test input ip hdrlength 22
+
+ip dscp cs1;ok
+ip dscp != cs1;ok
+ip dscp 0x38;ok;ip dscp cs7
+ip dscp != 0x20;ok;ip dscp != cs4
+ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef};ok
+- ip dscp {0x08, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38, 0x00, 0x0a, 0x0c, 0x0e, 0x12, 0x14, 0x16, 0x1a, 0x1c, 0x1e, 0x22, 0x24, 0x26, 0x2e};ok
+ip dscp != {cs0, cs3};ok
+ip dscp vmap { cs1 : continue , cs4 : accept } counter;ok
+
+ip length 232;ok
+ip length != 233;ok
+ip length 333-435;ok
+ip length != 333-453;ok
+ip length { 333, 553, 673, 838};ok
+ip length != { 333, 553, 673, 838};ok
+
+ip id 22;ok
+ip id != 233;ok
+ip id 33-45;ok
+ip id != 33-45;ok
+ip id { 33, 55, 67, 88};ok
+ip id != { 33, 55, 67, 88};ok
+
+ip frag-off 0xde accept;ok
+ip frag-off != 0xe9;ok
+ip frag-off 0x21-0x2d;ok
+ip frag-off != 0x21-0x2d;ok
+ip frag-off { 0x21, 0x37, 0x43, 0x58};ok
+ip frag-off != { 0x21, 0x37, 0x43, 0x58};ok
+ip frag-off & 0x1fff != 0x0;ok
+ip frag-off & 0x2000 != 0x0;ok
+ip frag-off & 0x4000 != 0x0;ok
+
+ip ttl 0 drop;ok
+ip ttl 233;ok
+ip ttl 33-55;ok
+ip ttl != 45-50;ok
+ip ttl {43, 53, 45 };ok
+ip ttl != {43, 53, 45 };ok
+
+ip protocol tcp;ok;ip protocol 6
+ip protocol != tcp;ok;ip protocol != 6
+ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok;ip protocol { 33, 136, 17, 51, 50, 6, 132, 1, 108} accept
+ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok;ip protocol != { 33, 136, 17, 51, 50, 6, 132, 1, 108} accept
+
+ip protocol 255;ok
+ip protocol 256;fail
+
+ip checksum 13172 drop;ok
+ip checksum 22;ok
+ip checksum != 233;ok
+ip checksum 33-45;ok
+ip checksum != 33-45;ok
+ip checksum { 33, 55, 67, 88};ok
+ip checksum != { 33, 55, 67, 88};ok
+
+ip saddr set {192.19.1.2, 191.1.22.1};fail
+
+ip saddr 192.168.2.0/24;ok
+ip saddr != 192.168.2.0/24;ok
+ip saddr 192.168.3.1 ip daddr 192.168.3.100;ok
+ip saddr != 1.1.1.1;ok
+ip saddr 1.1.1.1;ok
+ip daddr 192.168.0.1-192.168.0.250;ok
+ip daddr 10.0.0.0-10.255.255.255;ok
+ip daddr 172.16.0.0-172.31.255.255;ok
+ip daddr 192.168.3.1-192.168.4.250;ok
+ip daddr != 192.168.0.1-192.168.0.250;ok
+ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
+ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
+
+ip daddr 192.168.1.2-192.168.1.55;ok
+ip daddr != 192.168.1.2-192.168.1.55;ok
+ip saddr 192.168.1.3-192.168.33.55;ok
+ip saddr != 192.168.1.3-192.168.33.55;ok
+
+ip daddr 192.168.0.1;ok
+ip daddr 192.168.0.1 drop;ok
+ip daddr 192.168.0.2;ok
+
+ip saddr & 0xff == 1;ok;ip saddr & 0.0.0.255 == 0.0.0.1
+ip saddr & 0.0.0.255 < 0.0.0.127;ok
+
+ip saddr & 0xffff0000 == 0xffff0000;ok;ip saddr 255.255.0.0/16
+
+ip version 4 ip hdrlength 5;ok
+ip hdrlength 0;ok
+ip hdrlength 15;ok
+ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter;ok
+ip hdrlength 16;fail
+
+# limit impact to lo
+iif "lo" ip daddr set 127.0.0.1;ok
+iif "lo" ip checksum set 0;ok
+iif "lo" ip id set 0;ok
+iif "lo" ip ecn set 1;ok;iif "lo" ip ecn set ect1
+iif "lo" ip ecn set ce;ok
+iif "lo" ip ttl set 23;ok
+iif "lo" ip protocol set 1;ok
+
+iif "lo" ip dscp set af23;ok
+iif "lo" ip dscp set cs0;ok
+
+ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 };ok
+ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept };ok
+
+ip saddr 1.2.3.4 ip daddr 3.4.5.6;ok
+ip saddr 1.2.3.4 counter ip daddr 3.4.5.6;ok
diff --git a/tests/py/ip/ip.t.json b/tests/py/ip/ip.t.json
new file mode 100644
index 0000000..882c94e
--- /dev/null
+++ b/tests/py/ip/ip.t.json
@@ -0,0 +1,1811 @@
+# ip dscp cs1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "cs1"
+        }
+    }
+]
+
+# ip dscp != cs1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": "cs1"
+        }
+    }
+]
+
+# ip dscp 0x38
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "0x38"
+        }
+    }
+]
+
+# ip dscp != 0x20
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": "0x20"
+        }
+    }
+]
+
+# ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "cs0",
+                    "cs1",
+                    "cs2",
+                    "cs3",
+                    "cs4",
+                    "cs5",
+                    "cs6",
+                    "cs7",
+                    "af11",
+                    "af12",
+                    "af13",
+                    "af21",
+                    "af22",
+                    "af23",
+                    "af31",
+                    "af32",
+                    "af33",
+                    "af41",
+                    "af42",
+                    "af43",
+                    "ef"
+                ]
+            }
+        }
+    }
+]
+
+# ip dscp != {cs0, cs3}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "cs0",
+                    "cs3"
+                ]
+            }
+        }
+    }
+]
+
+# ip dscp vmap { cs1 : continue , cs4 : accept } counter
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "cs1",
+                        {
+                            "continue": null
+                        }
+                    ],
+                    [
+                        "cs4",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    },
+    {
+        "counter": null
+    }
+]
+
+# ip length 232
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "length",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 232
+        }
+    }
+]
+
+# ip length != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "length",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# ip length 333-435
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "length",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 333, 435 ]
+            }
+        }
+    }
+]
+
+# ip length != 333-453
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "length",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 333, 453 ]
+            }
+        }
+    }
+]
+
+# ip length { 333, 553, 673, 838}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "length",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    333,
+                    553,
+                    673,
+                    838
+                ]
+            }
+        }
+    }
+]
+
+# ip length != { 333, 553, 673, 838}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "length",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    333,
+                    553,
+                    673,
+                    838
+                ]
+            }
+        }
+    }
+]
+
+# ip id 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# ip id != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# ip id 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# ip id != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# ip id { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# ip id != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# ip frag-off 0xde accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "frag-off",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 222
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ip frag-off != 0xe9
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "frag-off",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# ip frag-off 0x21-0x2d
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "frag-off",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# ip frag-off != 0x21-0x2d
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "frag-off",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# ip frag-off { 0x21, 0x37, 0x43, 0x58}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "frag-off",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# ip frag-off != { 0x21, 0x37, 0x43, 0x58}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "frag-off",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# ip frag-off & 0x1fff != 0x0
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "frag-off",
+                            "protocol": "ip"
+                        }
+                    },
+                    8191
+                ]
+            },
+            "op": "!=",
+            "right": 0
+        }
+    }
+]
+
+# ip frag-off & 0x2000 != 0x0
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "frag-off",
+                            "protocol": "ip"
+                        }
+                    },
+                    8192
+                ]
+            },
+            "op": "!=",
+            "right": 0
+        }
+    }
+]
+
+# ip frag-off & 0x4000 != 0x0
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "frag-off",
+                            "protocol": "ip"
+                        }
+                    },
+                    16384
+                ]
+            },
+            "op": "!=",
+            "right": 0
+        }
+    }
+]
+
+# ip ttl 0 drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "ttl",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# ip ttl 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "ttl",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 233
+        }
+    }
+]
+
+# ip ttl 33-55
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "ttl",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 55 ]
+            }
+        }
+    }
+]
+
+# ip ttl != 45-50
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "ttl",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 45, 50 ]
+            }
+        }
+    }
+]
+
+# ip ttl {43, 53, 45 }
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "ttl",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    43,
+                    45,
+                    53
+                ]
+            }
+        }
+    }
+]
+
+# ip ttl != {43, 53, 45 }
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "ttl",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    43,
+                    45,
+                    53
+                ]
+            }
+        }
+    }
+]
+
+# ip protocol tcp
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "tcp"
+        }
+    }
+]
+
+# ip protocol != tcp
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": "tcp"
+        }
+    }
+]
+
+# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "icmp",
+                    "esp",
+                    "ah",
+                    "comp",
+                    "udp",
+                    "udplite",
+                    "tcp",
+                    "dccp",
+                    "sctp"
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "icmp",
+                    "esp",
+                    "ah",
+                    "comp",
+                    "udp",
+                    "udplite",
+                    "tcp",
+                    "dccp",
+                    "sctp"
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ip protocol 255
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 255
+        }
+    }
+]
+
+# ip checksum 13172 drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 13172
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# ip checksum 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# ip checksum != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# ip checksum 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# ip checksum != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# ip checksum { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# ip checksum != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# ip saddr 192.168.2.0/24
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "prefix": {
+                    "addr": "192.168.2.0",
+                    "len": 24
+                }
+            }
+        }
+    }
+]
+
+# ip saddr != 192.168.2.0/24
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "prefix": {
+                    "addr": "192.168.2.0",
+                    "len": 24
+                }
+            }
+        }
+    }
+]
+
+# ip saddr 192.168.3.1 ip daddr 192.168.3.100
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "192.168.3.1"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "192.168.3.100"
+        }
+    }
+]
+
+# ip saddr != 1.1.1.1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": "1.1.1.1"
+        }
+    }
+]
+
+# ip saddr 1.1.1.1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "1.1.1.1"
+        }
+    }
+]
+
+# ip daddr 192.168.0.1-192.168.0.250
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ "192.168.0.1", "192.168.0.250" ]
+            }
+        }
+    }
+]
+
+# ip daddr 10.0.0.0-10.255.255.255
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ "10.0.0.0", "10.255.255.255" ]
+            }
+        }
+    }
+]
+
+# ip daddr 172.16.0.0-172.31.255.255
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ "172.16.0.0", "172.31.255.255" ]
+            }
+        }
+    }
+]
+
+# ip daddr 192.168.3.1-192.168.4.250
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ "192.168.3.1", "192.168.4.250" ]
+            }
+        }
+    }
+]
+
+# ip daddr != 192.168.0.1-192.168.0.250
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ "192.168.0.1", "192.168.0.250" ]
+            }
+        }
+    }
+]
+
+# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "192.168.5.1",
+                    "192.168.5.2",
+                    "192.168.5.3"
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "192.168.5.1",
+                    "192.168.5.2",
+                    "192.168.5.3"
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ip daddr 192.168.1.2-192.168.1.55
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ "192.168.1.2", "192.168.1.55" ]
+            }
+        }
+    }
+]
+
+# ip daddr != 192.168.1.2-192.168.1.55
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ "192.168.1.2", "192.168.1.55" ]
+            }
+        }
+    }
+]
+
+# ip saddr 192.168.1.3-192.168.33.55
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ "192.168.1.3", "192.168.33.55" ]
+            }
+        }
+    }
+]
+
+# ip saddr != 192.168.1.3-192.168.33.55
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ "192.168.1.3", "192.168.33.55" ]
+            }
+        }
+    }
+]
+
+# ip daddr 192.168.0.1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "192.168.0.1"
+        }
+    }
+]
+
+# ip daddr 192.168.0.1 drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "192.168.0.1"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# ip daddr 192.168.0.2
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "192.168.0.2"
+        }
+    }
+]
+
+# ip saddr & 0xff == 1
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    "0xff"
+                ]
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# ip saddr & 0.0.0.255 < 0.0.0.127
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    "0.0.0.255"
+                ]
+            },
+            "op": "<",
+            "right": "0.0.0.127"
+        }
+    }
+]
+
+# ip saddr & 0xffff0000 == 0xffff0000
+[
+    {
+        "match": {
+            "left": {
+		"&": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+		    "0xffff0000"
+                ]
+            },
+	    "op": "==",
+            "right": "0xffff0000"
+        }
+    }
+]
+
+# ip version 4 ip hdrlength 5
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "version",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 4
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hdrlength",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 5
+        }
+    }
+]
+
+# ip hdrlength 0
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hdrlength",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# ip hdrlength 15
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hdrlength",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 15
+        }
+    }
+]
+
+# ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "hdrlength",
+                    "protocol": "ip"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        { "range": [ 0, 4 ] },
+                        { "drop": null }
+                    ],
+                    [
+                        5,
+                        { "accept": null }
+                    ],
+                    [
+                        6,
+                        { "continue": null }
+                    ]
+                ]
+            }
+        }
+    },
+    {
+        "counter": null
+    }
+]
+
+# iif "lo" ip daddr set 127.0.0.1
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+            "value": "127.0.0.1"
+        }
+    }
+]
+
+# iif "lo" ip checksum set 0
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "ip"
+                }
+            },
+            "value": 0
+        }
+    }
+]
+
+# iif "lo" ip id set 0
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "ip"
+                }
+            },
+            "value": 0
+        }
+    }
+]
+
+# iif "lo" ip ecn set 1
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "ecn",
+                    "protocol": "ip"
+                }
+            },
+            "value": 1
+        }
+    }
+]
+
+# iif "lo" ip ecn set ce
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "ecn",
+                    "protocol": "ip"
+                }
+            },
+            "value": "ce"
+        }
+    }
+]
+
+# iif "lo" ip ttl set 23
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "ttl",
+                    "protocol": "ip"
+                }
+            },
+            "value": 23
+        }
+    }
+]
+
+# iif "lo" ip protocol set 1
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "value": 1
+        }
+    }
+]
+
+# iif "lo" ip dscp set af23
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip"
+                }
+            },
+            "value": "af23"
+        }
+    }
+]
+
+# iif "lo" ip dscp set cs0
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip"
+                }
+            },
+            "value": "cs0"
+        }
+    }
+]
+
+# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 }
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip"
+                        }
+                    }
+                ]
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "concat": [
+                            "192.0.2.1",
+                            {
+                                "range": [
+                                    "10.0.0.1",
+                                    "10.0.0.2"
+                                ]
+                            }
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept }
+[
+    {
+        "vmap": {
+            "data": {
+                "set": [
+                    [
+                        {
+                            "concat": [
+                                {
+                                    "range": [
+                                        "192.168.5.1",
+                                        "192.168.5.128"
+                                    ]
+                                },
+                                {
+                                    "range": [
+                                        "192.168.6.1",
+                                        "192.168.6.128"
+                                    ]
+                                }
+                            ]
+                        },
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            },
+            "key": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip"
+                        }
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# ip saddr 1.2.3.4 ip daddr 3.4.5.6
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": "1.2.3.4"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": "3.4.5.6"
+        }
+    }
+]
+
+# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": "1.2.3.4"
+        }
+    },
+    {
+        "counter": {
+            "bytes": 0,
+            "packets": 0
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": "3.4.5.6"
+        }
+    }
+]
diff --git a/tests/py/ip/ip.t.json.got b/tests/py/ip/ip.t.json.got
new file mode 100644
index 0000000..07ab4e3
--- /dev/null
+++ b/tests/py/ip/ip.t.json.got
@@ -0,0 +1,62 @@
+# ip frag-off & 0x1fff != 0x0
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "frag-off",
+                            "protocol": "ip"
+                        }
+                    },
+                    8191
+                ]
+            },
+            "op": "!=",
+            "right": 0
+        }
+    }
+]
+
+# ip frag-off & 0x2000 != 0x0
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "frag-off",
+                            "protocol": "ip"
+                        }
+                    },
+                    8192
+                ]
+            },
+            "op": "!=",
+            "right": 0
+        }
+    }
+]
+
+# ip frag-off & 0x4000 != 0x0
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "frag-off",
+                            "protocol": "ip"
+                        }
+                    },
+                    16384
+                ]
+            },
+            "op": "!=",
+            "right": 0
+        }
+    }
+]
diff --git a/tests/py/ip/ip.t.json.output b/tests/py/ip/ip.t.json.output
new file mode 100644
index 0000000..b201cda
--- /dev/null
+++ b/tests/py/ip/ip.t.json.output
@@ -0,0 +1,232 @@
+# ip dscp 0x38
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "cs7"
+        }
+    }
+]
+
+# ip dscp != 0x20
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": "cs4"
+        }
+    }
+]
+
+# ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "cs0",
+                    "cs1",
+                    "af11",
+                    "af12",
+                    "af13",
+                    "cs2",
+                    "af21",
+                    "af22",
+                    "af23",
+                    "cs3",
+                    "af31",
+                    "af32",
+                    "af33",
+                    "cs4",
+                    "af41",
+                    "af42",
+                    "af43",
+                    "cs5",
+                    "ef",
+                    "cs6",
+                    "cs7"
+                ]
+            }
+        }
+    }
+]
+
+# ip protocol tcp
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 6
+        }
+    }
+]
+
+# ip protocol != tcp
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": 6
+        }
+    }
+]
+
+# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    1,
+                    6,
+                    17,
+                    33,
+                    50,
+                    51,
+                    108,
+                    132,
+                    136
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    1,
+                    6,
+                    17,
+                    33,
+                    50,
+                    51,
+                    108,
+                    132,
+                    136
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ip saddr & 0xff == 1
+[
+    {
+        "match": {
+            "left": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    "0.0.0.255"
+                ]
+            },
+            "op": "==",
+            "right": "0.0.0.1"
+        }
+    }
+]
+
+# ip saddr & 0xffff0000 == 0xffff0000
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "prefix": {
+                    "addr": "255.255.0.0",
+                    "len": 16
+                }
+            }
+        }
+    }
+]
+
+# iif "lo" ip ecn set 1
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "ecn",
+                    "protocol": "ip"
+                }
+            },
+            "value": "ect1"
+        }
+    }
+]
+
diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload
new file mode 100644
index 0000000..43605a3
--- /dev/null
+++ b/tests/py/ip/ip.t.payload
@@ -0,0 +1,558 @@
+# ip dscp cs1
+ip test-ip4 input
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000020 ]
+
+# ip dscp != cs1
+ip test-ip4 input
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000020 ]
+
+# ip dscp 0x38
+ip test-ip4 input
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x000000e0 ]
+
+# ip dscp != 0x20
+ip test-ip4 input
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000080 ]
+
+# ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
+__set%d test-ip4 3
+__set%d test-ip4 0
+        element 00000020  : 0 [end]     element 00000040  : 0 [end]     element 00000060  : 0 [end]     element 00000080  : 0 [end]    element 000000a0  : 0 [end]      element 000000c0  : 0 [end]     element 000000e0  : 0 [end]     element 00000000  : 0 [end]     element 00000028  : 0 [end]     element 00000030  : 0 [end]     element 00000038  : 0 [end]     element 00000048  : 0 [end]     element 00000050  : 0 [end]     element 00000058  : 0 [end]     element 00000068  : 0 [end]     element 00000070  : 0 [end]     element 00000078  : 0 [end]     element 00000088  : 0 [end]     element 00000090  : 0 [end]     element 00000098  : 0 [end]     element 000000b8  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip dscp != {cs0, cs3}
+__set%d test-ip4 3
+__set%d test-ip4 0
+        element 00000000  : 0 [end]     element 00000060  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip dscp vmap { cs1 : continue , cs4 : accept } counter
+__map%d test-ip4 b size 2
+__map%d test-ip4 0
+	element 00000020  : continue 0 [end]	element 00000080  : accept 0 [end]
+ip test-ip4 input 
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
+# ip length 232
+ip test-ip4 input
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000e800 ]
+
+# ip length != 233
+ip test-ip4 input
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip length 333-435
+ip test-ip4 input
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00004d01 ]
+  [ cmp lte reg 1 0x0000b301 ]
+
+# ip length != 333-453
+ip test-ip4 input
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ range neq reg 1 0x00004d01 0x0000c501 ]
+
+# ip length { 333, 553, 673, 838}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00004d01  : 0 [end]	element 00002902  : 0 [end]	element 0000a102  : 0 [end]	element 00004603  : 0 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip length != { 333, 553, 673, 838}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00004d01  : 0 [end]	element 00002902  : 0 [end]	element 0000a102  : 0 [end]	element 00004603  : 0 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip id 22
+ip test-ip4 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip id != 233
+ip test-ip4 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip id 33-45
+ip test-ip4 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip id != 33-45
+ip test-ip4 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# ip id { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip id != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip frag-off 0xde accept
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000de00 ]
+  [ immediate reg 0 accept ]
+
+# ip frag-off != 0xe9
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip frag-off 0x21-0x2d
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip frag-off != 0x21-0x2d
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# ip frag-off { 0x21, 0x37, 0x43, 0x58}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip frag-off != { 0x21, 0x37, 0x43, 0x58}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip frag-off & 0x1fff != 0x0
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip frag-off & 0x2000 != 0x0
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip frag-off & 0x4000 != 0x0
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip ttl 0 drop
+ip test-ip4 input
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+  [ immediate reg 0 drop ]
+
+# ip ttl 233
+ip test-ip4 input
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x000000e9 ]
+
+# ip ttl 33-55
+ip test-ip4 input
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x00000037 ]
+
+# ip ttl != 45-50
+ip test-ip4 input
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ range neq reg 1 0x0000002d 0x00000032 ]
+
+# ip ttl {43, 53, 45 }
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 0000002b  : 0 [end]	element 00000035  : 0 [end]	element 0000002d  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip ttl != {43, 53, 45 }
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 0000002b  : 0 [end]	element 00000035  : 0 [end]	element 0000002d  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip protocol tcp
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+
+# ip protocol != tcp
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp neq reg 1 0x00000006 ]
+
+# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# ip protocol 255
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x000000ff ]
+
+# ip checksum 13172 drop
+ip test-ip4 input
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp eq reg 1 0x00007433 ]
+  [ immediate reg 0 drop ]
+
+# ip checksum 22
+ip test-ip4 input
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip checksum != 233
+ip test-ip4 input
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip checksum 33-45
+ip test-ip4 input
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip checksum != 33-45
+ip test-ip4 input
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# ip checksum { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip checksum != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip saddr 192.168.2.0/24
+ip test-ip4 input
+  [ payload load 3b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0002a8c0 ]
+
+# ip saddr != 192.168.2.0/24
+ip test-ip4 input
+  [ payload load 3b @ network header + 12 => reg 1 ]
+  [ cmp neq reg 1 0x0002a8c0 ]
+
+# ip saddr 192.168.3.1 ip daddr 192.168.3.100
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0103a8c0 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x6403a8c0 ]
+
+# ip saddr != 1.1.1.1
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp neq reg 1 0x01010101 ]
+
+# ip saddr 1.1.1.1
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x01010101 ]
+
+# ip daddr 192.168.0.1-192.168.0.250
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0100a8c0 ]
+  [ cmp lte reg 1 0xfa00a8c0 ]
+
+# ip daddr 10.0.0.0-10.255.255.255
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0000000a ]
+  [ cmp lte reg 1 0xffffff0a ]
+
+# ip daddr 172.16.0.0-172.31.255.255
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x000010ac ]
+  [ cmp lte reg 1 0xffff1fac ]
+
+# ip daddr 192.168.3.1-192.168.4.250
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0103a8c0 ]
+  [ cmp lte reg 1 0xfa04a8c0 ]
+
+# ip daddr != 192.168.0.1-192.168.0.250
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ]
+
+# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 0105a8c0  : 0 [end]	element 0205a8c0  : 0 [end]	element 0305a8c0  : 0 [end]
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 0105a8c0  : 0 [end]	element 0205a8c0  : 0 [end]	element 0305a8c0  : 0 [end]
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# ip daddr 192.168.1.2-192.168.1.55
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0201a8c0 ]
+  [ cmp lte reg 1 0x3701a8c0 ]
+
+# ip daddr != 192.168.1.2-192.168.1.55
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ range neq reg 1 0x0201a8c0 0x3701a8c0 ]
+
+# ip saddr 192.168.1.3-192.168.33.55
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp gte reg 1 0x0301a8c0 ]
+  [ cmp lte reg 1 0x3721a8c0 ]
+
+# ip saddr != 192.168.1.3-192.168.33.55
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ range neq reg 1 0x0301a8c0 0x3721a8c0 ]
+
+# ip daddr 192.168.0.1
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+
+# ip daddr 192.168.0.1 drop
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+  [ immediate reg 0 drop ]
+
+# ip daddr 192.168.0.2
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0200a8c0 ]
+
+# ip saddr & 0xff == 1
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# ip saddr & 0.0.0.255 < 0.0.0.127
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ]
+  [ cmp lt reg 1 0x7f000000 ]
+
+# ip saddr & 0xffff0000 == 0xffff0000
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000ffff ]
+
+# ip version 4 ip hdrlength 5
+ip test-ip4 input
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000040 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000005 ]
+
+# ip hdrlength 0
+ip test-ip4 input
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# ip hdrlength 15
+ip test-ip4 input
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000000f ]
+
+# ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter
+__map%d test-ip4 f size 4
+__map%d test-ip4 0
+	element 00000000  : drop 0 [end]	element 00000005  : accept 0 [end]	element 00000006  : continue 0 [end]	element 00000007  : 1 [end]
+ip test-ip4 input 
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
+# iif "lo" ip daddr set 127.0.0.1
+ip test-ip4 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ immediate reg 1 0x0100007f ]
+  [ payload write reg 1 => 4b @ network header + 16 csum_type 1 csum_off 10 csum_flags 0x1 ]
+
+# iif "lo" ip checksum set 0
+ip test-ip4 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ immediate reg 1 0x00000000 ]
+  [ payload write reg 1 => 2b @ network header + 10 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip id set 0
+ip test-ip4 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ immediate reg 1 0x00000000 ]
+  [ payload write reg 1 => 2b @ network header + 4 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip ecn set 1
+ip test-ip4 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000100 ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip ecn set ce
+ip test-ip4 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000300 ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip dscp set af23
+ip test-ip4 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00005800 ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip dscp set cs0
+ip test-ip4 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00000000 ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip ttl set 23
+ip test-ip4 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ network header + 8 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff00 ) ^ 0x00000017 ]
+  [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip protocol set 1
+ip test-ip4 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ network header + 8 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ]
+  [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ]
+
+# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 }
+__set%d test-ip4 87 size 1
+__set%d test-ip4 0
+        element 010200c0 0100000a  - 010200c0 0200000a  : 0 [end]
+ip
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept }
+__map%d test-ip4 8f size 1
+__map%d test-ip4 0
+        element 0105a8c0 0106a8c0  - 8005a8c0 8006a8c0  : accept 0 [end]
+ip
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip saddr 1.2.3.4 ip daddr 3.4.5.6
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x06050403 ]
+
+# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ counter pkts 0 bytes 0 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x06050403 ]
diff --git a/tests/py/ip/ip.t.payload.bridge b/tests/py/ip/ip.t.payload.bridge
new file mode 100644
index 0000000..e506f30
--- /dev/null
+++ b/tests/py/ip/ip.t.payload.bridge
@@ -0,0 +1,728 @@
+# ip dscp cs1
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000020 ]
+
+# ip dscp != cs1
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000020 ]
+
+# ip dscp 0x38
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x000000e0 ]
+
+# ip dscp != 0x20
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000080 ]
+
+# ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
+__set%d test-bridge 3 size 21
+__set%d test-bridge 0
+	element 00000000  : 0 [end]	element 00000020  : 0 [end]	element 00000040  : 0 [end]	element 00000060  : 0 [end]	element 00000080  : 0 [end]	element 000000a0  : 0 [end]	element 000000c0  : 0 [end]	element 000000e0  : 0 [end]	element 00000028  : 0 [end]	element 00000030  : 0 [end]	element 00000038  : 0 [end]	element 00000048  : 0 [end]	element 00000050  : 0 [end]	element 00000058  : 0 [end]	element 00000068  : 0 [end]	element 00000070  : 0 [end]	element 00000078  : 0 [end]	element 00000088  : 0 [end]	element 00000090  : 0 [end]	element 00000098  : 0 [end]	element 000000b8  : 0 [end]
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip dscp != {cs0, cs3}
+__set%d test-bridge 3 size 2
+__set%d test-bridge 0
+	element 00000000  : 0 [end]	element 00000060  : 0 [end]
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip dscp vmap { cs1 : continue , cs4 : accept } counter
+__map%d test-bridge b size 2
+__map%d test-bridge 0
+	element 00000020  : continue 0 [end]	element 00000080  : accept 0 [end]
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
+# ip length 232
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000e800 ]
+
+# ip length != 233
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip length 333-435
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00004d01 ]
+  [ cmp lte reg 1 0x0000b301 ]
+
+# ip length != 333-453
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ range neq reg 1 0x00004d01 0x0000c501 ]
+
+# ip length { 333, 553, 673, 838}
+__set%d test-bridge 3 size 4
+__set%d test-bridge 0
+	element 00004d01  : 0 [end]	element 00002902  : 0 [end]	element 0000a102  : 0 [end]	element 00004603  : 0 [end]
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip length != { 333, 553, 673, 838}
+__set%d test-bridge 3 size 4
+__set%d test-bridge 0
+	element 00004d01  : 0 [end]	element 00002902  : 0 [end]	element 0000a102  : 0 [end]	element 00004603  : 0 [end]
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip id 22
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip id != 233
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip id 33-45
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip id != 33-45
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# ip id { 33, 55, 67, 88}
+__set%d test-bridge 3 size 4
+__set%d test-bridge 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip id != { 33, 55, 67, 88}
+__set%d test-bridge 3 size 4
+__set%d test-bridge 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip frag-off 0xde accept
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000de00 ]
+  [ immediate reg 0 accept ]
+
+# ip frag-off != 0xe9
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip frag-off 0x21-0x2d
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip frag-off != 0x21-0x2d
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# ip frag-off { 0x21, 0x37, 0x43, 0x58}
+__set%d test-bridge 3 size 4
+__set%d test-bridge 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip frag-off != { 0x21, 0x37, 0x43, 0x58}
+__set%d test-bridge 3 size 4
+__set%d test-bridge 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip frag-off & 0x1fff != 0x0
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip frag-off & 0x2000 != 0x0
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip frag-off & 0x4000 != 0x0
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip ttl 0 drop
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+  [ immediate reg 0 drop ]
+
+# ip ttl 233
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x000000e9 ]
+
+# ip ttl 33-55
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x00000037 ]
+
+# ip ttl != 45-50
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ range neq reg 1 0x0000002d 0x00000032 ]
+
+# ip ttl {43, 53, 45 }
+__set%d test-bridge 3 size 3
+__set%d test-bridge 0
+	element 0000002b  : 0 [end]	element 00000035  : 0 [end]	element 0000002d  : 0 [end]
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip ttl != {43, 53, 45 }
+__set%d test-bridge 3 size 3
+__set%d test-bridge 0
+	element 0000002b  : 0 [end]	element 00000035  : 0 [end]	element 0000002d  : 0 [end]
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip protocol tcp
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+
+# ip protocol != tcp
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp neq reg 1 0x00000006 ]
+
+# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+__set%d test-bridge 3 size 9
+__set%d test-bridge 0
+	element 00000001  : 0 [end]	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+__set%d test-bridge 3 size 9
+__set%d test-bridge 0
+	element 00000001  : 0 [end]	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# ip protocol 255
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x000000ff ]
+
+# ip checksum 13172 drop
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp eq reg 1 0x00007433 ]
+  [ immediate reg 0 drop ]
+
+# ip checksum 22
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip checksum != 233
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip checksum 33-45
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip checksum != 33-45
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# ip checksum { 33, 55, 67, 88}
+__set%d test-bridge 3 size 4
+__set%d test-bridge 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip checksum != { 33, 55, 67, 88}
+__set%d test-bridge 3 size 4
+__set%d test-bridge 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip saddr 192.168.2.0/24
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 3b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0002a8c0 ]
+
+# ip saddr != 192.168.2.0/24
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 3b @ network header + 12 => reg 1 ]
+  [ cmp neq reg 1 0x0002a8c0 ]
+
+# ip saddr 192.168.3.1 ip daddr 192.168.3.100
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0103a8c0 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x6403a8c0 ]
+
+# ip saddr != 1.1.1.1
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp neq reg 1 0x01010101 ]
+
+# ip saddr 1.1.1.1
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x01010101 ]
+
+# ip daddr 192.168.0.1-192.168.0.250
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0100a8c0 ]
+  [ cmp lte reg 1 0xfa00a8c0 ]
+
+# ip daddr 10.0.0.0-10.255.255.255
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0000000a ]
+  [ cmp lte reg 1 0xffffff0a ]
+
+# ip daddr 172.16.0.0-172.31.255.255
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x000010ac ]
+  [ cmp lte reg 1 0xffff1fac ]
+
+# ip daddr 192.168.3.1-192.168.4.250
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0103a8c0 ]
+  [ cmp lte reg 1 0xfa04a8c0 ]
+
+# ip daddr != 192.168.0.1-192.168.0.250
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ]
+
+# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
+__set%d test-bridge 3 size 3
+__set%d test-bridge 0
+	element 0105a8c0  : 0 [end]	element 0205a8c0  : 0 [end]	element 0305a8c0  : 0 [end]
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
+__set%d test-bridge 3 size 3
+__set%d test-bridge 0
+	element 0105a8c0  : 0 [end]	element 0205a8c0  : 0 [end]	element 0305a8c0  : 0 [end]
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# ip daddr 192.168.1.2-192.168.1.55
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0201a8c0 ]
+  [ cmp lte reg 1 0x3701a8c0 ]
+
+# ip daddr != 192.168.1.2-192.168.1.55
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ range neq reg 1 0x0201a8c0 0x3701a8c0 ]
+
+# ip saddr 192.168.1.3-192.168.33.55
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp gte reg 1 0x0301a8c0 ]
+  [ cmp lte reg 1 0x3721a8c0 ]
+
+# ip saddr != 192.168.1.3-192.168.33.55
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ range neq reg 1 0x0301a8c0 0x3721a8c0 ]
+
+# ip daddr 192.168.0.1
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+
+# ip daddr 192.168.0.1 drop
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+  [ immediate reg 0 drop ]
+
+# ip daddr 192.168.0.2
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0200a8c0 ]
+
+# ip saddr & 0xff == 1
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# ip saddr & 0.0.0.255 < 0.0.0.127
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ]
+  [ cmp lt reg 1 0x7f000000 ]
+
+# ip saddr & 0xffff0000 == 0xffff0000
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000ffff ]
+
+# ip version 4 ip hdrlength 5
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000040 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000005 ]
+
+# ip hdrlength 0
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# ip hdrlength 15
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000000f ]
+
+# ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter
+__map%d test-bridge f size 4
+__map%d test-bridge 0
+	element 00000000  : drop 0 [end]	element 00000005  : accept 0 [end]	element 00000006  : continue 0 [end]	element 00000007  : 1 [end]
+bridge test-bridge input 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
+# iif "lo" ip daddr set 127.0.0.1
+bridge test-bridge input 
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ immediate reg 1 0x0100007f ]
+  [ payload write reg 1 => 4b @ network header + 16 csum_type 1 csum_off 10 csum_flags 0x1 ]
+
+# iif "lo" ip checksum set 0
+bridge test-bridge input 
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ immediate reg 1 0x00000000 ]
+  [ payload write reg 1 => 2b @ network header + 10 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip id set 0
+bridge test-bridge input 
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ immediate reg 1 0x00000000 ]
+  [ payload write reg 1 => 2b @ network header + 4 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip ecn set 1
+bridge test-bridge input 
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000100 ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip ecn set ce
+bridge test-bridge input 
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000300 ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip ttl set 23
+bridge test-bridge input 
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 8 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff00 ) ^ 0x00000017 ]
+  [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip protocol set 1
+bridge test-bridge input 
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 8 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ]
+  [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ]
+
+# iif "lo" ip dscp set af23
+bridge test-bridge input 
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00005800 ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip dscp set cs0
+bridge test-bridge input 
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00000000 ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 }
+__set%d test-bridge 87 size 1
+__set%d test-bridge 0
+        element 010200c0 0100000a  - 010200c0 0200000a  : 0 [end]
+bridge
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept }
+__map%d test-bridge 8f size 1
+__map%d test-bridge 0
+        element 0105a8c0 0106a8c0  - 8005a8c0 8006a8c0  : accept 0 [end]
+bridge
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip saddr 1.2.3.4 ip daddr 3.4.5.6
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x06050403 ]
+
+# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ counter pkts 0 bytes 0 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x06050403 ]
diff --git a/tests/py/ip/ip.t.payload.bridge.got b/tests/py/ip/ip.t.payload.bridge.got
new file mode 100644
index 0000000..e728c23
--- /dev/null
+++ b/tests/py/ip/ip.t.payload.bridge.got
@@ -0,0 +1,24 @@
+# ip frag-off & 0x1fff != 0x0
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip frag-off & 0x2000 != 0x0
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip frag-off & 0x4000 != 0x0
+bridge test-bridge input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
diff --git a/tests/py/ip/ip.t.payload.got b/tests/py/ip/ip.t.payload.got
new file mode 100644
index 0000000..9a5c942
--- /dev/null
+++ b/tests/py/ip/ip.t.payload.got
@@ -0,0 +1,18 @@
+# ip frag-off & 0x1fff != 0x0
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip frag-off & 0x2000 != 0x0
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip frag-off & 0x4000 != 0x0
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
diff --git a/tests/py/ip/ip.t.payload.inet b/tests/py/ip/ip.t.payload.inet
new file mode 100644
index 0000000..a7fa0fa
--- /dev/null
+++ b/tests/py/ip/ip.t.payload.inet
@@ -0,0 +1,728 @@
+# ip dscp cs1
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000020 ]
+
+# ip dscp != cs1
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000020 ]
+
+# ip dscp 0x38
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x000000e0 ]
+
+# ip dscp != 0x20
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000080 ]
+
+# ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
+__set%d test-inet 3
+__set%d test-inet 0
+        element 00000020  : 0 [end]     element 00000040  : 0 [end]     element 00000060  : 0 [end]     element 00000080  : 0 [end]    element 000000a0  : 0 [end]      element 000000c0  : 0 [end]     element 000000e0  : 0 [end]     element 00000000  : 0 [end]     element 00000028  : 0 [end]     element 00000030  : 0 [end]     element 00000038  : 0 [end]     element 00000048  : 0 [end]     element 00000050  : 0 [end]     element 00000058  : 0 [end]     element 00000068  : 0 [end]     element 00000070  : 0 [end]     element 00000078  : 0 [end]     element 00000088  : 0 [end]     element 00000090  : 0 [end]     element 00000098  : 0 [end]     element 000000b8  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip dscp != {cs0, cs3}
+__set%d test-inet 3
+__set%d test-inet 0
+        element 00000000  : 0 [end]     element 00000060  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip dscp vmap { cs1 : continue , cs4 : accept } counter
+__map%d test-inet b size 2
+__map%d test-inet 0
+	element 00000020  : continue 0 [end]	element 00000080  : accept 0 [end]
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
+# ip length 232
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000e800 ]
+
+# ip length != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip length 333-435
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00004d01 ]
+  [ cmp lte reg 1 0x0000b301 ]
+
+# ip length != 333-453
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ range neq reg 1 0x00004d01 0x0000c501 ]
+
+# ip length { 333, 553, 673, 838}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00004d01  : 0 [end]	element 00002902  : 0 [end]	element 0000a102  : 0 [end]	element 00004603  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip length != { 333, 553, 673, 838}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00004d01  : 0 [end]	element 00002902  : 0 [end]	element 0000a102  : 0 [end]	element 00004603  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip id 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip id != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip id 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip id != 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# ip id { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip id != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip frag-off 0xde accept
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000de00 ]
+  [ immediate reg 0 accept ]
+
+# ip frag-off != 0xe9
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip frag-off 0x21-0x2d
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip frag-off != 0x21-0x2d
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# ip frag-off { 0x21, 0x37, 0x43, 0x58}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip frag-off != { 0x21, 0x37, 0x43, 0x58}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip frag-off & 0x1fff != 0x0
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip frag-off & 0x2000 != 0x0
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip frag-off & 0x4000 != 0x0
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip ttl 0 drop
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+  [ immediate reg 0 drop ]
+
+# ip ttl 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x000000e9 ]
+
+# ip ttl 33-55
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x00000037 ]
+
+# ip ttl != 45-50
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ range neq reg 1 0x0000002d 0x00000032 ]
+
+# ip ttl {43, 53, 45 }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 0000002b  : 0 [end]	element 00000035  : 0 [end]	element 0000002d  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip ttl != {43, 53, 45 }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 0000002b  : 0 [end]	element 00000035  : 0 [end]	element 0000002d  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip protocol tcp
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+
+# ip protocol != tcp
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp neq reg 1 0x00000006 ]
+
+# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000001  : 0 [end]	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000001  : 0 [end]	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# ip protocol 255
+ip test-ip4 input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x000000ff ]
+
+# ip checksum 13172 drop
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp eq reg 1 0x00007433 ]
+  [ immediate reg 0 drop ]
+
+# ip checksum 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip checksum != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip checksum 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip checksum != 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# ip checksum { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip checksum != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip saddr 192.168.2.0/24
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 3b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0002a8c0 ]
+
+# ip saddr != 192.168.2.0/24
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 3b @ network header + 12 => reg 1 ]
+  [ cmp neq reg 1 0x0002a8c0 ]
+
+# ip saddr 192.168.3.1 ip daddr 192.168.3.100
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0103a8c0 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x6403a8c0 ]
+
+# ip saddr != 1.1.1.1
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp neq reg 1 0x01010101 ]
+
+# ip saddr 1.1.1.1
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x01010101 ]
+
+# ip daddr 192.168.0.1-192.168.0.250
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0100a8c0 ]
+  [ cmp lte reg 1 0xfa00a8c0 ]
+
+# ip daddr 10.0.0.0-10.255.255.255
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0000000a ]
+  [ cmp lte reg 1 0xffffff0a ]
+
+# ip daddr 172.16.0.0-172.31.255.255
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x000010ac ]
+  [ cmp lte reg 1 0xffff1fac ]
+
+# ip daddr 192.168.3.1-192.168.4.250
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0103a8c0 ]
+  [ cmp lte reg 1 0xfa04a8c0 ]
+
+# ip daddr != 192.168.0.1-192.168.0.250
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ]
+
+# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 0105a8c0  : 0 [end]	element 0205a8c0  : 0 [end]	element 0305a8c0  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 0105a8c0  : 0 [end]	element 0205a8c0  : 0 [end]	element 0305a8c0  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# ip daddr 192.168.1.2-192.168.1.55
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0201a8c0 ]
+  [ cmp lte reg 1 0x3701a8c0 ]
+
+# ip daddr != 192.168.1.2-192.168.1.55
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ range neq reg 1 0x0201a8c0 0x3701a8c0 ]
+
+# ip saddr 192.168.1.3-192.168.33.55
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp gte reg 1 0x0301a8c0 ]
+  [ cmp lte reg 1 0x3721a8c0 ]
+
+# ip saddr != 192.168.1.3-192.168.33.55
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ range neq reg 1 0x0301a8c0 0x3721a8c0 ]
+
+# ip daddr 192.168.0.1
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+
+# ip daddr 192.168.0.1 drop
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+  [ immediate reg 0 drop ]
+
+# ip daddr 192.168.0.2
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0200a8c0 ]
+
+# ip saddr & 0xff == 1
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# ip saddr & 0.0.0.255 < 0.0.0.127
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ]
+  [ cmp lt reg 1 0x7f000000 ]
+
+# ip saddr & 0xffff0000 == 0xffff0000
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000ffff ]
+
+# ip version 4 ip hdrlength 5
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000040 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000005 ]
+
+# ip hdrlength 0
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# ip hdrlength 15
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000000f ]
+
+# ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter
+__map%d test-inet f size 4
+__map%d test-inet 0
+	element 00000000  : drop 0 [end]	element 00000005  : accept 0 [end]	element 00000006  : continue 0 [end]	element 00000007  : 1 [end]
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
+# iif "lo" ip daddr set 127.0.0.1
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ immediate reg 1 0x0100007f ]
+  [ payload write reg 1 => 4b @ network header + 16 csum_type 1 csum_off 10 csum_flags 0x1 ]
+
+# iif "lo" ip checksum set 0
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ immediate reg 1 0x00000000 ]
+  [ payload write reg 1 => 2b @ network header + 10 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip id set 0
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ immediate reg 1 0x00000000 ]
+  [ payload write reg 1 => 2b @ network header + 4 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip ecn set 1
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000100 ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip ecn set ce
+inet test-netdev ingress
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000300 ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip dscp set af23
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00005800 ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip dscp set cs0
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00000000 ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip ttl set 23
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 8 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff00 ) ^ 0x00000017 ]
+  [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip protocol set 1
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 8 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ]
+  [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ]
+
+# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 }
+__set%d test-inet 87 size 1
+__set%d test-inet 0
+        element 010200c0 0100000a  - 010200c0 0200000a  : 0 [end]
+inet
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept }
+__map%d test-inet 8f size 1
+__map%d test-inet 0
+        element 0105a8c0 0106a8c0  - 8005a8c0 8006a8c0  : accept 0 [end]
+inet
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip saddr 1.2.3.4 ip daddr 3.4.5.6
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x06050403 ]
+
+# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ counter pkts 0 bytes 0 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x06050403 ]
diff --git a/tests/py/ip/ip.t.payload.inet.got b/tests/py/ip/ip.t.payload.inet.got
new file mode 100644
index 0000000..ac52c78
--- /dev/null
+++ b/tests/py/ip/ip.t.payload.inet.got
@@ -0,0 +1,24 @@
+# ip frag-off & 0x1fff != 0x0
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip frag-off & 0x2000 != 0x0
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip frag-off & 0x4000 != 0x0
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
diff --git a/tests/py/ip/ip.t.payload.netdev b/tests/py/ip/ip.t.payload.netdev
new file mode 100644
index 0000000..aebd9d6
--- /dev/null
+++ b/tests/py/ip/ip.t.payload.netdev
@@ -0,0 +1,728 @@
+# ip length 232
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000e800 ]
+
+# ip length != 233
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip length 333-435
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00004d01 ]
+  [ cmp lte reg 1 0x0000b301 ]
+
+# ip length != 333-453
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ range neq reg 1 0x00004d01 0x0000c501 ]
+
+# ip length { 333, 553, 673, 838}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00004d01  : 0 [end]	element 00002902  : 0 [end]	element 0000a102  : 0 [end]	element 00004603  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip length != { 333, 553, 673, 838}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00004d01  : 0 [end]	element 00002902  : 0 [end]	element 0000a102  : 0 [end]	element 00004603  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip id 22
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip id != 233
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip id 33-45
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip id != 33-45
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# ip id { 33, 55, 67, 88}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip id != { 33, 55, 67, 88}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip frag-off 0xde accept
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000de00 ]
+  [ immediate reg 0 accept ]
+
+# ip frag-off != 0xe9
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip frag-off 0x21-0x2d
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip frag-off != 0x21-0x2d
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# ip frag-off { 0x21, 0x37, 0x43, 0x58}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip frag-off != { 0x21, 0x37, 0x43, 0x58}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip frag-off & 0x1fff != 0x0
+netdev x y
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip frag-off & 0x2000 != 0x0
+netdev x y
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip frag-off & 0x4000 != 0x0
+netdev x y
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip ttl 0 drop
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+  [ immediate reg 0 drop ]
+
+# ip ttl 33-55
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x00000037 ]
+
+# ip ttl != 45-50
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ range neq reg 1 0x0000002d 0x00000032 ]
+
+# ip ttl {43, 53, 45 }
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 0000002b  : 0 [end]	element 00000035  : 0 [end]	element 0000002d  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip ttl != {43, 53, 45 }
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 0000002b  : 0 [end]	element 00000035  : 0 [end]	element 0000002d  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00000001  : 0 [end]	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00000001  : 0 [end]	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# ip protocol 255
+ip test-ip4 input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x000000ff ]
+
+# ip checksum 13172 drop
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp eq reg 1 0x00007433 ]
+  [ immediate reg 0 drop ]
+
+# ip checksum 22
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip checksum != 233
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip checksum 33-45
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip checksum != 33-45
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# ip checksum { 33, 55, 67, 88}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip checksum != { 33, 55, 67, 88}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip saddr 192.168.2.0/24
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 3b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0002a8c0 ]
+
+# ip saddr != 192.168.2.0/24
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 3b @ network header + 12 => reg 1 ]
+  [ cmp neq reg 1 0x0002a8c0 ]
+
+# ip saddr 192.168.3.1 ip daddr 192.168.3.100
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0103a8c0 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x6403a8c0 ]
+
+# ip saddr 1.1.1.1
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x01010101 ]
+
+# ip daddr 192.168.0.1-192.168.0.250
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0100a8c0 ]
+  [ cmp lte reg 1 0xfa00a8c0 ]
+
+# ip daddr 10.0.0.0-10.255.255.255
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0000000a ]
+  [ cmp lte reg 1 0xffffff0a ]
+
+# ip daddr 172.16.0.0-172.31.255.255
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x000010ac ]
+  [ cmp lte reg 1 0xffff1fac ]
+
+# ip daddr 192.168.3.1-192.168.4.250
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0103a8c0 ]
+  [ cmp lte reg 1 0xfa04a8c0 ]
+
+# ip daddr != 192.168.0.1-192.168.0.250
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ range neq reg 1 0x0100a8c0 0xfa00a8c0 ]
+
+# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 0105a8c0  : 0 [end]	element 0205a8c0  : 0 [end]	element 0305a8c0  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 0105a8c0  : 0 [end]	element 0205a8c0  : 0 [end]	element 0305a8c0  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# ip daddr 192.168.1.2-192.168.1.55
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0201a8c0 ]
+  [ cmp lte reg 1 0x3701a8c0 ]
+
+# ip daddr != 192.168.1.2-192.168.1.55
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ range neq reg 1 0x0201a8c0 0x3701a8c0 ]
+
+# ip saddr 192.168.1.3-192.168.33.55
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp gte reg 1 0x0301a8c0 ]
+  [ cmp lte reg 1 0x3721a8c0 ]
+
+# ip saddr != 192.168.1.3-192.168.33.55
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ range neq reg 1 0x0301a8c0 0x3721a8c0 ]
+
+# ip daddr 192.168.0.1
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+
+# ip daddr 192.168.0.1 drop
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+  [ immediate reg 0 drop ]
+
+# ip saddr & 0xff == 1
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# ip saddr & 0.0.0.255 < 0.0.0.127
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0xff000000 ) ^ 0x00000000 ]
+  [ cmp lt reg 1 0x7f000000 ]
+
+# ip saddr & 0xffff0000 == 0xffff0000
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000ffff ]
+
+# ip version 4 ip hdrlength 5
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000040 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000005 ]
+
+# ip hdrlength 0
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# ip hdrlength 15
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000000f ]
+
+# ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter
+__map%d test-netdev f size 4
+__map%d test-netdev 0
+	element 00000000  : drop 0 [end]	element 00000005  : accept 0 [end]	element 00000006  : continue 0 [end]	element 00000007  : 1 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
+# ip ttl 233
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x000000e9 ]
+
+# ip protocol tcp
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+
+# ip protocol != tcp
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp neq reg 1 0x00000006 ]
+
+# ip saddr != 1.1.1.1
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp neq reg 1 0x01010101 ]
+
+# ip daddr 192.168.0.2
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0200a8c0 ]
+
+# ip dscp cs1
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000020 ]
+
+# ip dscp != cs1
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000020 ]
+
+# ip dscp 0x38
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x000000e0 ]
+
+# ip dscp != 0x20
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000080 ]
+
+# ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00000000  : 0 [end]	element 00000020  : 0 [end]	element 00000040  : 0 [end]	element 00000060  : 0 [end]	element 00000080  : 0 [end]	element 000000a0  : 0 [end]	element 000000c0  : 0 [end]	element 000000e0  : 0 [end]	element 00000028  : 0 [end]	element 00000030  : 0 [end]	element 00000038  : 0 [end]	element 00000048  : 0 [end]	element 00000050  : 0 [end]	element 00000058  : 0 [end]	element 00000068  : 0 [end]	element 00000070  : 0 [end]	element 00000078  : 0 [end]	element 00000088  : 0 [end]	element 00000090  : 0 [end]	element 00000098  : 0 [end]	element 000000b8  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip dscp != {cs0, cs3}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00000000  : 0 [end]	element 00000060  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip dscp vmap { cs1 : continue , cs4 : accept } counter
+__map%d test-netdev b size 2
+__map%d test-netdev 0
+	element 00000020  : continue 0 [end]	element 00000080  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
+# iif "lo" ip daddr set 127.0.0.1
+netdev test-netdev ingress
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ immediate reg 1 0x0100007f ]
+  [ payload write reg 1 => 4b @ network header + 16 csum_type 1 csum_off 10 csum_flags 0x1 ]
+
+# iif "lo" ip checksum set 0
+netdev test-netdev ingress
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ immediate reg 1 0x00000000 ]
+  [ payload write reg 1 => 2b @ network header + 10 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip id set 0
+netdev test-netdev ingress
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ immediate reg 1 0x00000000 ]
+  [ payload write reg 1 => 2b @ network header + 4 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip ecn set 1
+netdev test-netdev ingress
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000100 ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip ecn set ce
+netdev test-netdev ingress
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000fcff ) ^ 0x00000300 ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip dscp set af23
+netdev test-netdev ingress
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00005800 ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip dscp set cs0
+netdev test-netdev ingress
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00000000 ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip ttl set 23
+netdev test-netdev ingress
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 8 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff00 ) ^ 0x00000017 ]
+  [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x0 ]
+
+# iif "lo" ip protocol set 1
+netdev test-netdev ingress
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 8 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ]
+  [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ]
+
+# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 }
+__set%d test-netdev 87 size 1
+__set%d test-netdev 0
+        element 010200c0 0100000a  - 010200c0 0200000a  : 0 [end]
+netdev
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept }
+__map%d test-netdev 8f size 1
+__map%d test-netdev 0
+        element 0105a8c0 0106a8c0  - 8005a8c0 8006a8c0  : accept 0 [end]
+netdev
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip saddr 1.2.3.4 ip daddr 3.4.5.6
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x06050403 ]
+
+# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x04030201 ]
+  [ counter pkts 0 bytes 0 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x06050403 ]
diff --git a/tests/py/ip/ip.t.payload.netdev.got b/tests/py/ip/ip.t.payload.netdev.got
new file mode 100644
index 0000000..b3e2e35
--- /dev/null
+++ b/tests/py/ip/ip.t.payload.netdev.got
@@ -0,0 +1,24 @@
+# ip frag-off & 0x1fff != 0x0
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000ff1f ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip frag-off & 0x2000 != 0x0
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000020 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# ip frag-off & 0x4000 != 0x0
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000040 ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+
diff --git a/tests/py/ip/ip_tcp.t b/tests/py/ip/ip_tcp.t
new file mode 100644
index 0000000..ff398aa
--- /dev/null
+++ b/tests/py/ip/ip_tcp.t
@@ -0,0 +1,9 @@
+:input;type filter hook input priority 0
+
+*ip;test-ip;input
+
+# can remove ip dependency -- its redundant in ip family
+ip protocol tcp tcp dport 22;ok;tcp dport 22
+
+# but not here
+ip protocol tcp meta mark set 1 tcp dport 22;ok;ip protocol 6 meta mark set 0x00000001 tcp dport 22
diff --git a/tests/py/ip/ip_tcp.t.json b/tests/py/ip/ip_tcp.t.json
new file mode 100644
index 0000000..3757d6e
--- /dev/null
+++ b/tests/py/ip/ip_tcp.t.json
@@ -0,0 +1,64 @@
+# ip protocol tcp tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "tcp"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# ip protocol tcp meta mark set 1 tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "tcp"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
diff --git a/tests/py/ip/ip_tcp.t.json.output b/tests/py/ip/ip_tcp.t.json.output
new file mode 100644
index 0000000..2d671df
--- /dev/null
+++ b/tests/py/ip/ip_tcp.t.json.output
@@ -0,0 +1,52 @@
+# ip protocol tcp tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# ip protocol tcp meta mark set 1 tcp dport 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
diff --git a/tests/py/ip/ip_tcp.t.payload b/tests/py/ip/ip_tcp.t.payload
new file mode 100644
index 0000000..f6f640d
--- /dev/null
+++ b/tests/py/ip/ip_tcp.t.payload
@@ -0,0 +1,16 @@
+# ip protocol tcp tcp dport 22
+ip test-ip input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp meta mark set 1 tcp dport 22
+ip test-ip input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x00000001 ]
+  [ meta set mark with reg 1 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
diff --git a/tests/py/ip/masquerade.t b/tests/py/ip/masquerade.t
new file mode 100644
index 0000000..384ac72
--- /dev/null
+++ b/tests/py/ip/masquerade.t
@@ -0,0 +1,30 @@
+:postrouting;type nat hook postrouting priority 0
+
+*ip;test-ip4;postrouting
+
+# nf_nat flags combination
+udp dport 53 masquerade;ok
+udp dport 53 masquerade random;ok
+udp dport 53 masquerade random,persistent;ok
+udp dport 53 masquerade random,persistent,fully-random;ok;udp dport 53 masquerade random,fully-random,persistent
+udp dport 53 masquerade random,fully-random;ok
+udp dport 53 masquerade random,fully-random,persistent;ok
+udp dport 53 masquerade persistent;ok
+udp dport 53 masquerade persistent,random;ok;udp dport 53 masquerade random,persistent
+udp dport 53 masquerade persistent,random,fully-random;ok;udp dport 53 masquerade random,fully-random,persistent
+udp dport 53 masquerade persistent,fully-random;ok;udp dport 53 masquerade fully-random,persistent
+udp dport 53 masquerade persistent,fully-random,random;ok;udp dport 53 masquerade random,fully-random,persistent
+
+# using ports
+ip protocol 6 masquerade to :1024;ok
+ip protocol 6 masquerade to :1024-2048;ok
+
+# masquerade is a terminal statement
+tcp dport 22 masquerade counter packets 0 bytes 0 accept;fail
+tcp sport 22 masquerade accept;fail
+ip saddr 10.1.1.1 masquerade drop;fail
+
+# masquerade with sets
+tcp dport { 1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade;ok
+ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter masquerade;ok
+iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } masquerade;ok
diff --git a/tests/py/ip/masquerade.t.json b/tests/py/ip/masquerade.t.json
new file mode 100644
index 0000000..4a90c70
--- /dev/null
+++ b/tests/py/ip/masquerade.t.json
@@ -0,0 +1,429 @@
+# udp dport 53 masquerade
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": null
+    }
+]
+
+# udp dport 53 masquerade random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": "random"
+        }
+    }
+]
+
+# udp dport 53 masquerade random,persistent
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade random,persistent,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "random",
+                "persistent",
+                "fully-random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade random,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "random",
+                "fully-random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade random,fully-random,persistent
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "random",
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade persistent
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": "persistent"
+        }
+    }
+]
+
+# udp dport 53 masquerade persistent,random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "persistent",
+                "random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade persistent,random,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "persistent",
+                "random",
+                "fully-random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade persistent,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "persistent",
+                "fully-random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade persistent,fully-random,random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "persistent",
+                "fully-random",
+                "random"
+            ]
+        }
+    }
+]
+
+# ip protocol 6 masquerade to :1024
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "masquerade": {
+            "port": 1024
+        }
+    }
+]
+
+# ip protocol 6 masquerade to :1024-2048
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "masquerade": {
+            "port": {
+                "range": [ 1024, 2048 ]
+            }
+        }
+    }
+]
+
+# tcp dport { 1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    1,
+                    2,
+                    3,
+                    4,
+                    5,
+                    6,
+                    7,
+                    8,
+                    101,
+                    202,
+                    303,
+                    1001,
+                    2002,
+                    3003
+                ]
+            }
+        }
+    },
+    {
+        "masquerade": null
+    }
+]
+
+# ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter masquerade
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ "10.0.0.0", "10.2.3.4" ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "counter": null
+    },
+    {
+        "masquerade": null
+    }
+]
+
+# iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } masquerade
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "state"
+                }
+            },
+	    "op": "in",
+            "right": [
+                "established",
+                "new"
+            ]
+        }
+    },
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        22,
+                        {
+                            "drop": null
+                        }
+                    ],
+                    [
+                        222,
+                        {
+                            "drop": null
+                        }
+                    ]
+                ]
+            }
+        }
+    },
+    {
+        "masquerade": null
+    }
+]
+
diff --git a/tests/py/ip/masquerade.t.json.output b/tests/py/ip/masquerade.t.json.output
new file mode 100644
index 0000000..58e7e29
--- /dev/null
+++ b/tests/py/ip/masquerade.t.json.output
@@ -0,0 +1,123 @@
+# udp dport 53 masquerade random,persistent,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "random",
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade persistent,random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade persistent,random,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "random",
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade persistent,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade persistent,fully-random,random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "random",
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
diff --git a/tests/py/ip/masquerade.t.payload b/tests/py/ip/masquerade.t.payload
new file mode 100644
index 0000000..79e5285
--- /dev/null
+++ b/tests/py/ip/masquerade.t.payload
@@ -0,0 +1,142 @@
+# udp dport 53 masquerade
+ip test-ip4 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq ]
+
+# udp dport 53 masquerade random
+ip test-ip4 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x4 ]
+
+# udp dport 53 masquerade random,persistent
+ip test-ip4 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0xc ]
+
+# udp dport 53 masquerade random,persistent,fully-random
+ip test-ip4 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x1c ]
+
+# udp dport 53 masquerade random,fully-random
+ip test-ip4 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x14 ]
+
+# udp dport 53 masquerade random,fully-random,persistent
+ip test-ip4 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x1c ]
+
+# udp dport 53 masquerade persistent
+ip test-ip4 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x8 ]
+
+# udp dport 53 masquerade persistent,random
+ip test-ip4 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0xc ]
+
+# udp dport 53 masquerade persistent,random,fully-random
+ip test-ip4 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x1c ]
+
+# udp dport 53 masquerade persistent,fully-random
+ip test-ip4 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x18 ]
+
+# udp dport 53 masquerade persistent,fully-random,random
+ip test-ip4 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x1c ]
+
+# tcp dport { 1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000100  : 0 [end]	element 00000200  : 0 [end]	element 00000300  : 0 [end]	element 00000400  : 0 [end]	element 00000500  : 0 [end]	element 00000600  : 0 [end]	element 00000700  : 0 [end]	element 00000800  : 0 [end]	element 00006500  : 0 [end]	element 0000ca00  : 0 [end]	element 00002f01  : 0 [end]	element 0000e903  : 0 [end]	element 0000d207  : 0 [end]	element 0000bb0b  : 0 [end]
+ip test-ip4 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ masq ]
+
+# ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter masquerade
+ip test-ip4 postrouting
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0000000a ]
+  [ cmp lte reg 1 0x0403020a ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ counter pkts 0 bytes 0 ]
+  [ masq ]
+
+# iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } masquerade
+__map%d test-ip4 b
+__map%d test-ip4 0
+	element 00001600  : drop 0 [end]	element 0000de00  : drop 0 [end]
+ip test-ip4 postrouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ ct load state => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000a ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ masq ]
+
+# ip protocol 6 masquerade to :1024
+ip test-ip4 postrouting
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x00000004 ]
+  [ masq proto_min reg 1 flags 0x2 ]
+
+# ip protocol 6 masquerade to :1024-2048
+ip test-ip4 postrouting
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x00000004 ]
+  [ immediate reg 2 0x00000008 ]
+  [ masq proto_min reg 1 proto_max reg 2 flags 0x2 ]
+
diff --git a/tests/py/ip/meta.t b/tests/py/ip/meta.t
new file mode 100644
index 0000000..a88a614
--- /dev/null
+++ b/tests/py/ip/meta.t
@@ -0,0 +1,22 @@
+:input;type filter hook input priority 0
+
+*ip;test-ip4;input
+
+icmp type echo-request;ok
+meta l4proto icmp icmp type echo-request;ok;icmp type echo-request
+meta l4proto ipv6-icmp icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-advert
+meta l4proto 58 icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-advert
+icmpv6 type nd-router-advert;ok
+
+meta protocol ip udp dport 67;ok;udp dport 67
+
+meta ibrname "br0";fail
+meta obrname "br0";fail
+
+meta sdif "lo" accept;ok
+meta sdifname != "vrf1" accept;ok
+
+meta mark set ip dscp;ok
+
+meta mark set ip dscp << 2 | 0x10;ok
+meta mark set ip dscp << 26 | 0x10;ok
diff --git a/tests/py/ip/meta.t.json b/tests/py/ip/meta.t.json
new file mode 100644
index 0000000..25936db
--- /dev/null
+++ b/tests/py/ip/meta.t.json
@@ -0,0 +1,236 @@
+# icmp type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# meta l4proto icmp icmp type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+	    "op": "==",
+            "right": "icmp"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# meta l4proto ipv6-icmp icmpv6 type nd-router-advert
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+	    "op": "==",
+            "right": "ipv6-icmp"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "nd-router-advert"
+        }
+    }
+]
+
+# meta l4proto 58 icmpv6 type nd-router-advert
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+	    "op": "==",
+            "right": 58
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "nd-router-advert"
+        }
+    }
+]
+
+# icmpv6 type nd-router-advert
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "nd-router-advert"
+        }
+    }
+]
+
+# meta sdif "lo" accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "sdif"
+                }
+            },
+            "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta sdifname != "vrf1" accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "sdifname"
+                }
+            },
+            "op": "!=",
+            "right": "vrf1"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta protocol ip udp dport 67
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 67
+        }
+    }
+]
+
+# meta mark set ip dscp
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip"
+                }
+            }
+        }
+    }
+]
+
+# meta mark set ip dscp << 2 | 0x10
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "<<": [
+                            {
+                                "payload": {
+                                    "field": "dscp",
+                                    "protocol": "ip"
+                                }
+                            },
+                            2
+                        ]
+                    },
+                    16
+                ]
+            }
+        }
+    }
+]
+
+
+# meta mark set ip dscp << 26 | 0x10
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "<<": [
+                            {
+                                "payload": {
+                                    "field": "dscp",
+                                    "protocol": "ip"
+                                }
+                            },
+                            26
+                        ]
+                    },
+                    16
+                ]
+            }
+        }
+    }
+]
diff --git a/tests/py/ip/meta.t.json.output b/tests/py/ip/meta.t.json.output
new file mode 100644
index 0000000..091282b
--- /dev/null
+++ b/tests/py/ip/meta.t.json.output
@@ -0,0 +1,48 @@
+# meta l4proto icmp icmp type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# meta l4proto ipv6-icmp icmpv6 type nd-router-advert
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "nd-router-advert"
+        }
+    }
+]
+
+# meta l4proto 58 icmpv6 type nd-router-advert
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "nd-router-advert"
+        }
+    }
+]
+
diff --git a/tests/py/ip/meta.t.payload b/tests/py/ip/meta.t.payload
new file mode 100644
index 0000000..880ac5d
--- /dev/null
+++ b/tests/py/ip/meta.t.payload
@@ -0,0 +1,78 @@
+# icmp type echo-request
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# meta l4proto icmp icmp type echo-request
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# meta l4proto ipv6-icmp icmpv6 type nd-router-advert
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000086 ]
+
+# meta l4proto 58 icmpv6 type nd-router-advert
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000086 ]
+
+# icmpv6 type nd-router-advert
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000086 ]
+
+# meta sdif "lo" accept
+ip6 test-ip4 input
+  [ meta load sdif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ immediate reg 0 accept ]
+
+# meta sdifname != "vrf1" accept
+ip6 test-ip4 input
+  [ meta load sdifname => reg 1 ]
+  [ cmp neq reg 1 0x31667276 0x00000000 0x00000000 0x00000000 ]
+  [ immediate reg 0 accept ]
+
+# meta protocol ip udp dport 67
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00004300 ]
+
+# meta mark set ip dscp
+ip test-ip4 input
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+  [ meta set mark with reg 1 ]
+
+# meta mark set ip dscp << 2 | 0x10
+ip test-ip4 input
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+  [ bitwise reg 1 = ( reg 1 << 0x00000002 ) ]
+  [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ]
+  [ meta set mark with reg 1 ]
+
+# meta mark set ip dscp << 26 | 0x10
+ip
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+  [ bitwise reg 1 = ( reg 1 << 0x0000001a ) ]
+  [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ]
+  [ meta set mark with reg 1 ]
diff --git a/tests/py/ip/numgen.t b/tests/py/ip/numgen.t
new file mode 100644
index 0000000..2a88146
--- /dev/null
+++ b/tests/py/ip/numgen.t
@@ -0,0 +1,9 @@
+:pre;type nat hook prerouting priority 0
+*ip;test-ip4;pre
+
+ct mark set numgen inc mod 2;ok
+ct mark set numgen inc mod 2 offset 100;ok
+dnat to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.20.200 };ok
+dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200};ok
+dnat to numgen inc mod 7 offset 167772161;ok
+dnat to numgen inc mod 255 offset 167772161;ok
diff --git a/tests/py/ip/numgen.t.json b/tests/py/ip/numgen.t.json
new file mode 100644
index 0000000..6cf6604
--- /dev/null
+++ b/tests/py/ip/numgen.t.json
@@ -0,0 +1,129 @@
+# ct mark set numgen inc mod 2
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "numgen": {
+                    "mod": 2,
+                    "mode": "inc"
+                }
+            }
+        }
+    }
+]
+
+# ct mark set numgen inc mod 2 offset 100
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "numgen": {
+                    "mod": 2,
+                    "mode": "inc",
+                    "offset": 100
+                }
+            }
+        }
+    }
+]
+
+# dnat to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.20.200 }
+[
+    {
+        "dnat": {
+            "addr": {
+                "map": {
+                    "key": {
+                        "numgen": {
+                            "mod": 2,
+                            "mode": "inc"
+                        }
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                0,
+                                "192.168.10.100"
+                            ],
+                            [
+                                1,
+                                "192.168.20.200"
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
+# dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200}
+[
+    {
+        "dnat": {
+            "addr": {
+                "map": {
+                    "key": {
+                        "numgen": {
+                            "mod": 10,
+                            "mode": "inc"
+                        }
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                { "range": [ 0, 5 ] },
+                                "192.168.10.100"
+                            ],
+                            [
+                                { "range": [ 6, 9 ] },
+                                "192.168.20.200"
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
+# dnat to numgen inc mod 7 offset 167772161
+[
+    {
+        "dnat": {
+            "addr": {
+                "numgen": {
+                    "mod": 7,
+                    "mode": "inc",
+                    "offset": 167772161
+                }
+            }
+        }
+    }
+]
+
+# dnat to numgen inc mod 255 offset 167772161
+[
+    {
+        "dnat": {
+            "addr": {
+                "numgen": {
+                    "mod": 255,
+                    "mode": "inc",
+                    "offset": 167772161
+                }
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip/numgen.t.json.output b/tests/py/ip/numgen.t.json.output
new file mode 100644
index 0000000..06ad1ec
--- /dev/null
+++ b/tests/py/ip/numgen.t.json.output
@@ -0,0 +1,112 @@
+# ct mark set numgen inc mod 2
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "numgen": {
+                    "mod": 2,
+                    "mode": "inc",
+                    "offset": 0
+                }
+            }
+        }
+    }
+]
+
+# dnat to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.20.200 }
+[
+    {
+        "dnat": {
+            "addr": {
+                "map": {
+                    "key": {
+                        "numgen": {
+                            "mod": 2,
+                            "mode": "inc",
+                            "offset": 0
+                        }
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                0,
+                                "192.168.10.100"
+                            ],
+                            [
+                                1,
+                                "192.168.20.200"
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
+# dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200}
+[
+    {
+        "dnat": {
+            "addr": {
+                "map": {
+                    "key": {
+                        "numgen": {
+                            "mod": 10,
+                            "mode": "inc",
+                            "offset": 0
+                        }
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                { "range": [ 0, 5 ] },
+                                "192.168.10.100"
+                            ],
+                            [
+                                { "range": [ 6, 9 ] },
+                                "192.168.20.200"
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
+# dnat to numgen inc mod 7 offset 167772161
+[
+    {
+        "dnat": {
+            "addr": {
+                "numgen": {
+                    "mod": 7,
+                    "mode": "inc",
+                    "offset": 167772161
+                }
+            }
+        }
+    }
+]
+
+# dnat to numgen inc mod 255 offset 167772161
+[
+    {
+        "dnat": {
+            "addr": {
+                "numgen": {
+                    "mod": 255,
+                    "mode": "inc",
+                    "offset": 167772161
+                }
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip/numgen.t.payload b/tests/py/ip/numgen.t.payload
new file mode 100644
index 0000000..b4eadf8
--- /dev/null
+++ b/tests/py/ip/numgen.t.payload
@@ -0,0 +1,40 @@
+# ct mark set numgen inc mod 2
+ip test-ip4 pre
+  [ numgen reg 1 = inc mod 2 ]
+  [ ct set mark with reg 1 ]
+
+# dnat to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.20.200 }
+__map%d x b
+__map%d x 0
+        element 00000000  : 640aa8c0 0 [end]    element 00000001  : c814a8c0 0 [end]
+ip test-ip4 pre 
+  [ numgen reg 1 = inc mod 2 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat dnat ip addr_min reg 1 ]
+
+# dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200}
+__map%d test-ip4 f
+__map%d test-ip4 0
+        element 00000000  : 640aa8c0 0 [end]    element 06000000  : c814a8c0 0 [end]    element 0a000000  : 1 [end]
+ip test-ip4 pre
+  [ numgen reg 1 = inc mod 10 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat dnat ip addr_min reg 1 ]
+
+# ct mark set numgen inc mod 2 offset 100
+ip test-ip4 pre
+  [ numgen reg 1 = inc mod 2 offset 100 ]
+  [ ct set mark with reg 1 ]
+
+# dnat to numgen inc mod 7 offset 167772161
+ip test-ip4 pre
+  [ numgen reg 1 = inc mod 7 offset 167772161 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ nat dnat ip addr_min reg 1 ]
+
+# dnat to numgen inc mod 255 offset 167772161
+ip test-ip4 pre
+  [ numgen reg 1 = inc mod 255 offset 167772161 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ nat dnat ip addr_min reg 1 ]
diff --git a/tests/py/ip/objects.t b/tests/py/ip/objects.t
new file mode 100644
index 0000000..4fcde7c
--- /dev/null
+++ b/tests/py/ip/objects.t
@@ -0,0 +1,58 @@
+:output;type filter hook output priority 0
+
+*ip;test-ip4;output
+
+# counter
+%cnt1 type counter;ok
+%cnt2 type counter;ok
+
+ip saddr 192.168.1.3 counter name "cnt2";ok
+ip saddr 192.168.1.3 counter name "cnt3";fail
+counter name tcp dport map {443 : "cnt1", 80 : "cnt2", 22 : "cnt1"};ok
+
+# quota
+%qt1 type quota 25 mbytes;ok
+%qt2 type quota over 1 kbytes;ok
+
+ip saddr 192.168.1.3 quota name "qt1";ok
+ip saddr 192.168.1.3 quota name "qt3";fail
+quota name tcp dport map {443 : "qt1", 80 : "qt2", 22 : "qt1"};ok
+
+# ct helper
+%cthelp1 type ct helper { type "ftp" protocol tcp; };ok
+%cthelp2 type ct helper { type "ftp" protocol tcp; l3proto ip6; };fail
+
+ct helper set "cthelp1";ok
+ct helper set tcp dport map {21 : "cthelp1", 2121 : "cthelp1" };ok
+
+# limit
+%lim1 type limit rate 400/minute;ok
+%lim2 type limit rate over 1024 bytes/second burst 512 bytes;ok
+
+ip saddr 192.168.1.3 limit name "lim1";ok
+ip saddr 192.168.1.3 limit name "lim3";fail
+limit name tcp dport map {443 : "lim1", 80 : "lim2", 22 : "lim1"};ok
+
+# ct timeout
+%cttime1 type ct timeout { protocol tcp; policy = { established:122 } ;};ok
+%cttime2 type ct timeout { protocol udp; policy = { syn_sent:122 } ;};fail
+%cttime3 type ct timeout { protocol tcp; policy = { established:132, close:16, close_wait:16 } ; l3proto ip ;};ok
+%cttime4 type ct timeout { protocol udp; policy = { replied:14, unreplied:19 } ;};ok
+%cttime5 type ct timeout {protocol tcp; policy = { estalbished:100 } ;};fail
+
+ct timeout set "cttime1";ok
+
+# ct expectation
+%ctexpect1 type ct expectation { protocol tcp; dport 1234; timeout 2m; size 12; };ok
+%ctexpect2 type ct expectation { protocol udp; };fail
+%ctexpect3 type ct expectation { protocol tcp; dport 4321; };fail
+%ctexpect4 type ct expectation { protocol tcp; dport 4321; timeout 2m; };fail
+%ctexpect5 type ct expectation { protocol udp; dport 9876; timeout 2m; size 12; l3proto ip; };ok
+
+ct expectation set "ctexpect1";ok
+
+# synproxy
+%synproxy1 type synproxy mss 1460 wscale 7;ok
+%synproxy2 type synproxy mss 1460 wscale 7 timestamp sack-perm;ok
+
+synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"};ok
diff --git a/tests/py/ip/objects.t.json b/tests/py/ip/objects.t.json
new file mode 100644
index 0000000..a70dd9e
--- /dev/null
+++ b/tests/py/ip/objects.t.json
@@ -0,0 +1,229 @@
+# ip saddr 192.168.1.3 counter name "cnt2"
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "192.168.1.3"
+        }
+    },
+    {
+        "counter": "cnt2"
+    }
+]
+
+# counter name tcp dport map {443 : "cnt1", 80 : "cnt2", 22 : "cnt1"}
+[
+    {
+        "counter": {
+            "map": {
+                "key": {
+                    "payload": {
+                        "field": "dport",
+                        "protocol": "tcp"
+                    }
+                },
+                "data": {
+                    "set": [
+                        [
+                            443,
+                            "cnt1"
+                        ],
+                        [
+                            80,
+                            "cnt2"
+                        ],
+                        [
+                            22,
+                            "cnt1"
+                        ]
+                    ]
+                }
+            }
+        }
+    }
+]
+
+# ip saddr 192.168.1.3 quota name "qt1"
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "192.168.1.3"
+        }
+    },
+    {
+        "quota": "qt1"
+    }
+]
+
+# quota name tcp dport map {443 : "qt1", 80 : "qt2", 22 : "qt1"}
+[
+    {
+        "quota": {
+            "map": {
+                "key": {
+                    "payload": {
+                        "field": "dport",
+                        "protocol": "tcp"
+                    }
+                },
+                "data": {
+                    "set": [
+                        [
+                            443,
+                            "qt1"
+                        ],
+                        [
+                            80,
+                            "qt2"
+                        ],
+                        [
+                            22,
+                            "qt1"
+                        ]
+                    ]
+                }
+            }
+        }
+    }
+]
+
+# ct helper set "cthelp1"
+[
+    {
+        "ct helper": "cthelp1"
+    }
+]
+
+# ct helper set tcp dport map {21 : "cthelp1", 2121 : "cthelp1" }
+[
+    {
+        "ct helper": {
+            "map": {
+                "key": {
+                    "payload": {
+                        "field": "dport",
+                        "protocol": "tcp"
+                    }
+                },
+                "data": {
+                    "set": [
+                        [
+                            21,
+                            "cthelp1"
+                        ],
+                        [
+                            2121,
+                            "cthelp1"
+                        ]
+                    ]
+                }
+            }
+        }
+    }
+]
+
+# ip saddr 192.168.1.3 limit name "lim1"
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "192.168.1.3"
+        }
+    },
+    {
+        "limit": "lim1"
+    }
+]
+
+# limit name tcp dport map {443 : "lim1", 80 : "lim2", 22 : "lim1"}
+[
+    {
+        "limit": {
+            "map": {
+                "key": {
+                    "payload": {
+                        "field": "dport",
+                        "protocol": "tcp"
+                    }
+                },
+                "data": {
+                    "set": [
+                        [
+                            22,
+                            "lim1"
+                        ],
+                        [
+                            80,
+                            "lim2"
+                        ],
+                        [
+                            443,
+                            "lim1"
+                        ]
+                    ]
+                }
+            }
+        }
+    }
+]
+
+# ct timeout set "cttime1"
+[
+    {
+        "ct timeout": "cttime1"
+    }
+]
+
+# ct expectation set "ctexpect1"
+[
+    {
+        "ct expectation": "ctexpect1"
+    }
+]
+
+# synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"}
+[
+    {
+        "synproxy": {
+            "map": {
+                "key": {
+                    "payload": {
+                        "field": "dport",
+                        "protocol": "tcp"
+                    }
+                },
+                "data": {
+                    "set": [
+                        [
+                            80,
+                            "synproxy2"
+                        ],
+                        [
+                            443,
+                            "synproxy1"
+                        ]
+                    ]
+                }
+            }
+        }
+    }
+]
diff --git a/tests/py/ip/objects.t.json.output b/tests/py/ip/objects.t.json.output
new file mode 100644
index 0000000..ade195d
--- /dev/null
+++ b/tests/py/ip/objects.t.json.output
@@ -0,0 +1,64 @@
+# counter name tcp dport map {443 : "cnt1", 80 : "cnt2", 22 : "cnt1"}
+[
+    {
+        "counter": {
+            "map": {
+                "key": {
+                    "payload": {
+                        "field": "dport",
+                        "protocol": "tcp"
+                    }
+                },
+                "data": {
+                    "set": [
+                        [
+                            22,
+                            "cnt1"
+                        ],
+                        [
+                            80,
+                            "cnt2"
+                        ],
+                        [
+                            443,
+                            "cnt1"
+                        ]
+                    ]
+                }
+            }
+        }
+    }
+]
+
+# quota name tcp dport map {443 : "qt1", 80 : "qt2", 22 : "qt1"}
+[
+    {
+        "quota": {
+            "map": {
+                "key": {
+                    "payload": {
+                        "field": "dport",
+                        "protocol": "tcp"
+                    }
+                },
+                "data": {
+                    "set": [
+                        [
+                            22,
+                            "qt1"
+                        ],
+                        [
+                            80,
+                            "qt2"
+                        ],
+                        [
+                            443,
+                            "qt1"
+                        ]
+                    ]
+                }
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip/objects.t.payload b/tests/py/ip/objects.t.payload
new file mode 100644
index 0000000..5252724
--- /dev/null
+++ b/tests/py/ip/objects.t.payload
@@ -0,0 +1,79 @@
+# ip saddr 192.168.1.3 counter name "cnt2"
+ip test-ip4 output 
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0301a8c0 ]
+  [ objref type 1 name cnt2 ]
+
+# counter name tcp dport map {443 : "cnt1", 80 : "cnt2", 22 : "cnt1"}
+__objmap%d test-ip4 43
+__objmap%d test-ip4 0
+	element 0000bb01  : 0 [end]	element 00005000  : 0 [end]	element 00001600  : 0 [end]
+ip test-ip4 output 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ objref sreg 1 set __objmap%d ]
+
+# ip saddr 192.168.1.3 quota name "qt1"
+ip test-ip4 output 
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0301a8c0 ]
+  [ objref type 2 name qt1 ]
+
+# quota name tcp dport map {443 : "qt1", 80 : "qt2", 22 : "qt1"}
+__objmap%d test-ip4 43
+__objmap%d test-ip4 0
+	element 0000bb01  : 0 [end]	element 00005000  : 0 [end]	element 00001600  : 0 [end]
+ip test-ip4 output 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ objref sreg 1 set __objmap%d ]
+
+# ct helper set "cthelp1"
+ip test-ip4 output
+  [ objref type 3 name cthelp1 ]
+
+# ct helper set tcp dport map {21 : "cthelp1", 2121 : "cthelp1" }
+__objmap%d test-ip4 43
+__objmap%d test-ip4 0
+        element 00001500  : 0 [end]     element 00004908  : 0 [end]
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ objref sreg 1 set __objmap%d ]
+
+# ip saddr 192.168.1.3 limit name "lim1"
+ip test-ip4 output
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0301a8c0 ]
+  [ objref type 4 name lim1 ]
+
+# limit name tcp dport map {443 : "lim1", 80 : "lim2", 22 : "lim1"}
+__objmap%d test-ip4 43 size 3
+__objmap%d test-ip4 0
+        element 0000bb01  : 0 [end]     element 00005000  : 0 [end]     element 00001600  : 0 [end]
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ objref sreg 1 set __objmap%d ]
+
+# ct timeout set "cttime1"
+ip test-ip4 output
+  [ objref type 7 name cttime1 ]
+
+# ct expectation set "ctexpect1"
+ip test-ip4 output
+  [ objref type 9 name ctexpect1 ]
+
+# synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"}
+__objmap%d test-ip4 43 size 2
+__objmap%d test-ip4 0
+	element 0000bb01  : 0 [end]	element 00005000  : 0 [end]
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ objref sreg 1 set __objmap%d ]
diff --git a/tests/py/ip/redirect.t b/tests/py/ip/redirect.t
new file mode 100644
index 0000000..8c2b52f
--- /dev/null
+++ b/tests/py/ip/redirect.t
@@ -0,0 +1,51 @@
+:output;type nat hook output priority 0
+
+*ip;test-ip4;output
+
+# without arguments
+udp dport 53 redirect;ok
+
+# nf_nat flags combination
+udp dport 53 redirect random;ok
+udp dport 53 redirect random,persistent;ok
+udp dport 53 redirect random,persistent,fully-random;ok;udp dport 53 redirect random,fully-random,persistent
+udp dport 53 redirect random,fully-random;ok
+udp dport 53 redirect random,fully-random,persistent;ok
+udp dport 53 redirect persistent;ok
+udp dport 53 redirect persistent,random;ok;udp dport 53 redirect random,persistent
+udp dport 53 redirect persistent,random,fully-random;ok;udp dport 53 redirect random,fully-random,persistent
+udp dport 53 redirect persistent,fully-random;ok;udp dport 53 redirect fully-random,persistent
+udp dport 53 redirect persistent,fully-random,random;ok;udp dport 53 redirect random,fully-random,persistent
+
+# port specification
+tcp dport 22 redirect to :22;ok
+udp dport 1234 redirect to :4321;ok
+ip daddr 172.16.0.1 udp dport 9998 redirect to :6515;ok
+tcp dport 39128 redirect to :993;ok
+ip protocol tcp redirect to :100-200;ok;ip protocol 6 redirect to :100-200
+redirect to :1234;fail
+redirect to :12341111;fail
+
+# both port and nf_nat flags
+tcp dport 9128 redirect to :993 random;ok
+tcp dport 9128 redirect to :993 fully-random;ok
+tcp dport 9128 redirect to :123 persistent;ok
+tcp dport 9128 redirect to :123 random,persistent;ok
+
+# nf_nat flags is the last argument
+udp dport 1234 redirect random to 123;fail
+udp dport 21234 redirect persistent,fully-random to 431;fail
+
+# redirect is a terminal statement
+tcp dport 22 redirect counter packets 0 bytes 0 accept;fail
+tcp sport 22 redirect accept;fail
+ip saddr 10.1.1.1 redirect drop;fail
+
+# redirect with sets
+tcp dport { 1, 2, 3, 4, 5, 6, 7, 8, 101, 202, 303, 1001, 2002, 3003} redirect;ok
+ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter redirect;ok
+iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect;ok
+
+# redirect with maps
+redirect to :tcp dport map { 22 : 8000, 80 : 8080};ok
+
diff --git a/tests/py/ip/redirect.t.json b/tests/py/ip/redirect.t.json
new file mode 100644
index 0000000..2afdf9b
--- /dev/null
+++ b/tests/py/ip/redirect.t.json
@@ -0,0 +1,625 @@
+# udp dport 53 redirect
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": null
+    }
+]
+
+# udp dport 53 redirect random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": "random"
+        }
+    }
+]
+
+# udp dport 53 redirect random,persistent
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect random,persistent,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "random",
+                "persistent",
+                "fully-random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect random,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "random",
+                "fully-random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect random,fully-random,persistent
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "random",
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect persistent
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": "persistent"
+        }
+    }
+]
+
+# udp dport 53 redirect persistent,random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "persistent",
+                "random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect persistent,random,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "persistent",
+                "random",
+                "fully-random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect persistent,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "persistent",
+                "fully-random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect persistent,fully-random,random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "persistent",
+                "fully-random",
+                "random"
+            ]
+        }
+    }
+]
+
+# tcp dport 22 redirect to :22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "redirect": {
+            "port": 22
+        }
+    }
+]
+
+# udp dport 1234 redirect to :4321
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 1234
+        }
+    },
+    {
+        "redirect": {
+            "port": 4321
+        }
+    }
+]
+
+# ip daddr 172.16.0.1 udp dport 9998 redirect to :6515
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "172.16.0.1"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 9998
+        }
+    },
+    {
+        "redirect": {
+            "port": 6515
+        }
+    }
+]
+
+# tcp dport 39128 redirect to :993
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 39128
+        }
+    },
+    {
+        "redirect": {
+            "port": 993
+        }
+    }
+]
+
+# ip protocol tcp redirect to :100-200
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "tcp"
+        }
+    },
+    {
+        "redirect": {
+            "port": {
+                "range": [ 100, 200 ]
+            }
+        }
+    }
+]
+
+# tcp dport 9128 redirect to :993 random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 9128
+        }
+    },
+    {
+        "redirect": {
+            "flags": "random",
+            "port": 993
+        }
+    }
+]
+
+# tcp dport 9128 redirect to :993 fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 9128
+        }
+    },
+    {
+        "redirect": {
+            "flags": "fully-random",
+            "port": 993
+        }
+    }
+]
+
+# tcp dport 9128 redirect to :123 persistent
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 9128
+        }
+    },
+    {
+        "redirect": {
+            "flags": "persistent",
+            "port": 123
+        }
+    }
+]
+
+# tcp dport 9128 redirect to :123 random,persistent
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 9128
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "random",
+                "persistent"
+            ],
+            "port": 123
+        }
+    }
+]
+
+# tcp dport { 1, 2, 3, 4, 5, 6, 7, 8, 101, 202, 303, 1001, 2002, 3003} redirect
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    1,
+                    2,
+                    3,
+                    4,
+                    5,
+                    6,
+                    7,
+                    8,
+                    101,
+                    202,
+                    303,
+                    1001,
+                    2002,
+                    3003
+                ]
+            }
+        }
+    },
+    {
+        "redirect": null
+    }
+]
+
+# ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter redirect
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ "10.0.0.0", "10.2.3.4" ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "counter": null
+    },
+    {
+        "redirect": null
+    }
+]
+
+# iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "state"
+                }
+            },
+	    "op": "in",
+            "right": [
+                "established",
+                "new"
+            ]
+        }
+    },
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        22,
+                        {
+                            "drop": null
+                        }
+                    ],
+                    [
+                        222,
+                        {
+                            "drop": null
+                        }
+                    ]
+                ]
+            }
+        }
+    },
+    {
+        "redirect": null
+    }
+]
+
+# redirect to :tcp dport map { 22 : 8000, 80 : 8080}
+[
+    {
+        "redirect": {
+            "port": {
+                "map": {
+                    "key": {
+                        "payload": {
+                            "field": "dport",
+                            "protocol": "tcp"
+                        }
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                22,
+                                8000
+                            ],
+                            [
+                                80,
+                                8080
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip/redirect.t.json.output b/tests/py/ip/redirect.t.json.output
new file mode 100644
index 0000000..4646c60
--- /dev/null
+++ b/tests/py/ip/redirect.t.json.output
@@ -0,0 +1,146 @@
+# udp dport 53 redirect random,persistent,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "random",
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect persistent,random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect persistent,random,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "random",
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect persistent,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect persistent,fully-random,random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "random",
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# ip protocol tcp redirect to :100-200
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "redirect": {
+            "port": {
+                "range": [ 100, 200 ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip/redirect.t.payload b/tests/py/ip/redirect.t.payload
new file mode 100644
index 0000000..4bed47c
--- /dev/null
+++ b/tests/py/ip/redirect.t.payload
@@ -0,0 +1,220 @@
+# udp dport 53 redirect
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir ]
+
+# udp dport 53 redirect random
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0x4 ]
+
+# udp dport 53 redirect random,persistent
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0xc ]
+
+# udp dport 53 redirect random,persistent,fully-random
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0x1c ]
+
+# udp dport 53 redirect random,fully-random
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0x14 ]
+
+# udp dport 53 redirect random,fully-random,persistent
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0x1c ]
+
+# udp dport 53 redirect persistent
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0x8 ]
+
+# udp dport 53 redirect persistent,random
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0xc ]
+
+# udp dport 53 redirect persistent,random,fully-random
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0x1c ]
+
+# udp dport 53 redirect persistent,fully-random
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0x18 ]
+
+# udp dport 53 redirect persistent,fully-random,random
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0x1c ]
+
+# tcp dport 22 redirect to :22
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ immediate reg 1 0x00001600 ]
+  [ redir proto_min reg 1 flags 0x2 ]
+
+# udp dport 1234 redirect to :4321
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000d204 ]
+  [ immediate reg 1 0x0000e110 ]
+  [ redir proto_min reg 1 flags 0x2 ]
+
+# ip daddr 172.16.0.1 udp dport 9998 redirect to :6515
+ip test-ip4 output
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x010010ac ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00000e27 ]
+  [ immediate reg 1 0x00007319 ]
+  [ redir proto_min reg 1 flags 0x2 ]
+
+# tcp dport 39128 redirect to :993
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000d898 ]
+  [ immediate reg 1 0x0000e103 ]
+  [ redir proto_min reg 1 flags 0x2 ]
+
+# ip protocol tcp redirect to :100-200
+ip test-ip4 output
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x00006400 ]
+  [ immediate reg 2 0x0000c800 ]
+  [ redir proto_min reg 1 proto_max reg 2 flags 0x2 ]
+
+# tcp dport 9128 redirect to :993 random
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000a823 ]
+  [ immediate reg 1 0x0000e103 ]
+  [ redir proto_min reg 1 flags 0x6 ]
+
+# tcp dport 9128 redirect to :993 fully-random
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000a823 ]
+  [ immediate reg 1 0x0000e103 ]
+  [ redir proto_min reg 1 flags 0x12 ]
+
+# tcp dport 9128 redirect to :123 persistent
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000a823 ]
+  [ immediate reg 1 0x00007b00 ]
+  [ redir proto_min reg 1 flags 0xa ]
+
+# tcp dport 9128 redirect to :123 random,persistent
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000a823 ]
+  [ immediate reg 1 0x00007b00 ]
+  [ redir proto_min reg 1 flags 0xe ]
+
+# tcp dport { 1, 2, 3, 4, 5, 6, 7, 8, 101, 202, 303, 1001, 2002, 3003} redirect
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000100  : 0 [end]	element 00000200  : 0 [end]	element 00000300  : 0 [end]	element 00000400  : 0 [end]	element 00000500  : 0 [end]	element 00000600  : 0 [end]	element 00000700  : 0 [end]	element 00000800  : 0 [end]	element 00006500  : 0 [end]	element 0000ca00  : 0 [end]	element 00002f01  : 0 [end]	element 0000e903  : 0 [end]	element 0000d207  : 0 [end]	element 0000bb0b  : 0 [end]
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ redir ]
+
+# ip daddr 10.0.0.0-10.2.3.4 udp dport 53 counter redirect
+ip test-ip4 output
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp gte reg 1 0x0000000a ]
+  [ cmp lte reg 1 0x0403020a ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ counter pkts 0 bytes 0 ]
+  [ redir ]
+
+# iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect
+__map%d test-ip4 b
+__map%d test-ip4 0
+	element 00001600  : drop 0 [end]	element 0000de00  : drop 0 [end]
+ip test-ip4 output
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ ct load state => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000a ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ redir ]
+
+# redirect to :tcp dport map { 22 : 8000, 80 : 8080}
+__map%d test-ip4 b
+__map%d test-ip4 0
+        element 00001600  : 0000401f 0 [end]    element 00005000  : 0000901f 0 [end]
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ redir proto_min reg 1 flags 0x2 ]
+
diff --git a/tests/py/ip/reject.t b/tests/py/ip/reject.t
new file mode 100644
index 0000000..ad00994
--- /dev/null
+++ b/tests/py/ip/reject.t
@@ -0,0 +1,17 @@
+:output;type filter hook output priority 0
+
+*ip;test-ip4;output
+
+reject;ok
+reject with icmp host-unreachable;ok
+reject with icmp net-unreachable;ok
+reject with icmp prot-unreachable;ok
+reject with icmp port-unreachable;ok;reject
+reject with icmp net-prohibited;ok
+reject with icmp host-prohibited;ok
+reject with icmp admin-prohibited;ok
+reject with icmp 3;ok;reject
+mark 0x80000000 reject with tcp reset;ok;meta mark 0x80000000 reject with tcp reset
+
+reject with icmp no-route;fail
+reject with icmpv6 no-route;fail
diff --git a/tests/py/ip/reject.t.json b/tests/py/ip/reject.t.json
new file mode 100644
index 0000000..3e1d28d
--- /dev/null
+++ b/tests/py/ip/reject.t.json
@@ -0,0 +1,105 @@
+# reject
+[
+    {
+        "reject": null
+    }
+]
+
+# reject with icmp host-unreachable
+[
+    {
+        "reject": {
+            "expr": "host-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp net-unreachable
+[
+    {
+        "reject": {
+            "expr": "net-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp prot-unreachable
+[
+    {
+        "reject": {
+            "expr": "prot-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp port-unreachable
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp net-prohibited
+[
+    {
+        "reject": {
+            "expr": "net-prohibited",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp host-prohibited
+[
+    {
+        "reject": {
+            "expr": "host-prohibited",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp admin-prohibited
+[
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp 3
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# mark 0x80000000 reject with tcp reset
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "mark" }
+            },
+	    "op": "==",
+            "right": "0x80000000"
+        }
+    },
+    {
+        "reject": {
+            "type": "tcp reset"
+        }
+    }
+]
+
diff --git a/tests/py/ip/reject.t.json.output b/tests/py/ip/reject.t.json.output
new file mode 100644
index 0000000..3917413
--- /dev/null
+++ b/tests/py/ip/reject.t.json.output
@@ -0,0 +1,28 @@
+# reject
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# mark 0x80000000 reject with tcp reset
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "mark" }
+            },
+	    "op": "==",
+            "right": 2147483648
+        }
+    },
+    {
+        "reject": {
+            "type": "tcp reset"
+        }
+    }
+]
+
diff --git a/tests/py/ip/reject.t.payload b/tests/py/ip/reject.t.payload
new file mode 100644
index 0000000..5829065
--- /dev/null
+++ b/tests/py/ip/reject.t.payload
@@ -0,0 +1,44 @@
+# reject
+ip test-ip4 output
+  [ reject type 0 code 3 ]
+
+# reject with icmp host-unreachable
+ip test-ip4 output
+  [ reject type 0 code 1 ]
+
+# reject with icmp net-unreachable
+ip test-ip4 output
+  [ reject type 0 code 0 ]
+
+# reject with icmp prot-unreachable
+ip test-ip4 output
+  [ reject type 0 code 2 ]
+
+# reject with icmp port-unreachable
+ip test-ip4 output
+  [ reject type 0 code 3 ]
+
+# reject with icmp net-prohibited
+ip test-ip4 output
+  [ reject type 0 code 9 ]
+
+# reject with icmp host-prohibited
+ip test-ip4 output
+  [ reject type 0 code 10 ]
+
+# reject with icmp admin-prohibited
+ip test-ip4 output
+  [ reject type 0 code 13 ]
+
+# reject with icmp 3
+ip test-ip4 output
+  [ reject type 0 code 3 ]
+
+# mark 0x80000000 reject with tcp reset
+ip test-ip4 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ meta load mark => reg 1 ]
+  [ cmp eq reg 1 0x80000000 ]
+  [ reject type 1 code 0 ]
+
diff --git a/tests/py/ip/rt.t b/tests/py/ip/rt.t
new file mode 100644
index 0000000..986bf34
--- /dev/null
+++ b/tests/py/ip/rt.t
@@ -0,0 +1,7 @@
+:output;type filter hook input priority 0
+
+*ip;test-ip4;output
+
+rt nexthop 192.168.0.1;ok;rt ip nexthop 192.168.0.1
+rt nexthop fd00::1;fail
+rt ip6 nexthop fd00::1;fail
diff --git a/tests/py/ip/rt.t.json b/tests/py/ip/rt.t.json
new file mode 100644
index 0000000..41dbe34
--- /dev/null
+++ b/tests/py/ip/rt.t.json
@@ -0,0 +1,16 @@
+# rt nexthop 192.168.0.1
+[
+    {
+        "match": {
+            "left": {
+                "rt": {
+                    "family": "ip",
+                    "key": "nexthop"
+                }
+            },
+	    "op": "==",
+            "right": "192.168.0.1"
+        }
+    }
+]
+
diff --git a/tests/py/ip/rt.t.payload b/tests/py/ip/rt.t.payload
new file mode 100644
index 0000000..93eef4a
--- /dev/null
+++ b/tests/py/ip/rt.t.payload
@@ -0,0 +1,5 @@
+# rt nexthop 192.168.0.1
+ip test-ip4 output
+  [ rt load nexthop4 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+
diff --git a/tests/py/ip/sets.t b/tests/py/ip/sets.t
new file mode 100644
index 0000000..46d9686
--- /dev/null
+++ b/tests/py/ip/sets.t
@@ -0,0 +1,68 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+!w type ipv4_addr;ok
+!x type inet_proto;ok
+!y type inet_service;ok
+!z type time;ok
+
+!set1 type ipv4_addr;ok
+?set1 192.168.3.4;ok
+
+?set1 192.168.3.4;ok
+?set1 192.168.3.5, 192.168.3.6;ok
+?set1 192.168.3.5, 192.168.3.6;ok
+?set1 192.168.3.8, 192.168.3.9;ok
+?set1 192.168.3.10, 192.168.3.11;ok
+?set1 1234:1234:1234:1234:1234:1234:1234:1234;fail
+?set2 192.168.3.4;fail
+
+!set2 type ipv4_addr;ok
+?set2 192.168.3.4;ok
+?set2 192.168.3.5, 192.168.3.6;ok
+?set2 192.168.3.5, 192.168.3.6;ok
+?set2 192.168.3.8, 192.168.3.9;ok
+?set2 192.168.3.10, 192.168.3.11;ok
+
+ip saddr @set1 drop;ok
+ip saddr != @set1 drop;ok
+ip saddr @set2 drop;ok
+ip saddr != @set2 drop;ok
+ip saddr @set33 drop;fail
+ip saddr != @set33 drop;fail
+
+!set3 type ipv4_addr flags interval;ok
+?set3 192.168.0.0/16;ok
+?set3 172.16.0.0/12;ok
+?set3 10.0.0.0/8;ok
+
+!set4 type ipv4_addr flags interval;ok
+?set4 192.168.1.0/24;ok
+?set4 192.168.0.0/24;ok
+?set4 192.168.2.0/24;ok
+?set4 192.168.1.1;fail
+?set4 192.168.3.0/24;ok
+
+!set5 type ipv4_addr . ipv4_addr;ok
+ip saddr . ip daddr @set5 drop;ok
+add @set5 { ip saddr . ip daddr };ok
+
+!map1 type ipv4_addr . ipv4_addr : mark;ok
+add @map1 { ip saddr . ip daddr : meta mark };ok
+
+# test nested anonymous sets
+ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 };ok;ip saddr { 1.1.1.0, 2.2.2.0, 3.3.3.0 }
+ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 };ok;ip saddr { 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 }
+
+!set6 type ipv4_addr;ok
+?set6 192.168.3.5, *;ok
+ip saddr @set6 drop;ok
+
+ip saddr vmap { 1.1.1.1 : drop, * : accept };ok
+meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 };ok
+
diff --git a/tests/py/ip/sets.t.json b/tests/py/ip/sets.t.json
new file mode 100644
index 0000000..44ca152
--- /dev/null
+++ b/tests/py/ip/sets.t.json
@@ -0,0 +1,305 @@
+# ip saddr @set1 drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "@set1"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# ip saddr != @set1 drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": "@set1"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# ip saddr @set2 drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "@set2"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# ip saddr != @set2 drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": "@set2"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# ip saddr . ip daddr @set5 drop
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip"
+                        }
+                    }
+                ]
+            },
+	    "op": "==",
+            "right": "@set5"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# add @set5 { ip saddr . ip daddr }
+[
+    {
+        "set": {
+            "elem": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip"
+                        }
+                    }
+                ]
+            },
+            "op": "add",
+            "set": "@set5"
+        }
+    }
+]
+
+# ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 }
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "1.1.1.0",
+                    "2.2.2.0",
+                    "3.3.3.0"
+                ]
+            }
+        }
+    }
+]
+
+# ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 }
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "prefix": {
+                            "addr": "1.1.1.0",
+                            "len": 24
+                        }
+                    },
+                    {
+                        "prefix": {
+                            "addr": "2.2.2.0",
+                            "len": 24
+                        }
+                    },
+                    {
+                        "prefix": {
+                            "addr": "3.3.3.0",
+                            "len": 24
+                        }
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# ip saddr @set6 drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": "@set6"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# ip saddr vmap { 1.1.1.1 : drop, * : accept }
+[
+    {
+        "vmap": {
+            "data": {
+                "set": [
+                    [
+                        "1.1.1.1",
+                        {
+                            "drop": null
+                        }
+                    ],
+                    [
+                        "*",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            },
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip"
+                }
+            }
+        }
+    }
+]
+
+# meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 }
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                "1.1.1.1",
+                                1
+                            ],
+                            [
+                                "*",
+                                2
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    }
+                }
+            }
+        }
+    }
+]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+[
+    {
+        "map": {
+            "data": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "elem": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip"
+                        }
+                    }
+                ]
+            },
+            "map": "@map1",
+            "op": "add"
+        }
+    }
+]
+
diff --git a/tests/py/ip/sets.t.json.got b/tests/py/ip/sets.t.json.got
new file mode 100644
index 0000000..8fae580
--- /dev/null
+++ b/tests/py/ip/sets.t.json.got
@@ -0,0 +1,62 @@
+# add @map1 { ip saddr . ip daddr : meta mark }
+[
+    {
+        "set": {
+            "data": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "elem": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip"
+                        }
+                    }
+                ]
+            },
+            "map": "@map1",
+            "op": "add"
+        }
+    }
+]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+[
+    {
+        "map": {
+            "data": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "elem": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip"
+                        }
+                    }
+                ]
+            },
+            "map": "@map1",
+            "op": "add"
+        }
+    }
+]
+
diff --git a/tests/py/ip/sets.t.json.payload.got b/tests/py/ip/sets.t.json.payload.got
new file mode 100644
index 0000000..daf27aa
--- /dev/null
+++ b/tests/py/ip/sets.t.json.payload.got
@@ -0,0 +1,157 @@
+# add @map1 { ip saddr . ip daddr : meta mark }
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+netdev test-netdev egress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+netdev test-netdev egress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+netdev test-netdev egress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+netdev test-netdev egress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+netdev test-netdev egress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+netdev test-netdev egress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
diff --git a/tests/py/ip/sets.t.payload.inet b/tests/py/ip/sets.t.payload.inet
new file mode 100644
index 0000000..fd6517a
--- /dev/null
+++ b/tests/py/ip/sets.t.payload.inet
@@ -0,0 +1,106 @@
+# ip saddr @set1 drop
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set1 ]
+  [ immediate reg 0 drop ]
+
+# ip saddr != @set1 drop
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set1 0x1 ]
+  [ immediate reg 0 drop ]
+
+# ip saddr @set2 drop
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set2 ]
+  [ immediate reg 0 drop ]
+
+# ip saddr != @set2 drop
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set2 0x1 ]
+  [ immediate reg 0 drop ]
+
+# ip saddr . ip daddr @set5 drop
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ lookup reg 1 set set5 ]
+  [ immediate reg 0 drop ]
+
+# add @set5 { ip saddr . ip daddr }
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ dynset add reg_key 1 set set5 ]
+
+# ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 }
+__set%d t 3
+__set%d t 0
+	element 00010101  : 0 [end]	element 00030303  : 0 [end]	element 00020202  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 }
+__set%d t 7
+__set%d t 0
+	element 00000000  : 1 [end]	element 00010101  : 0 [end]	element 00020101  : 1 [end]	element 00020202  : 0 [end]	element 00030202  : 1 [end]	element 00030303  : 0 [end]	element 00040303  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip saddr @set6 drop
+inet
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set6 ]
+  [ immediate reg 0 drop ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
+# ip saddr vmap { 1.1.1.1 : drop, * : accept }
+__map%d test-inet b
+__map%d test-inet 0
+        element 01010101  : drop 0 [end]        element  : accept 2 [end]
+inet
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 }
+__map%d test-inet b
+__map%d test-inet 0
+        element 01010101  : 00000001 0 [end]    element  : 00000002 2 [end]
+inet
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ meta set mark with reg 1 ]
diff --git a/tests/py/ip/sets.t.payload.ip b/tests/py/ip/sets.t.payload.ip
new file mode 100644
index 0000000..d9cc32b
--- /dev/null
+++ b/tests/py/ip/sets.t.payload.ip
@@ -0,0 +1,83 @@
+# ip saddr @set1 drop
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set1 ]
+  [ immediate reg 0 drop ]
+
+# ip saddr != @set1 drop
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set1 0x1 ]
+  [ immediate reg 0 drop ]
+
+# ip saddr @set2 drop
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set2 ]
+  [ immediate reg 0 drop ]
+
+# ip saddr != @set2 drop
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set2 0x1 ]
+  [ immediate reg 0 drop ]
+
+# ip saddr . ip daddr @set5 drop
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ lookup reg 1 set set5 ]
+  [ immediate reg 0 drop ]
+
+# add @set5 { ip saddr . ip daddr }
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ dynset add reg_key 1 set set5 ]
+
+# ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 }
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00010101  : 0 [end]	element 00030303  : 0 [end]	element 00020202  : 0 [end]
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 }
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00010101  : 0 [end]	element 00020101  : 1 [end]	element 00020202  : 0 [end]	element 00030202  : 1 [end]	element 00030303  : 0 [end]	element 00040303  : 1 [end]
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip saddr @set6 drop
+ip
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set6 ]
+  [ immediate reg 0 drop ]
+
+# ip saddr vmap { 1.1.1.1 : drop, * : accept }
+__map%d test-ip4 b
+__map%d test-ip4 0
+        element 01010101  : drop 0 [end]        element  : accept 2 [end]
+ip
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 }
+__map%d test-ip4 b
+__map%d test-ip4 0
+        element 01010101  : 00000001 0 [end]    element  : 00000002 2 [end]
+ip
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ meta set mark with reg 1 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
diff --git a/tests/py/ip/sets.t.payload.ip.got b/tests/py/ip/sets.t.payload.ip.got
new file mode 100644
index 0000000..c43a0c5
--- /dev/null
+++ b/tests/py/ip/sets.t.payload.ip.got
@@ -0,0 +1,14 @@
+# add @map5 { ip saddr . ip daddr : meta mark }
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map5 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
diff --git a/tests/py/ip/sets.t.payload.netdev b/tests/py/ip/sets.t.payload.netdev
new file mode 100644
index 0000000..d41b9e8
--- /dev/null
+++ b/tests/py/ip/sets.t.payload.netdev
@@ -0,0 +1,107 @@
+# ip saddr @set1 drop
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set1 ]
+  [ immediate reg 0 drop ]
+
+# ip saddr != @set1 drop
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set1 0x1 ]
+  [ immediate reg 0 drop ]
+
+# ip saddr @set2 drop
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set2 ]
+  [ immediate reg 0 drop ]
+
+# ip saddr != @set2 drop
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set2 0x1 ]
+  [ immediate reg 0 drop ]
+
+# ip saddr . ip daddr @set5 drop
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ lookup reg 1 set set5 ]
+  [ immediate reg 0 drop ]
+
+# add @set5 { ip saddr . ip daddr }
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ dynset add reg_key 1 set set5 ]
+
+# ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 }
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00010101  : 0 [end]	element 00030303  : 0 [end]	element 00020202  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 }
+__set%d test-netdev 7
+__set%d test-netdev 0
+	element 00000000  : 1 [end]	element 00010101  : 0 [end]	element 00020101  : 1 [end]	element 00020202  : 0 [end]	element 00030202  : 1 [end]	element 00030303  : 0 [end]	element 00040303  : 1 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip saddr @set6 drop
+netdev
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set6 ]
+  [ immediate reg 0 drop ]
+
+# ip saddr vmap { 1.1.1.1 : drop, * : accept }
+__map%d test-netdev b
+__map%d test-netdev 0
+        element 01010101  : drop 0 [end]        element  : accept 2 [end]
+netdev
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 }
+__map%d test-netdev b
+__map%d test-netdev 0
+        element 01010101  : 00000001 0 [end]    element  : 00000002 2 [end]
+netdev
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ meta set mark with reg 1 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
diff --git a/tests/py/ip/sets.t.payload.netdev.got b/tests/py/ip/sets.t.payload.netdev.got
new file mode 100644
index 0000000..4c80527
--- /dev/null
+++ b/tests/py/ip/sets.t.payload.netdev.got
@@ -0,0 +1,18 @@
+# add @map5 { ip saddr . ip daddr : meta mark }
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map5 sreg_data 10 ]
+
+# add @map1 { ip saddr . ip daddr : meta mark }
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 4b @ network header + 16 => reg 9 ]
+  [ meta load mark => reg 10 ]
+  [ dynset add reg_key 1 set map1 sreg_data 10 ]
+
diff --git a/tests/py/ip/snat.t b/tests/py/ip/snat.t
new file mode 100644
index 0000000..d4b0d2c
--- /dev/null
+++ b/tests/py/ip/snat.t
@@ -0,0 +1,21 @@
+:postrouting;type nat hook postrouting priority 0
+
+*ip;test-ip4;postrouting
+
+iifname "eth0" tcp dport 80-90 snat to 192.168.3.2;ok
+iifname "eth0" tcp dport != 80-90 snat to 192.168.3.2;ok
+iifname "eth0" tcp dport {80, 90, 23} snat to 192.168.3.2;ok
+iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2;ok
+iifname "eth0" tcp dport 80-90 snat to 192.168.3.0-192.168.3.255;ok;iifname "eth0" tcp dport 80-90 snat to 192.168.3.0/24
+iifname "eth0" tcp dport 80-90 snat to 192.168.3.15-192.168.3.240;ok
+
+iifname "eth0" tcp dport != 23-34 snat to 192.168.3.2;ok
+
+meta l4proto 17 snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 };ok
+snat ip to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 };ok
+snat ip to ip saddr map { 10.141.12.14 : 192.168.2.0/24 };ok
+snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 };ok
+
+meta l4proto { 6, 17} snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80};ok
+snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 };fail
+snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80 };fail
diff --git a/tests/py/ip/snat.t.json b/tests/py/ip/snat.t.json
new file mode 100644
index 0000000..967560e
--- /dev/null
+++ b/tests/py/ip/snat.t.json
@@ -0,0 +1,530 @@
+# iifname "eth0" tcp dport 80-90 snat to 192.168.3.2
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 80, 90 ]
+            }
+        }
+    },
+    {
+        "snat": {
+            "addr": "192.168.3.2"
+        }
+    }
+]
+
+# iifname "eth0" tcp dport != 80-90 snat to 192.168.3.2
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 80, 90 ]
+            }
+        }
+    },
+    {
+        "snat": {
+            "addr": "192.168.3.2"
+        }
+    }
+]
+
+# iifname "eth0" tcp dport {80, 90, 23} snat to 192.168.3.2
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    80,
+                    90,
+                    23
+                ]
+            }
+        }
+    },
+    {
+        "snat": {
+            "addr": "192.168.3.2"
+        }
+    }
+]
+
+# iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    80,
+                    90,
+                    23
+                ]
+            }
+        }
+    },
+    {
+        "snat": {
+            "addr": "192.168.3.2"
+        }
+    }
+]
+
+# iifname "eth0" tcp dport != 23-34 snat to 192.168.3.2
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 23, 34 ]
+            }
+        }
+    },
+    {
+        "snat": {
+            "addr": "192.168.3.2"
+        }
+    }
+]
+
+# iifname "eth0" tcp dport 80-90 snat to 192.168.3.0-192.168.3.255
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "iifname"
+                }
+            },
+            "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [
+                    80,
+                    90
+                ]
+            }
+        }
+    },
+    {
+        "snat": {
+            "addr": {
+                "prefix": {
+                    "addr": "192.168.3.0",
+                    "len": 24
+                }
+            }
+        }
+    }
+]
+
+# iifname "eth0" tcp dport 80-90 snat to 192.168.3.15-192.168.3.240
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "iifname"
+                }
+            },
+            "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [
+                    80,
+                    90
+                ]
+            }
+        }
+    },
+    {
+        "snat": {
+            "addr": {
+                "range": [
+                    "192.168.3.15",
+                    "192.168.3.240"
+                ]
+            }
+        }
+    }
+]
+
+# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }
+[
+    {
+        "snat": {
+            "addr": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                "10.141.11.4",
+                                {
+                                    "concat": [
+                                        "192.168.2.3",
+                                        80
+                                    ]
+                                }
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    }
+                }
+            },
+            "family": "ip",
+            "type_flags": "concat"
+        }
+    }
+]
+
+# snat ip interval to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }
+[
+    {
+        "snat": {
+            "addr": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                "10.141.11.4",
+                                {
+                                    "range": [
+                                        "192.168.2.2",
+                                        "192.168.2.4"
+                                    ]
+                                }
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    }
+                }
+            },
+            "family": "ip",
+            "type_flags": "interval"
+        }
+    }
+]
+
+# snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 }
+[
+    {
+        "snat": {
+            "addr": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                {
+                                    "prefix": {
+                                        "addr": "10.141.11.0",
+                                        "len": 24
+                                    }
+                                },
+                                {
+                                    "prefix": {
+                                        "addr": "192.168.2.0",
+                                        "len": 24
+                                    }
+                                }
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    }
+                }
+            },
+            "family": "ip",
+            "flags": "netmap",
+            "type_flags": [
+                "interval",
+                "prefix"
+            ]
+        }
+    }
+]
+
+# meta l4proto 17 snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": "udp"
+        }
+    },
+    {
+        "snat": {
+            "addr": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                "10.141.11.4",
+                                {
+                                    "concat": [
+                                        "192.168.2.3",
+                                        80
+                                    ]
+                                }
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    }
+                }
+            },
+            "family": "ip"
+        }
+    }
+]
+
+# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }
+[
+    {
+        "snat": {
+            "addr": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                "10.141.11.4",
+                                {
+                                    "range": [
+                                        "192.168.2.2",
+                                        "192.168.2.4"
+                                    ]
+                                }
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    }
+                }
+            },
+            "family": "ip"
+        }
+    }
+]
+
+# snat ip to ip saddr map { 10.141.12.14 : 192.168.2.0/24 }
+[
+    {
+        "snat": {
+            "addr": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                "10.141.12.14",
+                                {
+                                    "prefix": {
+                                        "addr": "192.168.2.0",
+                                        "len": 24
+                                    }
+                                }
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    }
+                }
+            },
+            "family": "ip"
+        }
+    }
+]
+
+# meta l4proto { 6, 17} snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80}
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "tcp",
+                    "udp"
+                ]
+            }
+        }
+    },
+    {
+        "snat": {
+            "addr": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                {
+                                    "concat": [
+                                        "10.141.11.4",
+                                        20
+                                    ]
+                                },
+                                {
+                                    "concat": [
+                                        "192.168.2.3",
+                                        80
+                                    ]
+                                }
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "concat": [
+                            {
+                                "payload": {
+                                    "field": "saddr",
+                                    "protocol": "ip"
+                                }
+                            },
+                            {
+                                "payload": {
+                                    "field": "dport",
+                                    "protocol": "th"
+                                }
+                            }
+                        ]
+                    }
+                }
+            },
+            "family": "ip"
+        }
+    }
+]
+
diff --git a/tests/py/ip/snat.t.json.output b/tests/py/ip/snat.t.json.output
new file mode 100644
index 0000000..2a99780
--- /dev/null
+++ b/tests/py/ip/snat.t.json.output
@@ -0,0 +1,249 @@
+# iifname "eth0" tcp dport {80, 90, 23} snat to 192.168.3.2
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    23,
+                    80,
+                    90
+                ]
+            }
+        }
+    },
+    {
+        "snat": {
+            "addr": "192.168.3.2"
+        }
+    }
+]
+
+# iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    23,
+                    80,
+                    90
+                ]
+            }
+        }
+    },
+    {
+        "snat": {
+            "addr": "192.168.3.2"
+        }
+    }
+]
+
+# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }
+[
+    {
+        "snat": {
+            "addr": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                "10.141.11.4",
+                                {
+                                    "concat": [
+                                        "192.168.2.3",
+                                        80
+                                    ]
+                                }
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    }
+                }
+            },
+            "family": "ip"
+        }
+    }
+]
+
+# meta l4proto 17 snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 17
+        }
+    },
+    {
+        "snat": {
+            "addr": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                "10.141.11.4",
+                                {
+                                    "concat": [
+                                        "192.168.2.3",
+                                        80
+                                    ]
+                                }
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    }
+                }
+            },
+            "family": "ip"
+        }
+    }
+]
+
+# meta l4proto { 6, 17} snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80}
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    6,
+                    17
+                ]
+            }
+        }
+    },
+    {
+        "snat": {
+            "addr": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                {
+                                    "concat": [
+                                        "10.141.11.4",
+                                        20
+                                    ]
+                                },
+                                {
+                                    "concat": [
+                                        "192.168.2.3",
+                                        80
+                                    ]
+                                }
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "concat": [
+                            {
+                                "payload": {
+                                    "field": "saddr",
+                                    "protocol": "ip"
+                                }
+                            },
+                            {
+                                "payload": {
+                                    "field": "dport",
+                                    "protocol": "th"
+                                }
+                            }
+                        ]
+                    }
+                }
+            },
+            "family": "ip"
+        }
+    }
+]
+
+# snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 }
+[
+    {
+        "snat": {
+            "addr": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [
+                                {
+                                    "prefix": {
+                                        "addr": "10.141.11.0",
+                                        "len": 24
+                                    }
+                                },
+                                {
+                                    "prefix": {
+                                        "addr": "192.168.2.0",
+                                        "len": 24
+                                    }
+                                }
+                            ]
+                        ]
+                    },
+                    "key": {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip"
+                        }
+                    }
+                }
+            },
+            "family": "ip",
+            "flags": "netmap",
+            "type_flags": "prefix"
+        }
+    }
+]
+
diff --git a/tests/py/ip/snat.t.payload b/tests/py/ip/snat.t.payload
new file mode 100644
index 0000000..71a5e2f
--- /dev/null
+++ b/tests/py/ip/snat.t.payload
@@ -0,0 +1,154 @@
+# iifname "eth0" tcp dport 80-90 snat to 192.168.3.2
+ip test-ip4 postrouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00005000 ]
+  [ cmp lte reg 1 0x00005a00 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat snat ip addr_min reg 1 ]
+
+# iifname "eth0" tcp dport != 80-90 snat to 192.168.3.2
+ip test-ip4 postrouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ range neq reg 1 0x00005000 0x00005a00 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat snat ip addr_min reg 1 ]
+
+# iifname "eth0" tcp dport {80, 90, 23} snat to 192.168.3.2
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00005000  : 0 [end]	element 00005a00  : 0 [end]	element 00001700  : 0 [end]
+ip test-ip4 postrouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat snat ip addr_min reg 1 ]
+
+# iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00005000  : 0 [end]	element 00005a00  : 0 [end]	element 00001700  : 0 [end]
+ip test-ip4 postrouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat snat ip addr_min reg 1 ]
+
+# iifname "eth0" tcp dport != 23-34 snat to 192.168.3.2
+ip test-ip4 postrouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ range neq reg 1 0x00001700 0x00002200 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat snat ip addr_min reg 1 ]
+
+# iifname "eth0" tcp dport 80-90 snat to 192.168.3.0-192.168.3.255
+ip
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00005000 ]
+  [ cmp lte reg 1 0x00005a00 ]
+  [ immediate reg 1 0x0003a8c0 ]
+  [ immediate reg 2 0xff03a8c0 ]
+  [ nat snat ip addr_min reg 1 addr_max reg 2 ]
+
+# iifname "eth0" tcp dport 80-90 snat to 192.168.3.15-192.168.3.240
+ip
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00005000 ]
+  [ cmp lte reg 1 0x00005a00 ]
+  [ immediate reg 1 0x0f03a8c0 ]
+  [ immediate reg 2 0xf003a8c0 ]
+  [ nat snat ip addr_min reg 1 addr_max reg 2 ]
+
+# meta l4proto 17 snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }
+__map%d test-ip4 b size 1
+__map%d test-ip4 0
+	element 040b8d0a  : 0302a8c0 00005000 0 [end]
+ip
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat snat ip addr_min reg 1 proto_min reg 9 ]
+
+# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }
+__map%d test-ip4 b size 1
+__map%d test-ip4 0
+	element 040b8d0a  : 0202a8c0 0402a8c0 0 [end]
+ip 
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat snat ip addr_min reg 1 addr_max reg 9 ]
+
+# snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 }
+__map%d test-ip4 f size 3
+__map%d test-ip4 0
+	element 00000000  : 1 [end]	element 000b8d0a  : 0002a8c0 ff02a8c0 0 [end]	element 000c8d0a  : 1 [end]
+ip 
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat snat ip addr_min reg 1 addr_max reg 9 flags 0x40 ]
+
+# snat ip to ip saddr map { 10.141.12.14 : 192.168.2.0/24 }
+__map%d test-ip4 b size 1
+__map%d test-ip4 0
+        element 0e0c8d0a  : 0002a8c0 ff02a8c0 0 [end]
+ip
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat snat ip addr_min reg 1 addr_max reg 9 ]
+
+# meta l4proto { 6, 17} snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80}
+__set%d test-ip4 3 size 2
+__set%d test-ip4 0
+        element 00000006  : 0 [end]     element 00000011  : 0 [end]
+__map%d test-ip4 b size 1
+__map%d test-ip4 0
+        element 040b8d0a 00001400  : 0302a8c0 00005000 0 [end]
+ip
+  [ meta load l4proto => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ payload load 2b @ transport header + 2 => reg 9 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat snat ip addr_min reg 1 proto_min reg 9 ]
+
+# ip daddr 192.168.0.1 dnat to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 }
+__map%d x b size 2
+__map%d x 0
+        element 0000bb01  : 040a8d0a 0000fb20 0 [end]   element 00005000  : 040a8d0a 0000901f 0 [end]
+ip
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat dnat ip addr_min reg 1 proto_min reg 9 ]
+
diff --git a/tests/py/ip/tcp.t b/tests/py/ip/tcp.t
new file mode 100644
index 0000000..4dcfcb6
--- /dev/null
+++ b/tests/py/ip/tcp.t
@@ -0,0 +1,6 @@
+:input;type filter hook input priority 0
+
+*ip;test-ip;input
+
+ip protocol tcp tcp dport ssh accept;ok;tcp dport 22 accept
+ip protocol ne tcp udp dport ssh accept;ok;ip protocol != 6 udp dport 22 accept
diff --git a/tests/py/ip/tcp.t.json b/tests/py/ip/tcp.t.json
new file mode 100644
index 0000000..d2c0915
--- /dev/null
+++ b/tests/py/ip/tcp.t.json
@@ -0,0 +1,62 @@
+# ip protocol tcp tcp dport ssh accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+	    "op": "==",
+            "right": "tcp"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": "ssh"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ip protocol ne tcp udp dport ssh accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": "tcp"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": "ssh"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
diff --git a/tests/py/ip/tcp.t.json.output b/tests/py/ip/tcp.t.json.output
new file mode 100644
index 0000000..7e89854
--- /dev/null
+++ b/tests/py/ip/tcp.t.json.output
@@ -0,0 +1,50 @@
+# ip protocol tcp tcp dport ssh accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# ip protocol ne tcp udp dport ssh accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "!=",
+            "right": 6
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
diff --git a/tests/py/ip/tcp.t.payload b/tests/py/ip/tcp.t.payload
new file mode 100644
index 0000000..58956d9
--- /dev/null
+++ b/tests/py/ip/tcp.t.payload
@@ -0,0 +1,18 @@
+# ip protocol tcp tcp dport ssh accept
+ip test-ip input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ immediate reg 0 accept ]
+
+# ip protocol ne tcp udp dport ssh accept
+ip test-ip input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp neq reg 1 0x00000006 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ immediate reg 0 accept ]
+
diff --git a/tests/py/ip/tproxy.t b/tests/py/ip/tproxy.t
new file mode 100644
index 0000000..544c519
--- /dev/null
+++ b/tests/py/ip/tproxy.t
@@ -0,0 +1,14 @@
+:y;type filter hook prerouting priority -150
+
+*ip;x;y
+
+tproxy;fail
+tproxy to 192.0.2.1;fail
+tproxy to 192.0.2.1:50080;fail
+tproxy to :50080;fail
+meta l4proto 17 tproxy to 192.0.2.1;ok
+meta l4proto 6 tproxy to 192.0.2.1:50080;ok
+ip protocol 6 tproxy to :50080;ok
+meta l4proto 17 tproxy ip to 192.0.2.1;ok;meta l4proto 17 tproxy to 192.0.2.1
+meta l4proto 6 tproxy ip to 192.0.2.1:50080;ok;meta l4proto 6 tproxy to 192.0.2.1:50080
+ip protocol 6 tproxy ip to :50080;ok;ip protocol 6 tproxy to :50080
diff --git a/tests/py/ip/tproxy.t.json b/tests/py/ip/tproxy.t.json
new file mode 100644
index 0000000..4635fc1
--- /dev/null
+++ b/tests/py/ip/tproxy.t.json
@@ -0,0 +1,126 @@
+# meta l4proto 17 tproxy to 192.0.2.1
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 17
+        }
+    },
+    {
+        "tproxy": {
+            "addr": "192.0.2.1"
+        }
+    }
+]
+
+# meta l4proto 6 tproxy to 192.0.2.1:50080
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "tproxy": {
+            "addr": "192.0.2.1",
+            "port": 50080
+        }
+    }
+]
+
+# ip protocol 6 tproxy to :50080
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "tproxy": {
+            "port": 50080
+        }
+    }
+]
+
+# meta l4proto 17 tproxy ip to 192.0.2.1
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 17
+        }
+    },
+    {
+        "tproxy": {
+            "addr": "192.0.2.1",
+            "family": "ip"
+        }
+    }
+]
+
+# meta l4proto 6 tproxy ip to 192.0.2.1:50080
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "tproxy": {
+            "addr": "192.0.2.1",
+            "family": "ip",
+            "port": 50080
+        }
+    }
+]
+
+# ip protocol 6 tproxy ip to :50080
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "tproxy": {
+            "family": "ip",
+            "port": 50080
+        }
+    }
+]
diff --git a/tests/py/ip/tproxy.t.json.output b/tests/py/ip/tproxy.t.json.output
new file mode 100644
index 0000000..2690f22
--- /dev/null
+++ b/tests/py/ip/tproxy.t.json.output
@@ -0,0 +1,61 @@
+# meta l4proto 17 tproxy ip to 192.0.2.1
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 17
+        }
+    },
+    {
+        "tproxy": {
+            "addr": "192.0.2.1"
+        }
+    }
+]
+
+# meta l4proto 6 tproxy ip to 192.0.2.1:50080
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "tproxy": {
+            "addr": "192.0.2.1",
+            "port": 50080
+        }
+    }
+]
+
+# ip protocol 6 tproxy ip to :50080
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "protocol",
+                    "protocol": "ip"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "tproxy": {
+            "port": 50080
+        }
+    }
+]
diff --git a/tests/py/ip/tproxy.t.payload b/tests/py/ip/tproxy.t.payload
new file mode 100644
index 0000000..dfe830e
--- /dev/null
+++ b/tests/py/ip/tproxy.t.payload
@@ -0,0 +1,44 @@
+# meta l4proto 17 tproxy to 192.0.2.1
+ip x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ tproxy ip addr reg 1 ]
+
+# meta l4proto 6 tproxy to 192.0.2.1:50080
+ip x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ immediate reg 2 0x0000a0c3 ]
+  [ tproxy ip addr reg 1 port reg 2 ]
+
+# ip protocol 6 tproxy to :50080
+ip x y 
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x0000a0c3 ]
+  [ tproxy ip port reg 1 ]
+
+# meta l4proto 17 tproxy ip to 192.0.2.1
+ip x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ tproxy ip addr reg 1 ]
+
+# meta l4proto 6 tproxy ip to 192.0.2.1:50080
+ip x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ immediate reg 2 0x0000a0c3 ]
+  [ tproxy ip addr reg 1 port reg 2 ]
+
+# ip protocol 6 tproxy ip to :50080
+ip x y 
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x0000a0c3 ]
+  [ tproxy ip port reg 1 ]
+
diff --git a/tests/py/ip6/chains.t b/tests/py/ip6/chains.t
new file mode 100644
index 0000000..e78f9e0
--- /dev/null
+++ b/tests/py/ip6/chains.t
@@ -0,0 +1,17 @@
+# filter chains available are: input, output, forward, forward, prerouting and postrouting.
+:filter-input;type filter hook input priority 0
+:filter-prer;type filter hook prerouting priority 0
+:filter-forw-t;type filter hook forward priority 0
+:filter-out-t;type filter hook output priority 0
+:filter-post-t;type filter hook postrouting priority 0
+
+# nat chains available are: input, output, forward, prerouting and postrouting.
+:nat-input;type nat hook input priority 0
+:nat-prerouting;type nat hook prerouting priority 0
+:nat-output;type nat hook output priority 0
+:nat-postrou;type nat hook postrouting priority 0
+
+# route chain available is output.
+:route-out;type route hook output priority 0
+
+*ip6;test-ip6;filter-input,filter-prer,filter-forw-t,filter-out-t,filter-post-t,nat-input,nat-prerouting,nat-output,nat-postrou,route-out
diff --git a/tests/py/ip6/ct.t b/tests/py/ip6/ct.t
new file mode 100644
index 0000000..c06fd6a
--- /dev/null
+++ b/tests/py/ip6/ct.t
@@ -0,0 +1,9 @@
+:output;type filter hook output priority 0
+
+*ip6;test-ip6;output
+
+ct mark set ip6 dscp << 2 | 0x10;ok
+ct mark set ip6 dscp << 26 | 0x10;ok
+ct mark set ip6 dscp | 0x04;ok
+ct mark set ip6 dscp | 0xff000000;ok
+ct mark set ip6 dscp & 0x0f << 2;ok;ct mark set ip6 dscp & 0x3c
diff --git a/tests/py/ip6/ct.t.json b/tests/py/ip6/ct.t.json
new file mode 100644
index 0000000..7d8c88b
--- /dev/null
+++ b/tests/py/ip6/ct.t.json
@@ -0,0 +1,293 @@
+# ct mark set ip6 dscp lshift 2 or 0x10
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "<<": [
+                            {
+                                "payload": {
+                                    "field": "dscp",
+                                    "protocol": "ip6"
+                                }
+                            },
+                            2
+                        ]
+                    },
+                    16
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set ip6 dscp lshift 26 or 0x10
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "<<": [
+                            {
+                                "payload": {
+                                    "field": "dscp",
+                                    "protocol": "ip6"
+                                }
+                            },
+                            26
+                        ]
+                    },
+                    16
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set ip6 dscp << 2 | 0x10
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "<<": [
+                            {
+                                "payload": {
+                                    "field": "dscp",
+                                    "protocol": "ip6"
+                                }
+                            },
+                            2
+                        ]
+                    },
+                    16
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set ip6 dscp << 26 | 0x10
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "<<": [
+                            {
+                                "payload": {
+                                    "field": "dscp",
+                                    "protocol": "ip6"
+                                }
+                            },
+                            26
+                        ]
+                    },
+                    16
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set ip6 dscp | 0x04
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "payload": {
+                            "field": "dscp",
+                            "protocol": "ip6"
+                        }
+                    },
+                    4
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set ip6 dscp | 0xff000000
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "payload": {
+                            "field": "dscp",
+                            "protocol": "ip6"
+                        }
+                    },
+                    4278190080
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set ip6 dscp << 2 | 0x10
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "<<": [
+                            {
+                                "payload": {
+                                    "field": "dscp",
+                                    "protocol": "ip6"
+                                }
+                            },
+                            2
+                        ]
+                    },
+                    16
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set ip6 dscp << 26 | 0x10
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "<<": [
+                            {
+                                "payload": {
+                                    "field": "dscp",
+                                    "protocol": "ip6"
+                                }
+                            },
+                            26
+                        ]
+                    },
+                    16
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set ip6 dscp | 0x04
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "payload": {
+                            "field": "dscp",
+                            "protocol": "ip6"
+                        }
+                    },
+                    4
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set ip6 dscp | 0xff000000
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "payload": {
+                            "field": "dscp",
+                            "protocol": "ip6"
+                        }
+                    },
+                    4278190080
+                ]
+            }
+        }
+    }
+]
+
+# ct mark set ip6 dscp & 0x0f << 2
+[
+    {
+        "mangle": {
+            "key": {
+                "ct": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "&": [
+                    {
+                        "payload": {
+                            "field": "dscp",
+                            "protocol": "ip6"
+                        }
+                    },
+                    60
+                ]
+            }
+        }
+    }
+]
diff --git a/tests/py/ip6/ct.t.payload b/tests/py/ip6/ct.t.payload
new file mode 100644
index 0000000..944208f
--- /dev/null
+++ b/tests/py/ip6/ct.t.payload
@@ -0,0 +1,46 @@
+# ct mark set ip6 dscp << 2 | 0x10
+ip6 test-ip6 output
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+  [ bitwise reg 1 = ( reg 1 << 0x00000002 ) ]
+  [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set ip6 dscp << 26 | 0x10
+ip6 test-ip6 output
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+  [ bitwise reg 1 = ( reg 1 << 0x0000001a ) ]
+  [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set ip6 dscp | 0x04
+ip6 test-ip6 output
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+  [ bitwise reg 1 = ( reg 1 & 0xfffffffb ) ^ 0x00000004 ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set ip6 dscp | 0xff000000
+ip6 test-ip6 output
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+  [ bitwise reg 1 = ( reg 1 & 0x00ffffff ) ^ 0xff000000 ]
+  [ ct set mark with reg 1 ]
+
+# ct mark set ip6 dscp & 0x0f << 2
+ip6 test-ip6 output
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000003c ) ^ 0x00000000 ]
+  [ ct set mark with reg 1 ]
diff --git a/tests/py/ip6/dnat.t b/tests/py/ip6/dnat.t
new file mode 100644
index 0000000..89d5a5f
--- /dev/null
+++ b/tests/py/ip6/dnat.t
@@ -0,0 +1,9 @@
+:prerouting;type nat hook prerouting priority 0
+
+*ip6;test-ip6;prerouting
+
+tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100;ok
+tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:100;ok
+tcp dport 80-90 dnat to [2001:838:35f:1::]:80;ok
+dnat to [2001:838:35f:1::]/64;ok;dnat to 2001:838:35f:1::/64
+dnat to 2001:838:35f:1::-2001:838:35f:1:ffff:ffff:ffff:ffff;ok;dnat to 2001:838:35f:1::/64
diff --git a/tests/py/ip6/dnat.t.json b/tests/py/ip6/dnat.t.json
new file mode 100644
index 0000000..cbfdb68
--- /dev/null
+++ b/tests/py/ip6/dnat.t.json
@@ -0,0 +1,106 @@
+# tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 80, 90 ]
+            }
+        }
+    },
+    {
+        "dnat": {
+            "addr": {
+                "range": [ "2001:838:35f:1::", "2001:838:35f:2::" ]
+            },
+            "port": {
+                "range": [ 80, 100 ]
+            }
+        }
+    }
+]
+
+# tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:100
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 80, 90 ]
+            }
+        }
+    },
+    {
+        "dnat": {
+            "addr": {
+                "range": [ "2001:838:35f:1::", "2001:838:35f:2::" ]
+            },
+            "port": 100
+        }
+    }
+]
+
+# tcp dport 80-90 dnat to [2001:838:35f:1::]:80
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 80, 90 ]
+            }
+        }
+    },
+    {
+        "dnat": {
+            "addr": "2001:838:35f:1::",
+            "port": 80
+        }
+    }
+]
+
+# dnat to [2001:838:35f:1::]/64
+[
+    {
+        "dnat": {
+            "addr": {
+                "prefix": {
+                    "addr": "2001:838:35f:1::",
+                    "len": 64
+                }
+            }
+        }
+    }
+]
+
+# dnat to 2001:838:35f:1::-2001:838:35f:1:ffff:ffff:ffff:ffff
+[
+    {
+        "dnat": {
+            "addr": {
+                "prefix": {
+                    "addr": "2001:838:35f:1::",
+                    "len": 64
+                }
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip6/dnat.t.payload.ip6 b/tests/py/ip6/dnat.t.payload.ip6
new file mode 100644
index 0000000..004ffde
--- /dev/null
+++ b/tests/py/ip6/dnat.t.payload.ip6
@@ -0,0 +1,47 @@
+# tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100
+ip6 test-ip6 prerouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00005000 ]
+  [ cmp lte reg 1 0x00005a00 ]
+  [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ]
+  [ immediate reg 2 0x38080120 0x02005f03 0x00000000 0x00000000 ]
+  [ immediate reg 3 0x00005000 ]
+  [ immediate reg 4 0x00006400 ]
+  [ nat dnat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 flags 0x2 ]
+
+# tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:100
+ip6 test-ip6 prerouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00005000 ]
+  [ cmp lte reg 1 0x00005a00 ]
+  [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ]
+  [ immediate reg 2 0x38080120 0x02005f03 0x00000000 0x00000000 ]
+  [ immediate reg 3 0x00006400 ]
+  [ nat dnat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 flags 0x2 ]
+
+# tcp dport 80-90 dnat to [2001:838:35f:1::]:80
+ip6 test-ip6 prerouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00005000 ]
+  [ cmp lte reg 1 0x00005a00 ]
+  [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ]
+  [ immediate reg 2 0x00005000 ]
+  [ nat dnat ip6 addr_min reg 1 proto_min reg 2 flags 0x2 ]
+
+# dnat to [2001:838:35f:1::]/64
+ip6 test-ip6 prerouting
+  [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ]
+  [ immediate reg 2 0x38080120 0x01005f03 0xffffffff 0xffffffff ]
+  [ nat dnat ip6 addr_min reg 1 addr_max reg 2 ]
+
+# dnat to 2001:838:35f:1::-2001:838:35f:1:ffff:ffff:ffff:ffff
+ip6 test-ip6 prerouting
+  [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ]
+  [ immediate reg 2 0x38080120 0x01005f03 0xffffffff 0xffffffff ]
+  [ nat dnat ip6 addr_min reg 1 addr_max reg 2 ]
diff --git a/tests/py/ip6/dst.t b/tests/py/ip6/dst.t
new file mode 100644
index 0000000..cd1fd3b
--- /dev/null
+++ b/tests/py/ip6/dst.t
@@ -0,0 +1,21 @@
+:input;type filter hook input priority 0
+
+*ip6;test-ip6;input
+*inet;test-inet;input
+
+dst nexthdr 22;ok
+dst nexthdr != 233;ok
+dst nexthdr 33-45;ok
+dst nexthdr != 33-45;ok
+dst nexthdr { 33, 55, 67, 88};ok
+dst nexthdr != { 33, 55, 67, 88};ok
+dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok;dst nexthdr { 51, 50, 17, 136, 58, 6, 33, 132, 108}
+dst nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok;dst nexthdr != { 51, 50, 17, 136, 58, 6, 33, 132, 108}
+dst nexthdr icmp;ok;dst nexthdr 1
+dst nexthdr != icmp;ok;dst nexthdr != 1
+
+dst hdrlength 22;ok
+dst hdrlength != 233;ok
+dst hdrlength 33-45;ok
+dst hdrlength != 33-45;ok
+dst hdrlength { 33, 55, 67, 88};ok
diff --git a/tests/py/ip6/dst.t.json b/tests/py/ip6/dst.t.json
new file mode 100644
index 0000000..e947a76
--- /dev/null
+++ b/tests/py/ip6/dst.t.json
@@ -0,0 +1,315 @@
+# dst nexthdr 22
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "dst"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# dst nexthdr != 233
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "dst"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# dst nexthdr 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "dst"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# dst nexthdr != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "dst"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# dst nexthdr { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "dst"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# dst nexthdr != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "dst"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "dst"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "udplite",
+                    "ipcomp",
+                    "udp",
+                    "ah",
+                    "sctp",
+                    "esp",
+                    "dccp",
+                    "tcp",
+                    "ipv6-icmp"
+                ]
+            }
+        }
+    }
+]
+
+# dst nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "dst"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "udplite",
+                    "ipcomp",
+                    "udp",
+                    "ah",
+                    "sctp",
+                    "esp",
+                    "dccp",
+                    "tcp",
+                    "ipv6-icmp"
+                ]
+            }
+        }
+    }
+]
+
+# dst nexthdr icmp
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "dst"
+                }
+            },
+	    "op": "==",
+            "right": "icmp"
+        }
+    }
+]
+
+# dst nexthdr != icmp
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "dst"
+                }
+            },
+            "op": "!=",
+            "right": "icmp"
+        }
+    }
+]
+
+# dst hdrlength 22
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "dst"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# dst hdrlength != 233
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "dst"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# dst hdrlength 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "dst"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# dst hdrlength != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "dst"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# dst hdrlength { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "dst"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# dst hdrlength != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "dst"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
diff --git a/tests/py/ip6/dst.t.json.output b/tests/py/ip6/dst.t.json.output
new file mode 100644
index 0000000..69d8f68
--- /dev/null
+++ b/tests/py/ip6/dst.t.json.output
@@ -0,0 +1,88 @@
+# dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "dst"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    6,
+                    17,
+                    33,
+                    50,
+                    51,
+                    58,
+                    108,
+                    132,
+                    136
+                ]
+            }
+        }
+    }
+]
+
+# dst nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "dst"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    6,
+                    17,
+                    33,
+                    50,
+                    51,
+                    58,
+                    108,
+                    132,
+                    136
+                ]
+            }
+        }
+    }
+]
+
+# dst nexthdr icmp
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "dst"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# dst nexthdr != icmp
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "dst"
+                }
+            },
+            "op": "!=",
+            "right": 1
+        }
+    }
+]
+
diff --git a/tests/py/ip6/dst.t.payload.inet b/tests/py/ip6/dst.t.payload.inet
new file mode 100644
index 0000000..90d6bda
--- /dev/null
+++ b/tests/py/ip6/dst.t.payload.inet
@@ -0,0 +1,131 @@
+# dst nexthdr 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# dst nexthdr != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# dst nexthdr 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# dst nexthdr != 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# dst nexthdr { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# dst nexthdr != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000088  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 00000084  : 0 [end]	element 00000032  : 0 [end]	element 00000021  : 0 [end]	element 00000006  : 0 [end]	element 0000003a  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# dst nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000088  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 00000084  : 0 [end]	element 00000032  : 0 [end]	element 00000021  : 0 [end]	element 00000006  : 0 [end]	element 0000003a  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# dst nexthdr icmp
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# dst nexthdr != icmp
+ip6 test-ip6 input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# dst hdrlength 22
+ip6 test-ip6 input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# dst hdrlength != 233
+ip6 test-ip6 input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# dst hdrlength 33-45
+ip6 test-ip6 input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# dst hdrlength != 33-45
+ip6 test-ip6 input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# dst hdrlength { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# dst hdrlength != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
diff --git a/tests/py/ip6/dst.t.payload.ip6 b/tests/py/ip6/dst.t.payload.ip6
new file mode 100644
index 0000000..941140d
--- /dev/null
+++ b/tests/py/ip6/dst.t.payload.ip6
@@ -0,0 +1,99 @@
+# dst nexthdr 22
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# dst nexthdr != 233
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# dst nexthdr 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# dst nexthdr != 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# dst nexthdr { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# dst nexthdr != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000088  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 00000084  : 0 [end]	element 00000032  : 0 [end]	element 00000021  : 0 [end]	element 00000006  : 0 [end]	element 0000003a  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# dst nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000088  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 00000084  : 0 [end]	element 00000032  : 0 [end]	element 00000021  : 0 [end]	element 00000006  : 0 [end]	element 0000003a  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# dst nexthdr icmp
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# dst nexthdr != icmp
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# dst hdrlength 22
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# dst hdrlength != 233
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# dst hdrlength 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# dst hdrlength != 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# dst hdrlength { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# dst hdrlength != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
diff --git a/tests/py/ip6/dup.t b/tests/py/ip6/dup.t
new file mode 100644
index 0000000..72cc5d5
--- /dev/null
+++ b/tests/py/ip6/dup.t
@@ -0,0 +1,7 @@
+:input;type filter hook input priority 0
+
+*ip6;test-ip6;input
+
+dup to abcd::1;ok
+dup to abcd::1 device "lo";ok
+dup to ip6 saddr map { abcd::1 : cafe::cafe } device "lo";ok
diff --git a/tests/py/ip6/dup.t.json b/tests/py/ip6/dup.t.json
new file mode 100644
index 0000000..8a9493b
--- /dev/null
+++ b/tests/py/ip6/dup.t.json
@@ -0,0 +1,46 @@
+# dup to abcd::1
+[
+    {
+        "dup": {
+            "addr": "abcd::1"
+        }
+    }
+]
+
+# dup to abcd::1 device "lo"
+[
+    {
+        "dup": {
+            "addr": "abcd::1",
+            "dev": "lo"
+        }
+    }
+]
+
+# dup to ip6 saddr map { abcd::1 : cafe::cafe } device "lo"
+[
+    {
+        "dup": {
+            "addr": {
+                "map": {
+                    "key": {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip6"
+                        }
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                "abcd::1",
+                                "cafe::cafe"
+                            ]
+                        ]
+                    }
+                }
+            },
+            "dev": "lo"
+        }
+    }
+]
+
diff --git a/tests/py/ip6/dup.t.payload b/tests/py/ip6/dup.t.payload
new file mode 100644
index 0000000..c441d4b
--- /dev/null
+++ b/tests/py/ip6/dup.t.payload
@@ -0,0 +1,21 @@
+# dup to abcd::1
+ip6 test test 
+  [ immediate reg 1 0x0000cdab 0x00000000 0x00000000 0x01000000 ]
+  [ dup sreg_addr 1 ]
+
+# dup to abcd::1 device "lo"
+ip6 test test 
+  [ immediate reg 1 0x0000cdab 0x00000000 0x00000000 0x01000000 ]
+  [ immediate reg 2 0x00000001 ]
+  [ dup sreg_addr 1 sreg_dev 2 ]
+
+# dup to ip6 saddr map { abcd::1 : cafe::cafe } device "lo"
+__map%d test-ip6 b
+__map%d test-ip6 0
+        element 0000cdab 00000000 00000000 01000000  : 0000feca 00000000 00000000 feca0000 0 [end]
+ip6 test-ip6 input 
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ immediate reg 2 0x00000001 ]
+  [ dup sreg_addr 1 sreg_dev 2 ]
+
diff --git a/tests/py/ip6/ether.t b/tests/py/ip6/ether.t
new file mode 100644
index 0000000..49d7d06
--- /dev/null
+++ b/tests/py/ip6/ether.t
@@ -0,0 +1,8 @@
+:input;type filter hook input priority 0
+
+*ip6;test-ip6;input
+
+tcp dport 22 iiftype ether ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04 accept
+tcp dport 22 ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04;ok
+tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip6 daddr 1::2;ok
+ether saddr 00:0f:54:0c:11:04 ip6 daddr 1::2 accept;ok
diff --git a/tests/py/ip6/ether.t.json b/tests/py/ip6/ether.t.json
new file mode 100644
index 0000000..5e4b43b
--- /dev/null
+++ b/tests/py/ip6/ether.t.json
@@ -0,0 +1,163 @@
+# tcp dport 22 iiftype ether ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:4 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iiftype" }
+            },
+	    "op": "==",
+            "right": "ether"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1::2"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# tcp dport 22 ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1::2"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    }
+]
+
+# tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip6 daddr 1::2
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1::2"
+        }
+    }
+]
+
+# ether saddr 00:0f:54:0c:11:04 ip6 daddr 1::2 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1::2"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
diff --git a/tests/py/ip6/ether.t.json.output b/tests/py/ip6/ether.t.json.output
new file mode 100644
index 0000000..7ace627
--- /dev/null
+++ b/tests/py/ip6/ether.t.json.output
@@ -0,0 +1,43 @@
+# tcp dport 22 iiftype ether ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:4 accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1::2"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ether"
+                }
+            },
+	    "op": "==",
+            "right": "00:0f:54:0c:11:04"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
diff --git a/tests/py/ip6/ether.t.payload b/tests/py/ip6/ether.t.payload
new file mode 100644
index 0000000..592b4ea
--- /dev/null
+++ b/tests/py/ip6/ether.t.payload
@@ -0,0 +1,49 @@
+# tcp dport 22 iiftype ether ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:4 accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ cmp eq reg 1 0x00000100 0x00000000 0x00000000 0x02000000 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+  [ immediate reg 0 accept ]
+
+# tcp dport 22 ip6 daddr 1::2 ether saddr 00:0f:54:0c:11:04
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ cmp eq reg 1 0x00000100 0x00000000 0x00000000 0x02000000 ]
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+
+# tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip6 daddr 1::2
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ cmp eq reg 1 0x00000100 0x00000000 0x00000000 0x02000000 ]
+
+# ether saddr 00:0f:54:0c:11:04 ip6 daddr 1::2 accept
+ip6 test-ip6 input
+  [ meta load iiftype => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 6b @ link header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ cmp eq reg 1 0x00000100 0x00000000 0x00000000 0x02000000 ]
+  [ immediate reg 0 accept ]
diff --git a/tests/py/ip6/exthdr.t b/tests/py/ip6/exthdr.t
new file mode 100644
index 0000000..a6c2d2b
--- /dev/null
+++ b/tests/py/ip6/exthdr.t
@@ -0,0 +1,19 @@
+:input;type filter hook input priority 0
+
+*ip6;test-ip6;input
+
+exthdr hbh exists;ok
+exthdr rt exists;ok
+exthdr frag exists;ok
+exthdr dst exists;ok
+exthdr mh exists;ok
+
+exthdr hbh missing;ok
+
+exthdr hbh == exists;ok;exthdr hbh exists
+exthdr hbh == missing;ok;exthdr hbh missing
+exthdr hbh != exists;ok
+exthdr hbh != missing;ok
+
+exthdr hbh 1;ok;exthdr hbh exists
+exthdr hbh 0;ok;exthdr hbh missing
diff --git a/tests/py/ip6/exthdr.t.json b/tests/py/ip6/exthdr.t.json
new file mode 100644
index 0000000..4ca77d6
--- /dev/null
+++ b/tests/py/ip6/exthdr.t.json
@@ -0,0 +1,180 @@
+# exthdr hbh exists
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": true
+        }
+    }
+]
+
+# exthdr rt exists
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "name": "rt"
+                }
+            },
+	    "op": "==",
+            "right": true
+        }
+    }
+]
+
+# exthdr frag exists
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": true
+        }
+    }
+]
+
+# exthdr dst exists
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "name": "dst"
+                }
+            },
+	    "op": "==",
+            "right": true
+        }
+    }
+]
+
+# exthdr mh exists
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": true
+        }
+    }
+]
+
+# exthdr hbh missing
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": false
+        }
+    }
+]
+
+# exthdr hbh == exists
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": true
+        }
+    }
+]
+
+# exthdr hbh == missing
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": false
+        }
+    }
+]
+
+# exthdr hbh != exists
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "name": "hbh"
+                }
+            },
+            "op": "!=",
+            "right": true
+        }
+    }
+]
+
+# exthdr hbh != missing
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "name": "hbh"
+                }
+            },
+            "op": "!=",
+            "right": false
+        }
+    }
+]
+
+# exthdr hbh 1
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# exthdr hbh 0
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    }
+]
+
diff --git a/tests/py/ip6/exthdr.t.json.output b/tests/py/ip6/exthdr.t.json.output
new file mode 100644
index 0000000..c9f5b49
--- /dev/null
+++ b/tests/py/ip6/exthdr.t.json.output
@@ -0,0 +1,60 @@
+# exthdr hbh == exists
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": true
+        }
+    }
+]
+
+# exthdr hbh == missing
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": false
+        }
+    }
+]
+
+# exthdr hbh 1
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": true
+        }
+    }
+]
+
+# exthdr hbh 0
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": false
+        }
+    }
+]
+
diff --git a/tests/py/ip6/exthdr.t.payload.ip6 b/tests/py/ip6/exthdr.t.payload.ip6
new file mode 100644
index 0000000..be10d61
--- /dev/null
+++ b/tests/py/ip6/exthdr.t.payload.ip6
@@ -0,0 +1,60 @@
+# exthdr hbh exists
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 0 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# exthdr rt exists
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# exthdr frag exists
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 44 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# exthdr dst exists
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 60 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# exthdr mh exists
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# exthdr hbh missing
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 0 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# exthdr hbh == exists
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 0 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# exthdr hbh == missing
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 0 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# exthdr hbh != exists
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 0 + 0 present => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# exthdr hbh != missing
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 0 + 0 present => reg 1 ]
+  [ cmp neq reg 1 0x00000000 ]
+
+# exthdr hbh 1
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 0 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# exthdr hbh 0
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 0 + 0 present => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
diff --git a/tests/py/ip6/flowtable.t b/tests/py/ip6/flowtable.t
new file mode 100644
index 0000000..e58d51b
--- /dev/null
+++ b/tests/py/ip6/flowtable.t
@@ -0,0 +1,6 @@
+:input;type filter hook input priority 0
+
+*ip6;test-ip6;input
+
+meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter };ok;meter acct_out size 4096 { iif . ip6 saddr timeout 10m counter }
+meter acct_out size 12345 { ip6 saddr . meta iif timeout 600s counter };ok;meter acct_out size 12345 { ip6 saddr . iif timeout 10m counter }
diff --git a/tests/py/ip6/flowtable.t.json b/tests/py/ip6/flowtable.t.json
new file mode 100644
index 0000000..d0b3a95
--- /dev/null
+++ b/tests/py/ip6/flowtable.t.json
@@ -0,0 +1,62 @@
+# meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter }
+[
+    {
+        "meter": {
+            "key": {
+                "elem": {
+                    "timeout": 600,
+                    "val": {
+                        "concat": [
+                            {
+                                "meta": { "key": "iif" }
+                            },
+                            {
+                                "payload": {
+                                    "field": "saddr",
+                                    "protocol": "ip6"
+                                }
+                            }
+                        ]
+                    }
+                }
+            },
+            "name": "acct_out",
+            "size": 4096,
+            "stmt": {
+                "counter": null
+            }
+        }
+    }
+]
+
+# meter acct_out size 12345 { ip6 saddr . meta iif timeout 600s counter }
+[
+    {
+        "meter": {
+            "key": {
+                "elem": {
+                    "timeout": 600,
+                    "val": {
+                        "concat": [
+                            {
+                                "payload": {
+                                    "field": "saddr",
+                                    "protocol": "ip6"
+                                }
+                            },
+                            {
+                                "meta": { "key": "iif" }
+                            }
+                        ]
+                    }
+                }
+            },
+            "name": "acct_out",
+            "size": 12345,
+            "stmt": {
+                "counter": null
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip6/flowtable.t.json.output b/tests/py/ip6/flowtable.t.json.output
new file mode 100644
index 0000000..d0b3a95
--- /dev/null
+++ b/tests/py/ip6/flowtable.t.json.output
@@ -0,0 +1,62 @@
+# meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter }
+[
+    {
+        "meter": {
+            "key": {
+                "elem": {
+                    "timeout": 600,
+                    "val": {
+                        "concat": [
+                            {
+                                "meta": { "key": "iif" }
+                            },
+                            {
+                                "payload": {
+                                    "field": "saddr",
+                                    "protocol": "ip6"
+                                }
+                            }
+                        ]
+                    }
+                }
+            },
+            "name": "acct_out",
+            "size": 4096,
+            "stmt": {
+                "counter": null
+            }
+        }
+    }
+]
+
+# meter acct_out size 12345 { ip6 saddr . meta iif timeout 600s counter }
+[
+    {
+        "meter": {
+            "key": {
+                "elem": {
+                    "timeout": 600,
+                    "val": {
+                        "concat": [
+                            {
+                                "payload": {
+                                    "field": "saddr",
+                                    "protocol": "ip6"
+                                }
+                            },
+                            {
+                                "meta": { "key": "iif" }
+                            }
+                        ]
+                    }
+                }
+            },
+            "name": "acct_out",
+            "size": 12345,
+            "stmt": {
+                "counter": null
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip6/flowtable.t.payload b/tests/py/ip6/flowtable.t.payload
new file mode 100644
index 0000000..559475f
--- /dev/null
+++ b/tests/py/ip6/flowtable.t.payload
@@ -0,0 +1,16 @@
+# meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter }
+acct_out test-ip6 31
+acct_out test-ip6 0
+ip6 test-ip6 input
+  [ meta load iif => reg 1 ]
+  [ payload load 16b @ network header + 8 => reg 9 ]
+  [ dynset update reg_key 1 set acct_out timeout 600000ms expr [ counter pkts 0 bytes 0 ] ]
+
+# meter acct_out size 12345 { ip6 saddr . meta iif timeout 600s counter }
+acct_out test-ip6 31
+acct_out test-ip6 0
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ meta load iif => reg 2 ]
+  [ dynset update reg_key 1 set acct_out timeout 600000ms expr [ counter pkts 0 bytes 0 ] ]
+
diff --git a/tests/py/ip6/frag.t b/tests/py/ip6/frag.t
new file mode 100644
index 0000000..6bbd6ac
--- /dev/null
+++ b/tests/py/ip6/frag.t
@@ -0,0 +1,40 @@
+:output;type filter hook output priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip6;test-ip6;output
+*inet;test-inet;output
+*netdev;test-netdev;ingress,egress
+
+frag nexthdr tcp;ok;frag nexthdr 6
+frag nexthdr != icmp;ok;frag nexthdr != 1
+frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok;frag nexthdr { 51, 136, 132, 6, 108, 50, 17, 33}
+frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok;frag nexthdr != { 51, 136, 132, 6, 108, 50, 17, 33}
+frag nexthdr esp;ok;frag nexthdr 50
+frag nexthdr ah;ok;frag nexthdr 51
+
+frag reserved 22;ok
+frag reserved != 233;ok
+frag reserved 33-45;ok
+frag reserved != 33-45;ok
+frag reserved { 33, 55, 67, 88};ok
+frag reserved != { 33, 55, 67, 88};ok
+
+frag frag-off 22;ok
+frag frag-off != 233;ok
+frag frag-off 33-45;ok
+frag frag-off != 33-45;ok
+frag frag-off { 33, 55, 67, 88};ok
+frag frag-off != { 33, 55, 67, 88};ok
+
+frag reserved2 1;ok
+frag more-fragments 0;ok
+frag more-fragments 1;ok
+
+frag id 1;ok
+frag id 22;ok
+frag id != 33;ok
+frag id 33-45;ok
+frag id != 33-45;ok
+frag id { 33, 55, 67, 88};ok
+frag id != { 33, 55, 67, 88};ok
diff --git a/tests/py/ip6/frag.t.json b/tests/py/ip6/frag.t.json
new file mode 100644
index 0000000..b8c06df
--- /dev/null
+++ b/tests/py/ip6/frag.t.json
@@ -0,0 +1,644 @@
+# frag nexthdr tcp
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": "tcp"
+        }
+    }
+]
+
+# frag nexthdr != icmp
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "frag"
+                }
+            },
+            "op": "!=",
+            "right": "icmp"
+        }
+    }
+]
+
+# frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "esp",
+                    "ah",
+                    "comp",
+                    "udp",
+                    "udplite",
+                    "tcp",
+                    "dccp",
+                    "sctp"
+                ]
+            }
+        }
+    }
+]
+
+# frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "frag"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "esp",
+                    "ah",
+                    "comp",
+                    "udp",
+                    "udplite",
+                    "tcp",
+                    "dccp",
+                    "sctp"
+                ]
+            }
+        }
+    }
+]
+
+# frag nexthdr esp
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": "esp"
+        }
+    }
+]
+
+# frag nexthdr ah
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": "ah"
+        }
+    }
+]
+
+# frag reserved 22
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "reserved",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# frag reserved != 233
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "reserved",
+                    "name": "frag"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# frag reserved 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "reserved",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# frag reserved != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "reserved",
+                    "name": "frag"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# frag reserved { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "reserved",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# frag reserved != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "reserved",
+                    "name": "frag"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# frag reserved { 33-55}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "reserved",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    { "range": [ 33, 55 ] }
+                ]
+            }
+        }
+    }
+]
+
+# frag reserved != { 33-55}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "reserved",
+                    "name": "frag"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    { "range": [ 33, 55 ] }
+                ]
+            }
+        }
+    }
+]
+
+# frag frag-off 22
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "frag-off",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# frag frag-off != 233
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "frag-off",
+                    "name": "frag"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# frag frag-off 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "frag-off",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# frag frag-off != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "frag-off",
+                    "name": "frag"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# frag frag-off { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "frag-off",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# frag frag-off != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "frag-off",
+                    "name": "frag"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# frag frag-off { 33-55}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "frag-off",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    { "range": [ 33, 55 ] }
+                ]
+            }
+        }
+    }
+]
+
+# frag frag-off != { 33-55}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "frag-off",
+                    "name": "frag"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    { "range": [ 33, 55 ] }
+                ]
+            }
+        }
+    }
+]
+
+# frag reserved2 1
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "reserved2",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# frag more-fragments 0
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "more-fragments",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# frag more-fragments 1
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "more-fragments",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# frag id 1
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "id",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# frag id 22
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "id",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# frag id != 33
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "id",
+                    "name": "frag"
+                }
+            },
+            "op": "!=",
+            "right": 33
+        }
+    }
+]
+
+# frag id 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "id",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# frag id != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "id",
+                    "name": "frag"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# frag id { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "id",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# frag id != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "id",
+                    "name": "frag"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# frag id { 33-55}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "id",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    { "range": [ 33, 55 ] }
+                ]
+            }
+        }
+    }
+]
+
+# frag id != { 33-55}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "id",
+                    "name": "frag"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    { "range": [ 33, 55 ] }
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip6/frag.t.json.output b/tests/py/ip6/frag.t.json.output
new file mode 100644
index 0000000..68d382b
--- /dev/null
+++ b/tests/py/ip6/frag.t.json.output
@@ -0,0 +1,118 @@
+# frag nexthdr tcp
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": 6
+        }
+    }
+]
+
+# frag nexthdr != icmp
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "frag"
+                }
+            },
+            "op": "!=",
+            "right": 1
+        }
+    }
+]
+
+# frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    6,
+                    17,
+                    33,
+                    50,
+                    51,
+                    108,
+                    132,
+                    136
+                ]
+            }
+        }
+    }
+]
+
+# frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "frag"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    6,
+                    17,
+                    33,
+                    50,
+                    51,
+                    108,
+                    132,
+                    136
+                ]
+            }
+        }
+    }
+]
+
+# frag nexthdr esp
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": 50
+        }
+    }
+]
+
+# frag nexthdr ah
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "frag"
+                }
+            },
+	    "op": "==",
+            "right": 51
+        }
+    }
+]
+
diff --git a/tests/py/ip6/frag.t.payload.inet b/tests/py/ip6/frag.t.payload.inet
new file mode 100644
index 0000000..20334f4
--- /dev/null
+++ b/tests/py/ip6/frag.t.payload.inet
@@ -0,0 +1,232 @@
+# frag nexthdr tcp
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+
+# frag nexthdr != icmp
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# frag nexthdr esp
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+
+# frag nexthdr ah
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+
+# frag reserved 22
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# frag reserved != 233
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# frag reserved 33-45
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# frag reserved != 33-45
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# frag reserved { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# frag reserved != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# frag frag-off 22
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000b000 ]
+
+# frag frag-off != 233
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00004807 ]
+
+# frag frag-off 33-45
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ cmp gte reg 1 0x00000801 ]
+  [ cmp lte reg 1 0x00006801 ]
+
+# frag frag-off != 33-45
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ range neq reg 1 0x00000801 0x00006801 ]
+
+# frag frag-off { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000801  : 0 [end]	element 0000b801  : 0 [end]	element 00001802  : 0 [end]	element 0000c002  : 0 [end]
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+
+# frag frag-off != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000801  : 0 [end]	element 0000b801  : 0 [end]	element 00001802  : 0 [end]	element 0000c002  : 0 [end]
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# frag id 1
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# frag id 22
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ cmp eq reg 1 0x16000000 ]
+
+# frag id != 33
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ cmp neq reg 1 0x21000000 ]
+
+# frag id 33-45
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ cmp gte reg 1 0x21000000 ]
+  [ cmp lte reg 1 0x2d000000 ]
+
+# frag id != 33-45
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ range neq reg 1 0x21000000 0x2d000000 ]
+
+# frag id { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# frag id != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# frag reserved2 1
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000002 ]
+
+# frag more-fragments 0
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# frag more-fragments 1
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000001 ]
+
diff --git a/tests/py/ip6/frag.t.payload.ip6 b/tests/py/ip6/frag.t.payload.ip6
new file mode 100644
index 0000000..7c3e7a4
--- /dev/null
+++ b/tests/py/ip6/frag.t.payload.ip6
@@ -0,0 +1,176 @@
+# frag nexthdr tcp
+ip6 test-ip6 output
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+
+# frag nexthdr != icmp
+ip6 test-ip6 output
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+ip6 test-ip6 output
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+ip6 test-ip6 output
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# frag nexthdr esp
+ip6 test-ip6 output
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+
+# frag nexthdr ah
+ip6 test-ip6 output
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+
+# frag reserved 22
+ip6 test-ip6 output
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# frag reserved != 233
+ip6 test-ip6 output
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# frag reserved 33-45
+ip6 test-ip6 output
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# frag reserved != 33-45
+ip6 test-ip6 output
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# frag reserved { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 output
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# frag reserved != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 output
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# frag frag-off 22
+ip6 test-ip6 output
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000b000 ]
+
+# frag frag-off != 233
+ip6 test-ip6 output
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00004807 ]
+
+# frag frag-off 33-45
+ip6 test-ip6 output
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ cmp gte reg 1 0x00000801 ]
+  [ cmp lte reg 1 0x00006801 ]
+
+# frag frag-off != 33-45
+ip6 test-ip6 output
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ range neq reg 1 0x00000801 0x00006801 ]
+
+# frag frag-off { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000801  : 0 [end]	element 0000b801  : 0 [end]	element 00001802  : 0 [end]	element 0000c002  : 0 [end]
+ip6 test-ip6 output
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+
+# frag frag-off != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000801  : 0 [end]	element 0000b801  : 0 [end]	element 00001802  : 0 [end]	element 0000c002  : 0 [end]
+ip6 test-ip6 output
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# frag id 1
+ip6 test-ip6 output
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# frag id 22
+ip6 test-ip6 output
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ cmp eq reg 1 0x16000000 ]
+
+# frag id != 33
+ip6 test-ip6 output
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ cmp neq reg 1 0x21000000 ]
+
+# frag id 33-45
+ip6 test-ip6 output
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ cmp gte reg 1 0x21000000 ]
+  [ cmp lte reg 1 0x2d000000 ]
+
+# frag id != 33-45
+ip6 test-ip6 output
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ range neq reg 1 0x21000000 0x2d000000 ]
+
+# frag id { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+ip6 test-ip6 output
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# frag id != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+ip6 test-ip6 output
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# frag reserved2 1
+ip6 test-ip6 output
+  [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000002 ]
+
+# frag more-fragments 0
+ip6 test-ip6 output
+  [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# frag more-fragments 1
+ip6 test-ip6 output
+  [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000001 ]
+
diff --git a/tests/py/ip6/frag.t.payload.ip6.got b/tests/py/ip6/frag.t.payload.ip6.got
new file mode 100644
index 0000000..db439da
--- /dev/null
+++ b/tests/py/ip6/frag.t.payload.ip6.got
@@ -0,0 +1,43 @@
+# frag frag-off 0x16
+ip6 test-ip6 output
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000b000 ]
+
+# frag frag-off != 0xe9
+ip6 test-ip6 output
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00004807 ]
+
+# frag frag-off 0x21-0x2d
+ip6 test-ip6 output
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ cmp gte reg 1 0x00000801 ]
+  [ cmp lte reg 1 0x00006801 ]
+
+# frag frag-off != 0x21-0x2d
+ip6 test-ip6 output
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ range neq reg 1 0x00000801 0x00006801 ]
+
+# frag frag-off { 0x21, 0x37, 0x43, 0x58}
+__set%d test-ip6 3 size 4
+__set%d test-ip6 0
+	element 00000801  : 0 [end]	element 0000b801  : 0 [end]	element 00001802  : 0 [end]	element 0000c002  : 0 [end]
+ip6 test-ip6 output
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+
+# frag frag-off != { 0x21, 0x37, 0x43, 0x58}
+__set%d test-ip6 3 size 4
+__set%d test-ip6 0
+	element 00000801  : 0 [end]	element 0000b801  : 0 [end]	element 00001802  : 0 [end]	element 0000c002  : 0 [end]
+ip6 test-ip6 output
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/ip6/frag.t.payload.netdev b/tests/py/ip6/frag.t.payload.netdev
new file mode 100644
index 0000000..0562075
--- /dev/null
+++ b/tests/py/ip6/frag.t.payload.netdev
@@ -0,0 +1,232 @@
+# frag nexthdr tcp
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+
+# frag nexthdr != icmp
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp}
+__set%d test-netdev 3 size 8
+__set%d test-netdev 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp}
+__set%d test-netdev 3 size 8
+__set%d test-netdev 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# frag nexthdr esp
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+
+# frag nexthdr ah
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+
+# frag reserved 22
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# frag reserved != 233
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# frag reserved 33-45
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# frag reserved != 33-45
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# frag reserved { 33, 55, 67, 88}
+__set%d test-netdev 3 size 4
+__set%d test-netdev 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# frag reserved != { 33, 55, 67, 88}
+__set%d test-netdev 3 size 4
+__set%d test-netdev 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# frag frag-off 22
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000b000 ]
+
+# frag frag-off != 233
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00004807 ]
+
+# frag frag-off 33-45
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ cmp gte reg 1 0x00000801 ]
+  [ cmp lte reg 1 0x00006801 ]
+
+# frag frag-off != 33-45
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ range neq reg 1 0x00000801 0x00006801 ]
+
+# frag frag-off { 33, 55, 67, 88}
+__set%d test-netdev 3 size 4
+__set%d test-netdev 0
+	element 00000801  : 0 [end]	element 0000b801  : 0 [end]	element 00001802  : 0 [end]	element 0000c002  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+
+# frag frag-off != { 33, 55, 67, 88}
+__set%d test-netdev 3 size 4
+__set%d test-netdev 0
+	element 00000801  : 0 [end]	element 0000b801  : 0 [end]	element 00001802  : 0 [end]	element 0000c002  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# frag reserved2 1
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000002 ]
+
+# frag more-fragments 0
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# frag more-fragments 1
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# frag id 1
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# frag id 22
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ cmp eq reg 1 0x16000000 ]
+
+# frag id != 33
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ cmp neq reg 1 0x21000000 ]
+
+# frag id 33-45
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ cmp gte reg 1 0x21000000 ]
+  [ cmp lte reg 1 0x2d000000 ]
+
+# frag id != 33-45
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ range neq reg 1 0x21000000 0x2d000000 ]
+
+# frag id { 33, 55, 67, 88}
+__set%d test-netdev 3 size 4
+__set%d test-netdev 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# frag id != { 33, 55, 67, 88}
+__set%d test-netdev 3 size 4
+__set%d test-netdev 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/ip6/frag.t.payload.netdev.got b/tests/py/ip6/frag.t.payload.netdev.got
new file mode 100644
index 0000000..0562075
--- /dev/null
+++ b/tests/py/ip6/frag.t.payload.netdev.got
@@ -0,0 +1,232 @@
+# frag nexthdr tcp
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+
+# frag nexthdr != icmp
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp}
+__set%d test-netdev 3 size 8
+__set%d test-netdev 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp}
+__set%d test-netdev 3 size 8
+__set%d test-netdev 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# frag nexthdr esp
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+
+# frag nexthdr ah
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+
+# frag reserved 22
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# frag reserved != 233
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# frag reserved 33-45
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# frag reserved != 33-45
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# frag reserved { 33, 55, 67, 88}
+__set%d test-netdev 3 size 4
+__set%d test-netdev 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# frag reserved != { 33, 55, 67, 88}
+__set%d test-netdev 3 size 4
+__set%d test-netdev 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# frag frag-off 22
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000b000 ]
+
+# frag frag-off != 233
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00004807 ]
+
+# frag frag-off 33-45
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ cmp gte reg 1 0x00000801 ]
+  [ cmp lte reg 1 0x00006801 ]
+
+# frag frag-off != 33-45
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ range neq reg 1 0x00000801 0x00006801 ]
+
+# frag frag-off { 33, 55, 67, 88}
+__set%d test-netdev 3 size 4
+__set%d test-netdev 0
+	element 00000801  : 0 [end]	element 0000b801  : 0 [end]	element 00001802  : 0 [end]	element 0000c002  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+
+# frag frag-off != { 33, 55, 67, 88}
+__set%d test-netdev 3 size 4
+__set%d test-netdev 0
+	element 00000801  : 0 [end]	element 0000b801  : 0 [end]	element 00001802  : 0 [end]	element 0000c002  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# frag reserved2 1
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000006 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000002 ]
+
+# frag more-fragments 0
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# frag more-fragments 1
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 1b @ 44 + 3 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000001 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# frag id 1
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ cmp eq reg 1 0x01000000 ]
+
+# frag id 22
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ cmp eq reg 1 0x16000000 ]
+
+# frag id != 33
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ cmp neq reg 1 0x21000000 ]
+
+# frag id 33-45
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ cmp gte reg 1 0x21000000 ]
+  [ cmp lte reg 1 0x2d000000 ]
+
+# frag id != 33-45
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ range neq reg 1 0x21000000 0x2d000000 ]
+
+# frag id { 33, 55, 67, 88}
+__set%d test-netdev 3 size 4
+__set%d test-netdev 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# frag id != { 33, 55, 67, 88}
+__set%d test-netdev 3 size 4
+__set%d test-netdev 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/ip6/hbh.t b/tests/py/ip6/hbh.t
new file mode 100644
index 0000000..fce5fea
--- /dev/null
+++ b/tests/py/ip6/hbh.t
@@ -0,0 +1,22 @@
+:filter-input;type filter hook input priority 0
+
+*ip6;test-ip6;filter-input
+*inet;test-inet;filter-input
+
+hbh hdrlength 22;ok
+hbh hdrlength != 233;ok
+hbh hdrlength 33-45;ok
+hbh hdrlength != 33-45;ok
+hbh hdrlength {33, 55, 67, 88};ok
+hbh hdrlength != {33, 55, 67, 88};ok
+
+hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;hbh nexthdr { 58, 136, 51, 50, 6, 17, 132, 33, 108}
+hbh nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;hbh nexthdr != { 58, 136, 51, 50, 6, 17, 132, 33, 108}
+hbh nexthdr 22;ok
+hbh nexthdr != 233;ok
+hbh nexthdr 33-45;ok
+hbh nexthdr != 33-45;ok
+hbh nexthdr {33, 55, 67, 88};ok
+hbh nexthdr != {33, 55, 67, 88};ok
+hbh nexthdr ip;ok;hbh nexthdr 0
+hbh nexthdr != ip;ok;hbh nexthdr != 0
diff --git a/tests/py/ip6/hbh.t.json b/tests/py/ip6/hbh.t.json
new file mode 100644
index 0000000..68670a3
--- /dev/null
+++ b/tests/py/ip6/hbh.t.json
@@ -0,0 +1,316 @@
+# hbh hdrlength 22
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# hbh hdrlength != 233
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "hbh"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# hbh hdrlength 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# hbh hdrlength != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "hbh"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# hbh hdrlength {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# hbh hdrlength != {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "hbh"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "esp",
+                    "ah",
+                    "comp",
+                    "udp",
+                    "udplite",
+                    "tcp",
+                    "dccp",
+                    "sctp",
+                    "icmpv6"
+                ]
+            }
+        }
+    }
+]
+
+# hbh nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "hbh"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "esp",
+                    "ah",
+                    "comp",
+                    "udp",
+                    "udplite",
+                    "tcp",
+                    "dccp",
+                    "sctp",
+                    "icmpv6"
+                ]
+            }
+        }
+    }
+]
+
+# hbh nexthdr 22
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# hbh nexthdr != 233
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "hbh"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# hbh nexthdr 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# hbh nexthdr != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "hbh"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# hbh nexthdr {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# hbh nexthdr != {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "hbh"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# hbh nexthdr ip
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": "ip"
+        }
+    }
+]
+
+# hbh nexthdr != ip
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "hbh"
+                }
+            },
+            "op": "!=",
+            "right": "ip"
+        }
+    }
+]
+
diff --git a/tests/py/ip6/hbh.t.json.output b/tests/py/ip6/hbh.t.json.output
new file mode 100644
index 0000000..190f0fc
--- /dev/null
+++ b/tests/py/ip6/hbh.t.json.output
@@ -0,0 +1,68 @@
+# hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [ 6, 17, 33, 50, 51, 58, 108, 132, 136 ]
+            }
+        }
+    }
+]
+
+# hbh nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "hbh"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [ 6, 17, 33, 50, 51, 58, 108, 132, 136 ]
+            }
+        }
+    }
+]
+
+# hbh nexthdr ip
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "hbh"
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# hbh nexthdr != ip
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "hbh"
+                }
+            },
+            "op": "!=",
+            "right": 0
+        }
+    }
+]
+
diff --git a/tests/py/ip6/hbh.t.payload.inet b/tests/py/ip6/hbh.t.payload.inet
new file mode 100644
index 0000000..63afd83
--- /dev/null
+++ b/tests/py/ip6/hbh.t.payload.inet
@@ -0,0 +1,132 @@
+# hbh hdrlength 22
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# hbh hdrlength != 233
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# hbh hdrlength 33-45
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# hbh hdrlength != 33-45
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# hbh hdrlength {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# hbh hdrlength != {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]	element 0000003a  : 0 [end]
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# hbh nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]	element 0000003a  : 0 [end]
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# hbh nexthdr 22
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# hbh nexthdr != 233
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# hbh nexthdr 33-45
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# hbh nexthdr != 33-45
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# hbh nexthdr {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# hbh nexthdr != {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# hbh nexthdr ip
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# hbh nexthdr != ip
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000000 ]
+
diff --git a/tests/py/ip6/hbh.t.payload.ip6 b/tests/py/ip6/hbh.t.payload.ip6
new file mode 100644
index 0000000..913505a
--- /dev/null
+++ b/tests/py/ip6/hbh.t.payload.ip6
@@ -0,0 +1,100 @@
+# hbh hdrlength 22
+ip6 test-ip6 filter-input
+  [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# hbh hdrlength != 233
+ip6 test-ip6 filter-input
+  [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# hbh hdrlength 33-45
+ip6 test-ip6 filter-input
+  [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# hbh hdrlength != 33-45
+ip6 test-ip6 filter-input
+  [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# hbh hdrlength {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 filter-input
+  [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# hbh hdrlength != {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 filter-input
+  [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]	element 0000003a  : 0 [end]
+ip6 test-ip6 filter-input
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# hbh nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]	element 0000003a  : 0 [end]
+ip6 test-ip6 filter-input
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# hbh nexthdr 22
+ip6 test-ip6 filter-input
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# hbh nexthdr != 233
+ip6 test-ip6 filter-input
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# hbh nexthdr 33-45
+ip6 test-ip6 filter-input
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# hbh nexthdr != 33-45
+ip6 test-ip6 filter-input
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# hbh nexthdr {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 filter-input
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# hbh nexthdr != {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 filter-input
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# hbh nexthdr ip
+ip6 test-ip6 filter-input
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# hbh nexthdr != ip
+ip6 test-ip6 filter-input
+  [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000000 ]
+
diff --git a/tests/py/ip6/icmpv6.t b/tests/py/ip6/icmpv6.t
new file mode 100644
index 0000000..35dad2b
--- /dev/null
+++ b/tests/py/ip6/icmpv6.t
@@ -0,0 +1,99 @@
+:input;type filter hook input priority 0
+
+*ip6;test-ip6;input
+# BUG: There is a bug with icmpv6 and inet tables
+# *inet;test-inet;input
+
+icmpv6 type destination-unreachable accept;ok
+icmpv6 type packet-too-big accept;ok
+icmpv6 type time-exceeded accept;ok
+icmpv6 type echo-request accept;ok
+icmpv6 type echo-reply accept;ok
+icmpv6 type mld-listener-query accept;ok
+icmpv6 type mld-listener-report accept;ok
+icmpv6 type mld-listener-done accept;ok
+icmpv6 type mld-listener-reduction accept;ok;icmpv6 type mld-listener-done accept
+icmpv6 type nd-router-solicit accept;ok
+icmpv6 type nd-router-advert accept;ok
+icmpv6 type nd-neighbor-solicit accept;ok
+icmpv6 type nd-neighbor-advert accept;ok
+icmpv6 type nd-redirect accept;ok
+icmpv6 type parameter-problem accept;ok
+icmpv6 type router-renumbering accept;ok
+icmpv6 type ind-neighbor-solicit accept;ok
+icmpv6 type ind-neighbor-advert accept;ok
+icmpv6 type mld2-listener-report accept;ok
+icmpv6 type {destination-unreachable, time-exceeded, nd-router-solicit} accept;ok
+icmpv6 type {router-renumbering, mld-listener-done, time-exceeded, nd-router-solicit} accept;ok
+icmpv6 type {mld-listener-query, time-exceeded, nd-router-advert} accept;ok
+icmpv6 type != {mld-listener-query, time-exceeded, nd-router-advert} accept;ok
+
+icmpv6 code 4;ok;icmpv6 code port-unreachable
+icmpv6 code 3-66;ok
+icmpv6 code {5, 6, 7} accept;ok;icmpv6 code {policy-fail, reject-route, 7} accept
+icmpv6 code != {policy-fail, reject-route, 7} accept;ok
+
+icmpv6 checksum 2222 log;ok
+icmpv6 checksum != 2222 log;ok
+icmpv6 checksum 222-226;ok
+icmpv6 checksum != 222-226;ok
+icmpv6 checksum { 222, 226};ok
+icmpv6 checksum != { 222, 226};ok
+
+# BUG: icmpv6 parameter-problem, pptr
+# [ICMP6HDR_PPTR]         = ICMP6HDR_FIELD("parameter-problem", icmp6_pptr),
+# $ sudo nft add rule ip6 test6 input icmpv6 parameter-problem 35
+# <cmdline>:1:53-53: Error: syntax error, unexpected end of file
+# add rule ip6 test6 input icmpv6 parameter-problem 35
+#                                                    ^
+# $ sudo nft add rule ip6 test6 input icmpv6 parameter-problem
+# <cmdline>:1:26-31: Error: Value 58 exceeds valid range 0-0
+# add rule ip6 test6 input icmpv6 parameter-problem
+#                         ^^^^^^
+# $ sudo nft add rule ip6 test6 input icmpv6 parameter-problem 2-4
+# <cmdline>:1:54-54: Error: syntax error, unexpected end of file
+# add rule ip6 test6 input icmpv6 parameter-problem 2-4
+
+icmpv6 mtu 22;ok
+icmpv6 mtu != 233;ok
+icmpv6 mtu 33-45;ok
+icmpv6 mtu != 33-45;ok
+icmpv6 mtu {33, 55, 67, 88};ok
+icmpv6 mtu != {33, 55, 67, 88};ok
+icmpv6 type packet-too-big icmpv6 mtu 1280;ok;icmpv6 mtu 1280
+
+icmpv6 id 33-45;ok;icmpv6 type { echo-request, echo-reply} icmpv6 id 33-45
+icmpv6 id != 33-45;ok;icmpv6 type { echo-request, echo-reply} icmpv6 id != 33-45
+icmpv6 id {33, 55, 67, 88};ok;icmpv6 type { echo-request, echo-reply} icmpv6 id { 33, 55, 67, 88}
+icmpv6 id != {33, 55, 67, 88};ok;icmpv6 type { echo-request, echo-reply} icmpv6 id != { 33, 55, 67, 88}
+
+icmpv6 id 1;ok;icmpv6 type { echo-request, echo-reply} icmpv6 id 1
+icmpv6 type echo-reply icmpv6 id 65534;ok
+
+icmpv6 sequence 2;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence 2
+icmpv6 sequence {3, 4, 5, 6, 7} accept;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence { 3, 4, 5, 6, 7} accept
+
+
+icmpv6 sequence {2, 4};ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence { 2, 4}
+icmpv6 sequence != {2, 4};ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence != { 2, 4}
+icmpv6 sequence 2-4;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence 2-4
+icmpv6 sequence != 2-4;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence != 2-4
+
+icmpv6 max-delay 33-45;ok
+icmpv6 max-delay != 33-45;ok
+icmpv6 max-delay {33, 55, 67, 88};ok
+icmpv6 max-delay != {33, 55, 67, 88};ok
+
+icmpv6 type parameter-problem icmpv6 code no-route;ok
+
+icmpv6 type mld-listener-query icmpv6 taddr 2001:db8::133;ok
+icmpv6 type nd-neighbor-solicit icmpv6 taddr 2001:db8::133;ok
+icmpv6 type nd-neighbor-advert icmpv6 taddr 2001:db8::133;ok
+icmpv6 taddr 2001:db8::133;ok;icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133
+
+icmpv6 taddr 2001:db8::133;ok;icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133
+
+icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133;ok
+icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } icmpv6 taddr 2001:db8::133;ok
+icmpv6 daddr 2001:db8::133;ok
+icmpv6 type nd-redirect icmpv6 daddr 2001:db8::133;ok;icmpv6 daddr 2001:db8::133
diff --git a/tests/py/ip6/icmpv6.t.json b/tests/py/ip6/icmpv6.t.json
new file mode 100644
index 0000000..224a8e8
--- /dev/null
+++ b/tests/py/ip6/icmpv6.t.json
@@ -0,0 +1,1425 @@
+# icmpv6 type destination-unreachable accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "destination-unreachable"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type packet-too-big accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "packet-too-big"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type time-exceeded accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "time-exceeded"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type echo-request accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type echo-reply accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "echo-reply"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type mld-listener-query accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "mld-listener-query"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type mld-listener-report accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "mld-listener-report"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type mld-listener-done accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "mld-listener-done"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type mld-listener-reduction accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "mld-listener-reduction"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type nd-router-solicit accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "nd-router-solicit"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type nd-router-advert accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "nd-router-advert"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type nd-neighbor-solicit accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "nd-neighbor-solicit"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type nd-neighbor-advert accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "nd-neighbor-advert"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type nd-redirect accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "nd-redirect"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type parameter-problem accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "parameter-problem"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type router-renumbering accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "router-renumbering"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type ind-neighbor-solicit accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "ind-neighbor-solicit"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type ind-neighbor-advert accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "ind-neighbor-advert"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type mld2-listener-report accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "mld2-listener-report"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type {destination-unreachable, time-exceeded, nd-router-solicit} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "destination-unreachable",
+                    "time-exceeded",
+                    "nd-router-solicit"
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type {router-renumbering, mld-listener-done, time-exceeded, nd-router-solicit} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "router-renumbering",
+                    "mld-listener-done",
+                    "time-exceeded",
+                    "nd-router-solicit"
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type {mld-listener-query, time-exceeded, nd-router-advert} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "mld-listener-query",
+                    "time-exceeded",
+                    "nd-router-advert"
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type != {mld-listener-query, time-exceeded, nd-router-advert} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "mld-listener-query",
+                    "time-exceeded",
+                    "nd-router-advert"
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 code 4
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "code",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": 4
+        }
+    }
+]
+
+# icmpv6 code 3-66
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "code",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 3, 66 ]
+            }
+        }
+    }
+]
+
+# icmpv6 code {5, 6, 7} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "code",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    5,
+                    6,
+                    7
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 code != {policy-fail, reject-route, 7} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "code",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "policy-fail",
+                    "reject-route",
+                    7
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 checksum 2222 log
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": 2222
+        }
+    },
+    {
+        "log": null
+    }
+]
+
+# icmpv6 checksum != 2222 log
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": 2222
+        }
+    },
+    {
+        "log": null
+    }
+]
+
+# icmpv6 checksum 222-226
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 222, 226 ]
+            }
+        }
+    }
+]
+
+# icmpv6 checksum != 222-226
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "!=",
+            "right": {
+                "range": [ 222, 226 ]
+            }
+        }
+    }
+]
+
+# icmpv6 checksum { 222, 226}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    222,
+                    226
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 checksum != { 222, 226}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "checksum",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    222,
+                    226
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 mtu 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "mtu",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# icmpv6 mtu != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "mtu",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# icmpv6 mtu 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "mtu",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# icmpv6 mtu != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "mtu",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# icmpv6 mtu {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "mtu",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 mtu != {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "mtu",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 id 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# icmpv6 id != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# icmpv6 id {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 id != {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 id 1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-request",
+                    "echo-reply"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# icmpv6 type echo-reply icmpv6 id 65534
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": "echo-reply"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": 65534
+        }
+    }
+]
+
+# icmpv6 sequence 2
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": 2
+        }
+    }
+]
+
+# icmpv6 sequence {3, 4, 5, 6, 7} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    3,
+                    4,
+                    5,
+                    6,
+                    7
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 sequence {2, 4}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    2,
+                    4
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 sequence != {2, 4}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    2,
+                    4
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 sequence 2-4
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 2, 4 ]
+            }
+        }
+    }
+]
+
+# icmpv6 sequence != 2-4
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 2, 4 ]
+            }
+        }
+    }
+]
+
+# icmpv6 max-delay 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "max-delay",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# icmpv6 max-delay != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "max-delay",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# icmpv6 max-delay {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "max-delay",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 max-delay != {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "max-delay",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 type packet-too-big icmpv6 mtu 1280
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "mtu",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": 1280
+        }
+    }
+]
+
+# icmpv6 type parameter-problem icmpv6 code no-route
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": "parameter-problem"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "code",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": "no-route"
+        }
+    }
+]
+
+# icmpv6 type mld-listener-query icmpv6 taddr 2001:db8::133
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": "mld-listener-query"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "taddr",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": "2001:db8::133"
+        }
+    }
+]
+
+# icmpv6 type nd-neighbor-solicit icmpv6 taddr 2001:db8::133
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": "nd-neighbor-solicit"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "taddr",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": "2001:db8::133"
+        }
+    }
+]
+
+# icmpv6 type nd-neighbor-advert icmpv6 taddr 2001:db8::133
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": "nd-neighbor-advert"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "taddr",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": "2001:db8::133"
+        }
+    }
+]
+
+# icmpv6 taddr 2001:db8::133
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "mld-listener-query",
+                    "mld-listener-report",
+                    "mld-listener-done",
+                    "nd-neighbor-solicit",
+                    "nd-neighbor-advert",
+                    "nd-redirect"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "taddr",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": "2001:db8::133"
+        }
+    }
+]
+
+# icmpv6 taddr 2001:db8::133
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "mld-listener-query",
+                    "mld-listener-report",
+                    "mld-listener-done",
+                    "nd-neighbor-solicit",
+                    "nd-neighbor-advert",
+                    "nd-redirect"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "taddr",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": "2001:db8::133"
+        }
+    }
+]
+
+# icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "mld-listener-query",
+                    "mld-listener-report",
+                    "mld-listener-done",
+                    "nd-neighbor-solicit",
+                    "nd-neighbor-advert",
+                    "nd-redirect"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "taddr",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": "2001:db8::133"
+        }
+    }
+]
+
+# icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } icmpv6 taddr 2001:db8::133
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "nd-neighbor-solicit",
+                    "nd-neighbor-advert"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "taddr",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": "2001:db8::133"
+        }
+    }
+]
+
+# icmpv6 daddr 2001:db8::133
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": "2001:db8::133"
+        }
+    }
+]
+
+# icmpv6 type nd-redirect icmpv6 daddr 2001:db8::133
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": "2001:db8::133"
+        }
+    }
+]
diff --git a/tests/py/ip6/icmpv6.t.json.output b/tests/py/ip6/icmpv6.t.json.output
new file mode 100644
index 0000000..7b8f5c1
--- /dev/null
+++ b/tests/py/ip6/icmpv6.t.json.output
@@ -0,0 +1,760 @@
+# icmpv6 type mld-listener-reduction accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": "mld-listener-done"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type {router-renumbering, mld-listener-done, time-exceeded, nd-router-solicit} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "time-exceeded",
+                    "mld-listener-done",
+                    "nd-router-solicit",
+                    "router-renumbering"
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type {mld-listener-query, time-exceeded, nd-router-advert} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "time-exceeded",
+                    "mld-listener-query",
+                    "nd-router-advert"
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 type != {mld-listener-query, time-exceeded, nd-router-advert} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "time-exceeded",
+                    "mld-listener-query",
+                    "nd-router-advert"
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 code 4
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "code",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": "port-unreachable"
+        }
+    }
+]
+
+# icmpv6 code 3-66
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "code",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [
+                    "addr-unreachable",
+                    66
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 code {5, 6, 7} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "code",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "policy-fail",
+                    "reject-route",
+                    7
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 code { 3-66}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "code",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "range": [
+                            "addr-unreachable",
+                            66
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 code != { 3-66}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "code",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    {
+                        "range": [
+                            "addr-unreachable",
+                            66
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 id 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-request",
+                    "echo-reply"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [
+                    33,
+                    45
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 id != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-request",
+                    "echo-reply"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [
+                    33,
+                    45
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 id {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-request",
+                    "echo-reply"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 id != {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-request",
+                    "echo-reply"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 id {33-55}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-request",
+                    "echo-reply"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "range": [
+                            33,
+                            55
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 id != {33-55}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-request",
+                    "echo-reply"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "id",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    {
+                        "range": [
+                            33,
+                            55
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 sequence 2
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-request",
+                    "echo-reply"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": 2
+        }
+    }
+]
+
+# icmpv6 sequence {3, 4, 5, 6, 7} accept
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-request",
+                    "echo-reply"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    3,
+                    4,
+                    5,
+                    6,
+                    7
+                ]
+            }
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# icmpv6 sequence {2, 4}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-request",
+                    "echo-reply"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    2,
+                    4
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 sequence != {2, 4}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-request",
+                    "echo-reply"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    2,
+                    4
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 sequence 2-4
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-request",
+                    "echo-reply"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [
+                    2,
+                    4
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 sequence != 2-4
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-request",
+                    "echo-reply"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [
+                    2,
+                    4
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 sequence { 2-4}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-request",
+                    "echo-reply"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    {
+                        "range": [
+                            2,
+                            4
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
+# icmpv6 sequence != { 2-4}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "==",
+            "right": {
+                "set": [
+                    "echo-request",
+                    "echo-reply"
+                ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "sequence",
+                    "protocol": "icmpv6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    {
+                        "range": [
+                            2,
+                            4
+                        ]
+                    }
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip6/icmpv6.t.payload.ip6 b/tests/py/ip6/icmpv6.t.payload.ip6
new file mode 100644
index 0000000..fcaf481
--- /dev/null
+++ b/tests/py/ip6/icmpv6.t.payload.ip6
@@ -0,0 +1,643 @@
+# icmpv6 type destination-unreachable accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type packet-too-big accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type time-exceeded accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000003 ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type echo-request accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000080 ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type echo-reply accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type mld-listener-query accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000082 ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type mld-listener-report accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000083 ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type mld-listener-done accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type mld-listener-reduction accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type nd-router-solicit accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000085 ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type nd-router-advert accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000086 ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type nd-neighbor-solicit accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000087 ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type nd-neighbor-advert accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type nd-redirect accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000089 ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type parameter-problem accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000004 ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type router-renumbering accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x0000008a ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type ind-neighbor-solicit accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x0000008d ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type ind-neighbor-advert accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x0000008e ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type mld2-listener-report accept
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x0000008f ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type {destination-unreachable, time-exceeded, nd-router-solicit} accept
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000001  : 0 [end]	element 00000003  : 0 [end]	element 00000085  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type {router-renumbering, mld-listener-done, time-exceeded, nd-router-solicit} accept
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 0000008a  : 0 [end]	element 00000084  : 0 [end]	element 00000003  : 0 [end]	element 00000085  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type {mld-listener-query, time-exceeded, nd-router-advert} accept
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000082  : 0 [end]	element 00000003  : 0 [end]	element 00000086  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 type != {mld-listener-query, time-exceeded, nd-router-advert} accept
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000082  : 0 [end]	element 00000003  : 0 [end]	element 00000086  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 code 4
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000004 ]
+
+# icmpv6 code 3-66
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ cmp gte reg 1 0x00000003 ]
+  [ cmp lte reg 1 0x00000042 ]
+
+# icmpv6 code {5, 6, 7} accept
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000005  : 0 [end]	element 00000006  : 0 [end]	element 00000007  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 code != {policy-fail, reject-route, 7} accept
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000005  : 0 [end]	element 00000006  : 0 [end]	element 00000007  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 checksum 2222 log
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000ae08 ]
+  [ log ]
+
+# icmpv6 checksum != 2222 log
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp neq reg 1 0x0000ae08 ]
+  [ log ]
+
+# icmpv6 checksum 222-226
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x0000de00 ]
+  [ cmp lte reg 1 0x0000e200 ]
+
+# icmpv6 checksum != 222-226
+ip6
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ range neq reg 1 0x0000de00 0x0000e200 ]
+
+# icmpv6 checksum { 222, 226}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 0000de00  : 0 [end]	element 0000e200  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# icmpv6 checksum != { 222, 226}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 0000de00  : 0 [end]	element 0000e200  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# icmpv6 mtu 22
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x16000000 ]
+
+# icmpv6 mtu != 233
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp neq reg 1 0xe9000000 ]
+
+# icmpv6 mtu 33-45
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x21000000 ]
+  [ cmp lte reg 1 0x2d000000 ]
+
+# icmpv6 mtu != 33-45
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ range neq reg 1 0x21000000 0x2d000000 ]
+
+# icmpv6 mtu {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# icmpv6 mtu != {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# icmpv6 type packet-too-big icmpv6 mtu 1280
+ip6 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00050000 ]
+
+# icmpv6 id 33-45
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000080  : 0 [end]	element 00000081  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# icmpv6 id != 33-45
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000080  : 0 [end]	element 00000081  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# icmpv6 id {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000080  : 0 [end]	element 00000081  : 0 [end]
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# icmpv6 id != {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000080  : 0 [end]	element 00000081  : 0 [end]
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# icmpv6 id 1
+__set%d test-ip6 3 size 2
+__set%d test-ip6 0
+	element 00000080  : 0 [end]	element 00000081  : 0 [end]
+ip6
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00000100 ]
+
+# icmpv6 type echo-reply icmpv6 id 65534
+ip6
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000081 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x0000feff ]
+
+# icmpv6 sequence 2
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000080  : 0 [end]	element 00000081  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000200 ]
+
+# icmpv6 sequence {3, 4, 5, 6, 7} accept
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000080  : 0 [end]	element 00000081  : 0 [end]
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000300  : 0 [end]	element 00000400  : 0 [end]	element 00000500  : 0 [end]	element 00000600  : 0 [end]	element 00000700  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]
+
+# icmpv6 sequence {2, 4}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000080  : 0 [end]	element 00000081  : 0 [end]
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000200  : 0 [end]	element 00000400  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# icmpv6 sequence != {2, 4}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000080  : 0 [end]	element 00000081  : 0 [end]
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000200  : 0 [end]	element 00000400  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# icmpv6 sequence 2-4
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000080  : 0 [end]	element 00000081  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00000200 ]
+  [ cmp lte reg 1 0x00000400 ]
+
+# icmpv6 sequence != 2-4
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000080  : 0 [end]	element 00000081  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ range neq reg 1 0x00000200 0x00000400 ]
+
+# icmpv6 max-delay 33-45
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000082 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# icmpv6 max-delay != 33-45
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000082 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# icmpv6 max-delay {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000082 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# icmpv6 max-delay != {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000082 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# icmpv6 type parameter-problem icmpv6 code no-route
+ip6 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000004 ]
+
+# icmpv6 type mld-listener-query icmpv6 taddr 2001:db8::133
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000082 ]
+  [ payload load 16b @ transport header + 8 => reg 1 ]
+  [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ]
+
+# icmpv6 type nd-neighbor-solicit icmpv6 taddr 2001:db8::133
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000087 ]
+  [ payload load 16b @ transport header + 8 => reg 1 ]
+  [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ]
+
+# icmpv6 type nd-neighbor-advert icmpv6 taddr 2001:db8::133
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 16b @ transport header + 8 => reg 1 ]
+  [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ]
+
+# icmpv6 taddr 2001:db8::133
+__set%d test-ip6 3 size 6
+__set%d test-ip6 0
+	element 00000082  : 0 [end]	element 00000083  : 0 [end]	element 00000084  : 0 [end]	element 00000087  : 0 [end]	element 00000088  : 0 [end]	element 00000089  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 16b @ transport header + 8 => reg 1 ]
+  [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ]
+
+# icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect} icmpv6 taddr 2001:db8::133
+__set%d test-ip6 3 size 6
+__set%d test-ip6 0
+	element 00000082  : 0 [end]	element 00000083  : 0 [end]	element 00000084  : 0 [end]	element 00000087  : 0 [end]	element 00000088  : 0 [end]	element 00000089  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 16b @ transport header + 8 => reg 1 ]
+  [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ]
+
+# icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } icmpv6 taddr 2001:db8::133
+__set%d test-ip6 3 size 2
+__set%d test-ip6 0
+	element 00000087  : 0 [end]	element 00000088  : 0 [end]
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ payload load 16b @ transport header + 8 => reg 1 ]
+  [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ]
+
+# icmpv6 daddr 2001:db8::133
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000089 ]
+  [ payload load 16b @ transport header + 24 => reg 1 ]
+  [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ]
+
+# icmpv6 type nd-redirect icmpv6 daddr 2001:db8::133
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000089 ]
+  [ payload load 16b @ transport header + 24 => reg 1 ]
+  [ cmp eq reg 1 0xb80d0120 0x00000000 0x00000000 0x33010000 ]
diff --git a/tests/py/ip6/ip6.t b/tests/py/ip6/ip6.t
new file mode 100644
index 0000000..2ffe318
--- /dev/null
+++ b/tests/py/ip6/ip6.t
@@ -0,0 +1,153 @@
+:input;type filter hook input priority 0
+
+*ip6;test-ip6;input
+*inet;test-inet;input
+
+# BUG: Problem with version, priority
+# <cmdline>:1:1-38: Error: Could not process rule: Invalid argument
+# add rule ip6 test6 input ip6 version 1
+# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- ip6 version 6;ok
+
+ip6 dscp cs1;ok
+ip6 dscp != cs1;ok
+ip6 dscp 0x38;ok;ip6 dscp cs7
+ip6 dscp != 0x20;ok;ip6 dscp != cs4
+ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef};ok
+ip6 dscp vmap { 0x04 : accept, 0x3f : continue } counter;ok
+
+ip6 flowlabel 22;ok
+ip6 flowlabel != 233;ok
+- ip6 flowlabel 33-45;ok
+- ip6 flowlabel != 33-45;ok
+ip6 flowlabel { 33, 55, 67, 88};ok
+# BUG ip6 flowlabel { 5046528, 2883584, 13522432 }
+ip6 flowlabel != { 33, 55, 67, 88};ok
+ip6 flowlabel vmap { 0 : accept, 2 : continue };ok
+
+ip6 length 22;ok
+ip6 length != 233;ok
+ip6 length 33-45;ok
+ip6 length != 33-45;ok
+ip6 length { 33, 55, 67, 88};ok
+ip6 length != {33, 55, 67, 88};ok
+
+ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp};ok;ip6 nexthdr { 132, 51, 108, 136, 17, 33, 6}
+ip6 nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;ip6 nexthdr { 6, 136, 108, 33, 50, 17, 132, 58, 51}
+ip6 nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;ip6 nexthdr != { 6, 136, 108, 33, 50, 17, 132, 58, 51}
+ip6 nexthdr esp;ok;ip6 nexthdr 50
+ip6 nexthdr != esp;ok;ip6 nexthdr != 50
+ip6 nexthdr 33-44;ok
+ip6 nexthdr != 33-44;ok
+
+ip6 hoplimit 1;ok
+ip6 hoplimit != 233;ok
+ip6 hoplimit 33-45;ok
+ip6 hoplimit != 33-45;ok
+ip6 hoplimit {33, 55, 67, 88};ok
+ip6 hoplimit != {33, 55, 67, 88};ok
+
+# from src/scanner.l
+# v680		(({hex4}:){7}{hex4})
+ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234;ok
+# v670		((:)(:{hex4}{7}))
+ip6 saddr ::1234:1234:1234:1234:1234:1234:1234;ok;ip6 saddr 0:1234:1234:1234:1234:1234:1234:1234
+# v671		((({hex4}:){1})(:{hex4}{6}))
+ip6 saddr 1234::1234:1234:1234:1234:1234:1234;ok;ip6 saddr 1234:0:1234:1234:1234:1234:1234:1234
+# v672		((({hex4}:){2})(:{hex4}{5}))
+ip6 saddr 1234:1234::1234:1234:1234:1234:1234;ok;ip6 saddr 1234:1234:0:1234:1234:1234:1234:1234
+ip6 saddr 1234:1234:0:1234:1234:1234:1234:1234;ok
+# v673		((({hex4}:){3})(:{hex4}{4}))
+ip6 saddr 1234:1234:1234::1234:1234:1234:1234;ok;ip6 saddr 1234:1234:1234:0:1234:1234:1234:1234
+# v674		((({hex4}:){4})(:{hex4}{3}))
+ip6 saddr 1234:1234:1234:1234:0:1234:1234:1234;ok
+# v675		((({hex4}:){5})(:{hex4}{2}))
+ip6 saddr 1234:1234:1234:1234:1234::1234:1234;ok;ip6 saddr 1234:1234:1234:1234:1234:0:1234:1234
+# v676		((({hex4}:){6})(:{hex4}{1}))
+ip6 saddr 1234:1234:1234:1234:1234:1234:0:1234;ok
+# v677		((({hex4}:){7})(:))
+ip6 saddr 1234:1234:1234:1234:1234:1234:1234::;ok;ip6 saddr 1234:1234:1234:1234:1234:1234:1234:0
+# v67		({v670}|{v671}|{v672}|{v673}|{v674}|{v675}|{v676}|{v677})
+# v660		((:)(:{hex4}{6}))
+ip6 saddr ::1234:1234:1234:1234:1234:1234;ok
+# v661		((({hex4}:){1})(:{hex4}{5}))
+ip6 saddr 1234::1234:1234:1234:1234:1234;ok
+# v662		((({hex4}:){2})(:{hex4}{4}))
+ip6 saddr 1234:1234::1234:1234:1234:1234;ok
+# v663		((({hex4}:){3})(:{hex4}{3}))
+ip6 saddr 1234:1234:1234::1234:1234:1234;ok
+# v664		((({hex4}:){4})(:{hex4}{2}))
+ip6 saddr 1234:1234:1234:1234::1234:1234;ok
+# v665		((({hex4}:){5})(:{hex4}{1}))
+ip6 saddr 1234:1234:1234:1234:1234::1234;ok
+# v666		((({hex4}:){6})(:))
+ip6 saddr 1234:1234:1234:1234:1234:1234::;ok
+# v66		({v660}|{v661}|{v662}|{v663}|{v664}|{v665}|{v666})
+# v650		((:)(:{hex4}{5}))
+ip6 saddr ::1234:1234:1234:1234:1234;ok
+# v651		((({hex4}:){1})(:{hex4}{4}))
+ip6 saddr 1234::1234:1234:1234:1234;ok
+# v652		((({hex4}:){2})(:{hex4}{3}))
+ip6 saddr 1234:1234::1234:1234:1234;ok
+# v653		((({hex4}:){3})(:{hex4}{2}))
+ip6 saddr 1234:1234:1234::1234:1234;ok
+# v654		((({hex4}:){4})(:{hex4}{1}))
+ip6 saddr 1234:1234:1234:1234::1234;ok
+# v655		((({hex4}:){5})(:))
+ip6 saddr 1234:1234:1234:1234:1234::;ok
+# v65		({v650}|{v651}|{v652}|{v653}|{v654}|{v655})
+# v640		((:)(:{hex4}{4}))
+ip6 saddr ::1234:1234:1234:1234;ok
+# v641		((({hex4}:){1})(:{hex4}{3}))
+ip6 saddr 1234::1234:1234:1234;ok
+# v642		((({hex4}:){2})(:{hex4}{2}))
+ip6 saddr 1234:1234::1234:1234;ok
+# v643		((({hex4}:){3})(:{hex4}{1}))
+ip6 saddr 1234:1234:1234::1234;ok
+# v644		((({hex4}:){4})(:))
+ip6 saddr 1234:1234:1234:1234::;ok
+# v64		({v640}|{v641}|{v642}|{v643}|{v644})
+# v630		((:)(:{hex4}{3}))
+ip6 saddr ::1234:1234:1234;ok
+# v631		((({hex4}:){1})(:{hex4}{2}))
+ip6 saddr 1234::1234:1234;ok
+# v632		((({hex4}:){2})(:{hex4}{1}))
+ip6 saddr 1234:1234::1234;ok
+# v633		((({hex4}:){3})(:))
+ip6 saddr 1234:1234:1234::;ok
+# v63		({v630}|{v631}|{v632}|{v633})
+# v620		((:)(:{hex4}{2}))
+ip6 saddr ::1234:1234;ok;ip6 saddr ::18.52.18.52
+# v621		((({hex4}:){1})(:{hex4}{1}))
+ip6 saddr 1234::1234;ok
+# v622		((({hex4}:){2})(:))
+ip6 saddr 1234:1234::;ok
+# v62		({v620}|{v621}|{v622})
+# v610		((:)(:{hex4}{1}))
+ip6 saddr ::1234;ok
+# v611		((({hex4}:){1})(:))
+ip6 saddr 1234::;ok
+# v61		({v610}|{v611})
+# v60		(::)
+ip6 saddr ::/64;ok
+ip6 saddr ::1 ip6 daddr ::2;ok
+
+ip6 daddr != {::1234:1234:1234:1234:1234:1234:1234, 1234:1234::1234:1234:1234:1234:1234 };ok;ip6 daddr != {0:1234:1234:1234:1234:1234:1234:1234, 1234:1234:0:1234:1234:1234:1234:1234}
+ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234;ok;ip6 daddr != 0:1234:1234:1234:1234:1234:1234:1234-1234:1234:0:1234:1234:1234:1234:1234
+
+# limit impact to lo
+iif "lo" ip6 daddr set ::1;ok
+iif "lo" ip6 hoplimit set 1;ok
+iif "lo" ip6 dscp set af42;ok
+iif "lo" ip6 dscp set 63;ok;iif "lo" ip6 dscp set 0x3f
+iif "lo" ip6 ecn set ect0;ok
+iif "lo" ip6 ecn set ce;ok
+
+iif "lo" ip6 flowlabel set 0;ok
+iif "lo" ip6 flowlabel set 12345;ok
+iif "lo" ip6 flowlabel set 0xfffff;ok;iif "lo" ip6 flowlabel set 1048575
+
+iif "lo" ip6 ecn set 4;fail
+iif "lo" ip6 dscp set 64;fail
+iif "lo" ip6 flowlabel set 1048576;fail
diff --git a/tests/py/ip6/ip6.t.json b/tests/py/ip6/ip6.t.json
new file mode 100644
index 0000000..cf80217
--- /dev/null
+++ b/tests/py/ip6/ip6.t.json
@@ -0,0 +1,1559 @@
+# ip6 dscp cs1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "cs1"
+        }
+    }
+]
+
+# ip6 dscp != cs1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": "cs1"
+        }
+    }
+]
+
+# ip6 dscp 0x38
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "0x38"
+        }
+    }
+]
+
+# ip6 dscp != 0x20
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": "0x20"
+        }
+    }
+]
+
+# ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "cs0",
+                    "cs1",
+                    "cs2",
+                    "cs3",
+                    "cs4",
+                    "cs5",
+                    "cs6",
+                    "cs7",
+                    "af11",
+                    "af12",
+                    "af13",
+                    "af21",
+                    "af22",
+                    "af23",
+                    "af31",
+                    "af32",
+                    "af33",
+                    "af41",
+                    "af42",
+                    "af43",
+                    "ef"
+                ]
+            }
+        }
+    }
+]
+
+# ip6 dscp vmap { 0x04 : accept, 0x3f : continue } counter
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "0x04",
+                        {
+                            "accept": null
+                        }
+                    ],
+                    [
+                        "0x3f",
+                        {
+                            "continue": null
+                        }
+                    ]
+                ]
+            }
+        }
+    },
+    {
+        "counter": null
+    }
+]
+
+# ip6 flowlabel 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flowlabel",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# ip6 flowlabel != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flowlabel",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# ip6 flowlabel { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flowlabel",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# ip6 flowlabel != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "flowlabel",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# ip6 flowlabel vmap { 0 : accept, 2 : continue } 
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "flowlabel",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        0,
+                        {
+                            "accept": null
+                        }
+                    ],
+                    [
+                        2,
+                        {
+                            "continue": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 length 22
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "length",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# ip6 length != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "length",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# ip6 length 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "length",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# ip6 length != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "length",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# ip6 length { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "length",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# ip6 length != {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "length",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "udp",
+                    "ah",
+                    "comp",
+                    "udplite",
+                    "tcp",
+                    "dccp",
+                    "sctp"
+                ]
+            }
+        }
+    }
+]
+
+# ip6 nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "esp",
+                    "ah",
+                    "comp",
+                    "udp",
+                    "udplite",
+                    "tcp",
+                    "dccp",
+                    "sctp",
+                    "icmpv6"
+                ]
+            }
+        }
+    }
+]
+
+# ip6 nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "esp",
+                    "ah",
+                    "comp",
+                    "udp",
+                    "udplite",
+                    "tcp",
+                    "dccp",
+                    "sctp",
+                    "icmpv6"
+                ]
+            }
+        }
+    }
+]
+
+# ip6 nexthdr esp
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "esp"
+        }
+    }
+]
+
+# ip6 nexthdr != esp
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": "esp"
+        }
+    }
+]
+
+# ip6 nexthdr { 33-44}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    { "range": [ 33, 44 ] }
+                ]
+            }
+        }
+    }
+]
+
+# ip6 nexthdr != { 33-44}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    { "range": [ 33, 44 ] }
+                ]
+            }
+        }
+    }
+]
+
+# ip6 nexthdr 33-44
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 44 ]
+            }
+        }
+    }
+]
+
+# ip6 nexthdr != 33-44
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 44 ]
+            }
+        }
+    }
+]
+
+# ip6 hoplimit 1
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hoplimit",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# ip6 hoplimit != 233
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hoplimit",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# ip6 hoplimit 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hoplimit",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# ip6 hoplimit != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hoplimit",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# ip6 hoplimit {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hoplimit",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# ip6 hoplimit != {33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "hoplimit",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234:1234:1234:1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr ::1234:1234:1234:1234:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "::1234:1234:1234:1234:1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234::1234:1234:1234:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234::1234:1234:1234:1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234::1234:1234:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234::1234:1234:1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:0:1234:1234:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:0:1234:1234:1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234::1234:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234::1234:1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234:1234:0:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234:1234:0:1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234:1234:1234::1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234:1234:1234::1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234:1234:1234:1234:0:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234:1234:1234:1234:0:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234:1234:1234:1234:1234::
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234:1234:1234:1234:1234::"
+        }
+    }
+]
+
+# ip6 saddr ::1234:1234:1234:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "::1234:1234:1234:1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234::1234:1234:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234::1234:1234:1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234::1234:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234::1234:1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234::1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234::1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234:1234::1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234:1234::1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234:1234:1234::1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234:1234:1234::1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234:1234:1234:1234::
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234:1234:1234:1234::"
+        }
+    }
+]
+
+# ip6 saddr ::1234:1234:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "::1234:1234:1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234::1234:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234::1234:1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234::1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234::1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234::1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234::1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234:1234::1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234:1234::1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234:1234:1234::
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234:1234:1234::"
+        }
+    }
+]
+
+# ip6 saddr ::1234:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "::1234:1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234::1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234::1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234::1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234::1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234::1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234::1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234:1234::
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234:1234::"
+        }
+    }
+]
+
+# ip6 saddr ::1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "::1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234::1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234::1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234::1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234::1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234::
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234::"
+        }
+    }
+]
+
+# ip6 saddr ::1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "::1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234::1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234::1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234::
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234::"
+        }
+    }
+]
+
+# ip6 saddr ::1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "::1234"
+        }
+    }
+]
+
+# ip6 saddr 1234::
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234::"
+        }
+    }
+]
+
+# ip6 saddr ::/64
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "prefix": {
+                    "addr": "::",
+                    "len": 64
+                }
+            }
+        }
+    }
+]
+
+# ip6 saddr ::1 ip6 daddr ::2
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "::1"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "::2"
+        }
+    }
+]
+
+# ip6 daddr != {::1234:1234:1234:1234:1234:1234:1234, 1234:1234::1234:1234:1234:1234:1234 }
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "::1234:1234:1234:1234:1234:1234:1234",
+                    "1234:1234::1234:1234:1234:1234:1234"
+                ]
+            }
+        }
+    }
+]
+
+# ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ "::1234:1234:1234:1234:1234:1234:1234", "1234:1234::1234:1234:1234:1234:1234" ]
+            }
+        }
+    }
+]
+
+# iif "lo" ip6 daddr set ::1
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip6"
+                }
+            },
+            "value": "::1"
+        }
+    }
+]
+
+# iif "lo" ip6 hoplimit set 1
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "hoplimit",
+                    "protocol": "ip6"
+                }
+            },
+            "value": 1
+        }
+    }
+]
+
+# iif "lo" ip6 dscp set af42
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip6"
+                }
+            },
+            "value": "af42"
+        }
+    }
+]
+
+# iif "lo" ip6 dscp set 63
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip6"
+                }
+            },
+            "value": 63
+        }
+    }
+]
+
+# iif "lo" ip6 ecn set ect0
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "ecn",
+                    "protocol": "ip6"
+                }
+            },
+            "value": "ect0"
+        }
+    }
+]
+
+# iif "lo" ip6 ecn set ce
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "ecn",
+                    "protocol": "ip6"
+                }
+            },
+            "value": "ce"
+        }
+    }
+]
+
+# iif "lo" ip6 flowlabel set 0
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "flowlabel",
+                    "protocol": "ip6"
+                }
+            },
+            "value": 0
+        }
+    }
+]
+
+# iif "lo" ip6 flowlabel set 12345
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "flowlabel",
+                    "protocol": "ip6"
+                }
+            },
+            "value": 12345
+        }
+    }
+]
+
+# iif "lo" ip6 flowlabel set 0xfffff
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "flowlabel",
+                    "protocol": "ip6"
+                }
+            },
+            "value": "0xfffff"
+        }
+    }
+]
+
diff --git a/tests/py/ip6/ip6.t.json.output b/tests/py/ip6/ip6.t.json.output
new file mode 100644
index 0000000..6c20939
--- /dev/null
+++ b/tests/py/ip6/ip6.t.json.output
@@ -0,0 +1,374 @@
+# ip6 dscp 0x38
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "cs7"
+        }
+    }
+]
+
+# ip6 dscp != 0x20
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": "cs4"
+        }
+    }
+]
+
+# ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "cs0",
+                    "cs1",
+                    "af11",
+                    "af12",
+                    "af13",
+                    "cs2",
+                    "af21",
+                    "af22",
+                    "af23",
+                    "cs3",
+                    "af31",
+                    "af32",
+                    "af33",
+                    "cs4",
+                    "af41",
+                    "af42",
+                    "af43",
+                    "cs5",
+                    "ef",
+                    "cs6",
+                    "cs7"
+                ]
+            }
+        }
+    }
+]
+
+# ip6 dscp vmap { 0x04 : accept, 0x3f : continue } counter
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "dscp",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        4,
+                        {
+                            "accept": null
+                        }
+                    ],
+                    [
+                        63,
+                        {
+                            "continue": null
+                        }
+                    ]
+                ]
+            }
+        }
+    },
+    {
+        "counter": null
+    }
+]
+
+# ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    6,
+                    17,
+                    33,
+                    51,
+                    108,
+                    132,
+                    136
+                ]
+            }
+        }
+    }
+]
+
+# ip6 nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [ 6, 17, 33, 50, 51, 58, 108, 132, 136 ]
+            }
+        }
+    }
+]
+
+# ip6 nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [ 6, 17, 33, 50, 51, 58, 108, 132, 136 ]
+            }
+        }
+    }
+]
+
+# ip6 nexthdr esp
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": 50
+        }
+    }
+]
+
+# ip6 nexthdr != esp
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": 50
+        }
+    }
+]
+
+# ip6 saddr ::1234:1234:1234:1234:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "0:1234:1234:1234:1234:1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234::1234:1234:1234:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:0:1234:1234:1234:1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234::1234:1234:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:0:1234:1234:1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234::1234:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234:0:1234:1234:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234:1234:1234::1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234:1234:1234:0:1234:1234"
+        }
+    }
+]
+
+# ip6 saddr 1234:1234:1234:1234:1234:1234:1234::
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "1234:1234:1234:1234:1234:1234:1234:0"
+        }
+    }
+]
+
+# ip6 saddr ::1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "::18.52.18.52"
+        }
+    }
+]
+
+# ip6 daddr != {::1234:1234:1234:1234:1234:1234:1234, 1234:1234::1234:1234:1234:1234:1234 }
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "0:1234:1234:1234:1234:1234:1234:1234",
+                    "1234:1234:0:1234:1234:1234:1234:1234"
+                ]
+            }
+        }
+    }
+]
+
+# ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ "0:1234:1234:1234:1234:1234:1234:1234", "1234:1234:0:1234:1234:1234:1234:1234" ]
+            }
+        }
+    }
+]
+
+# iif "lo" ip6 flowlabel set 0xfffff
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iif" }
+            },
+	    "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "mangle": {
+            "key": {
+                "payload": {
+                    "field": "flowlabel",
+                    "protocol": "ip6"
+                }
+            },
+            "value": 1048575
+        }
+    }
+]
+
diff --git a/tests/py/ip6/ip6.t.payload.inet b/tests/py/ip6/ip6.t.payload.inet
new file mode 100644
index 0000000..20dfe54
--- /dev/null
+++ b/tests/py/ip6/ip6.t.payload.inet
@@ -0,0 +1,641 @@
+# ip6 dscp cs1
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000002 ]
+
+# ip6 dscp != cs1
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000002 ]
+
+# ip6 dscp 0x38
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000000e ]
+
+# ip6 dscp != 0x20
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000008 ]
+
+# ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
+__set%d test-inet 3
+__set%d test-inet 0
+        element 00000000  : 0 [end]     element 00000002  : 0 [end]     element 00000004  : 0 [end]     element 00000006  : 0 [end]    element 00000008  : 0 [end]      element 0000000a  : 0 [end]     element 0000000c  : 0 [end]     element 0000000e  : 0 [end]     element 00008002  : 0 [end]     element 00000003  : 0 [end]     element 00008003  : 0 [end]     element 00008004  : 0 [end]     element 00000005  : 0 [end]     element 00008005  : 0 [end]     element 00008006  : 0 [end]     element 00000007  : 0 [end]     element 00008007  : 0 [end]     element 00008008  : 0 [end]     element 00000009  : 0 [end]     element 00008009  : 0 [end]     element 0000800b  : 0 [end]
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip6 dscp vmap { 0x04 : accept, 0x3f : continue } counter
+__map%d test-inet b size 2
+__map%d test-inet 0
+	element 00000001  : accept 0 [end]	element 0000c00f  : continue 0 [end]
+ip6 test-ip6 input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
+# ip6 flowlabel 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00160000 ]
+
+# ip6 flowlabel != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00e90000 ]
+
+# ip6 flowlabel { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00210000  : 0 [end]	element 00370000  : 0 [end]	element 00430000  : 0 [end]	element 00580000  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip6 flowlabel != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00210000  : 0 [end]	element 00370000  : 0 [end]	element 00430000  : 0 [end]	element 00580000  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip6 flowlabel vmap { 0 : accept, 2 : continue }
+__map%d test-inet b size 2
+__map%d test-inet 0
+	element 00000000  : accept 0 [end]	element 00020000  : continue 0 [end]
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 length 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip6 length != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip6 length 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip6 length != 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# ip6 length { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip6 length != {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip6 nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]	element 0000003a  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip6 nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]	element 0000003a  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip6 nexthdr esp
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+
+# ip6 nexthdr != esp
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x00000032 ]
+
+# ip6 nexthdr 33-44
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002c ]
+
+# ip6 nexthdr != 33-44
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002c ]
+
+# ip6 hoplimit 1
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 7 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# ip6 hoplimit != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 7 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# ip6 hoplimit 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 7 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# ip6 hoplimit != 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 7 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# ip6 hoplimit {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 7 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip6 hoplimit != {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 7 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x34123412 0x34123412 ]
+
+# ip6 saddr ::1234:1234:1234:1234:1234:1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34120000 0x34123412 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234::1234:1234:1234:1234:1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00003412 0x34123412 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234:1234::1234:1234:1234:1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34120000 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234:1234:0:1234:1234:1234:1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34120000 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234::1234:1234:1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00003412 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234:1234:0:1234:1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x34120000 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234:1234:1234::1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x00003412 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234:1234:1234:1234:0:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x34123412 0x34120000 ]
+
+# ip6 saddr 1234:1234:1234:1234:1234:1234:1234::
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x34123412 0x00003412 ]
+
+# ip6 saddr ::1234:1234:1234:1234:1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 0x34123412 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234::1234:1234:1234:1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00003412 0x34120000 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234:1234::1234:1234:1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00000000 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234::1234:1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00003412 0x34120000 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234:1234::1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x00000000 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234:1234:1234::1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x00003412 0x34120000 ]
+
+# ip6 saddr 1234:1234:1234:1234:1234:1234::
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x34123412 0x00000000 ]
+
+# ip6 saddr ::1234:1234:1234:1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 0x34120000 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234::1234:1234:1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00003412 0x00000000 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234:1234::1234:1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00000000 0x34120000 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234::1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00003412 0x00000000 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234:1234::1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x00000000 0x34120000 ]
+
+# ip6 saddr 1234:1234:1234:1234:1234::
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x00003412 0x00000000 ]
+
+# ip6 saddr ::1234:1234:1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 0x00000000 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234::1234:1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00003412 0x00000000 0x34120000 0x34123412 ]
+
+# ip6 saddr 1234:1234::1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00000000 0x00000000 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234::1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00003412 0x00000000 0x34120000 ]
+
+# ip6 saddr 1234:1234:1234:1234::
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x00000000 0x00000000 ]
+
+# ip6 saddr ::1234:1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 0x00000000 0x34120000 0x34123412 ]
+
+# ip6 saddr 1234::1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00003412 0x00000000 0x00000000 0x34123412 ]
+
+# ip6 saddr 1234:1234::1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00000000 0x00000000 0x34120000 ]
+
+# ip6 saddr 1234:1234:1234::
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00003412 0x00000000 0x00000000 ]
+
+# ip6 saddr ::1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x34123412 ]
+
+# ip6 saddr 1234::1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00003412 0x00000000 0x00000000 0x34120000 ]
+
+# ip6 saddr 1234:1234::
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00000000 0x00000000 0x00000000 ]
+
+# ip6 saddr ::1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x34120000 ]
+
+# ip6 saddr 1234::
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00003412 0x00000000 0x00000000 0x00000000 ]
+
+# ip6 saddr ::/64
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 8b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 0x00000000 ]
+
+# ip6 saddr ::1 ip6 daddr ::2
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ]
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x02000000 ]
+
+# ip6 daddr != {::1234:1234:1234:1234:1234:1234:1234, 1234:1234::1234:1234:1234:1234:1234 }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 34120000 34123412 34123412 34123412  : 0 [end]	element 34123412 34120000 34123412 34123412  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ range neq reg 1 0x34120000 0x34123412 0x34123412 0x34123412 0x34123412 0x34120000 0x34123412 0x34123412 ]
+
+# iif "lo" ip6 daddr set ::1
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ immediate reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ]
+  [ payload write reg 1 => 16b @ network header + 24 csum_type 0 csum_off 0 csum_flags 0x1 ]
+
+# iif "lo" ip6 hoplimit set 1
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ immediate reg 1 0x00000001 ]
+  [ payload write reg 1 => 1b @ network header + 7 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# iif "lo" ip6 dscp set af42
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00003ff0 ) ^ 0x00000009 ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# iif "lo" ip6 dscp set 63
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00003ff0 ) ^ 0x0000c00f ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# iif "lo" ip6 ecn set ect0
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000cf ) ^ 0x00000020 ]
+  [ payload write reg 1 => 1b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# iif "lo" ip6 ecn set ce
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000cf ) ^ 0x00000030 ]
+  [ payload write reg 1 => 1b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# iif "lo" ip6 flowlabel set 0
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ]
+  [ payload write reg 1 => 3b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# iif "lo" ip6 flowlabel set 12345
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00393000 ]
+  [ payload write reg 1 => 3b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# iif "lo" ip6 flowlabel set 0xfffff
+inet test-inet input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00ffff0f ]
+  [ payload write reg 1 => 3b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
diff --git a/tests/py/ip6/ip6.t.payload.ip6 b/tests/py/ip6/ip6.t.payload.ip6
new file mode 100644
index 0000000..f8e3ca3
--- /dev/null
+++ b/tests/py/ip6/ip6.t.payload.ip6
@@ -0,0 +1,481 @@
+# ip6 dscp cs1
+ip6 test-ip6 input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000002 ]
+
+# ip6 dscp != cs1
+ip6 test-ip6 input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000002 ]
+
+# ip6 dscp 0x38
+ip6 test-ip6 input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x0000000e ]
+
+# ip6 dscp != 0x20
+ip6 test-ip6 input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000008 ]
+
+# ip6 dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}
+__set%d test-ip6 3
+__set%d test-ip6 0
+        element 00000002  : 0 [end]     element 00000004  : 0 [end]     element 00000006  : 0 [end]     element 00000008  : 0 [end]    element 0000000a  : 0 [end]      element 0000000c  : 0 [end]     element 0000000e  : 0 [end]     element 00000000  : 0 [end]     element 00008002  : 0 [end]     element 00000003  : 0 [end]     element 00008003  : 0 [end]     element 00008004  : 0 [end]     element 00000005  : 0 [end]     element 00008005  : 0 [end]     element 00008006  : 0 [end]     element 00000007  : 0 [end]     element 00008007  : 0 [end]     element 00008008  : 0 [end]     element 00000009  : 0 [end]     element 00008009  : 0 [end]     element 0000800b  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip6 dscp vmap { 0x04 : accept, 0x3f : continue } counter
+__map%d test-ip6 b size 2
+__map%d test-ip6 0
+	element 00000001  : accept 0 [end]	element 0000c00f  : continue 0 [end]
+ip6 test-ip6 input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ counter pkts 0 bytes 0 ]
+
+# ip6 flowlabel 22
+ip6 test-ip6 input
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00160000 ]
+
+# ip6 flowlabel != 233
+ip6 test-ip6 input
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00e90000 ]
+
+# ip6 flowlabel { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00210000  : 0 [end]	element 00370000  : 0 [end]	element 00430000  : 0 [end]	element 00580000  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip6 flowlabel != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00210000  : 0 [end]	element 00370000  : 0 [end]	element 00430000  : 0 [end]	element 00580000  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip6 flowlabel vmap { 0 : accept, 2 : continue }
+__map%d test-ip6 b size 2
+__map%d test-ip6 0
+	element 00000000  : accept 0 [end]	element 00020000  : continue 0 [end]
+ip6 test-ip6 input 
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 length 22
+ip6 test-ip6 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# ip6 length != 233
+ip6 test-ip6 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# ip6 length 33-45
+ip6 test-ip6 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# ip6 length != 33-45
+ip6 test-ip6 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# ip6 length { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip6 length != {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip6 nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]	element 0000003a  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip6 nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]	element 0000003a  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip6 nexthdr esp
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+
+# ip6 nexthdr != esp
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp neq reg 1 0x00000032 ]
+
+# ip6 nexthdr 33-44
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002c ]
+
+# ip6 nexthdr != 33-44
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002c ]
+
+# ip6 hoplimit 1
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 7 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# ip6 hoplimit != 233
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 7 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# ip6 hoplimit 33-45
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 7 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# ip6 hoplimit != 33-45
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 7 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# ip6 hoplimit {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 7 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip6 hoplimit != {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 7 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x34123412 0x34123412 ]
+
+# ip6 saddr ::1234:1234:1234:1234:1234:1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34120000 0x34123412 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234::1234:1234:1234:1234:1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00003412 0x34123412 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234:1234::1234:1234:1234:1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34120000 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234:1234:0:1234:1234:1234:1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34120000 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234::1234:1234:1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00003412 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234:1234:0:1234:1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x34120000 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234:1234:1234::1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x00003412 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234:1234:1234:1234:0:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x34123412 0x34120000 ]
+
+# ip6 saddr 1234:1234:1234:1234:1234:1234:1234::
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x34123412 0x00003412 ]
+
+# ip6 saddr ::1234:1234:1234:1234:1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 0x34123412 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234::1234:1234:1234:1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00003412 0x34120000 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234:1234::1234:1234:1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00000000 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234::1234:1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00003412 0x34120000 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234:1234::1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x00000000 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234:1234:1234::1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x00003412 0x34120000 ]
+
+# ip6 saddr 1234:1234:1234:1234:1234:1234::
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x34123412 0x00000000 ]
+
+# ip6 saddr ::1234:1234:1234:1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 0x34120000 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234::1234:1234:1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00003412 0x00000000 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234:1234::1234:1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00000000 0x34120000 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234::1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00003412 0x00000000 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234:1234::1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x00000000 0x34120000 ]
+
+# ip6 saddr 1234:1234:1234:1234:1234::
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x00003412 0x00000000 ]
+
+# ip6 saddr ::1234:1234:1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 0x00000000 0x34123412 0x34123412 ]
+
+# ip6 saddr 1234::1234:1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00003412 0x00000000 0x34120000 0x34123412 ]
+
+# ip6 saddr 1234:1234::1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00000000 0x00000000 0x34123412 ]
+
+# ip6 saddr 1234:1234:1234::1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00003412 0x00000000 0x34120000 ]
+
+# ip6 saddr 1234:1234:1234:1234::
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x34123412 0x00000000 0x00000000 ]
+
+# ip6 saddr ::1234:1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 0x00000000 0x34120000 0x34123412 ]
+
+# ip6 saddr 1234::1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00003412 0x00000000 0x00000000 0x34123412 ]
+
+# ip6 saddr 1234:1234::1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00000000 0x00000000 0x34120000 ]
+
+# ip6 saddr 1234:1234:1234::
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00003412 0x00000000 0x00000000 ]
+
+# ip6 saddr ::1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x34123412 ]
+
+# ip6 saddr 1234::1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00003412 0x00000000 0x00000000 0x34120000 ]
+
+# ip6 saddr 1234:1234::
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x34123412 0x00000000 0x00000000 0x00000000 ]
+
+# ip6 saddr ::1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x34120000 ]
+
+# ip6 saddr 1234::
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00003412 0x00000000 0x00000000 0x00000000 ]
+
+# ip6 saddr ::/64
+ip6 test-ip6 input
+  [ payload load 8b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 0x00000000 ]
+
+# ip6 saddr ::1 ip6 daddr ::2
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ]
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x02000000 ]
+
+# ip6 daddr != {::1234:1234:1234:1234:1234:1234:1234, 1234:1234::1234:1234:1234:1234:1234 }
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 34120000 34123412 34123412 34123412  : 0 [end]	element 34123412 34120000 34123412 34123412  : 0 [end]
+ip6 test-ip6 input 
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ range neq reg 1 0x34120000 0x34123412 0x34123412 0x34123412 0x34123412 0x34120000 0x34123412 0x34123412 ]
+
+# iif "lo" ip6 daddr set ::1
+ip6 test-ip6 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ immediate reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ]
+  [ payload write reg 1 => 16b @ network header + 24 csum_type 0 csum_off 0 csum_flags 0x1 ]
+
+# iif "lo" ip6 hoplimit set 1
+ip6 test-ip6 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ immediate reg 1 0x00000001 ]
+  [ payload write reg 1 => 1b @ network header + 7 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# iif "lo" ip6 dscp set af42
+ip6 test-ip6 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00003ff0 ) ^ 0x00000009 ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# iif "lo" ip6 dscp set 63
+ip6 test-ip6 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00003ff0 ) ^ 0x0000c00f ]
+  [ payload write reg 1 => 2b @ network header + 0 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# iif "lo" ip6 ecn set ect0
+ip6 test-ip6 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000cf ) ^ 0x00000020 ]
+  [ payload write reg 1 => 1b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# iif "lo" ip6 ecn set ce
+ip6 test-ip6 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000cf ) ^ 0x00000030 ]
+  [ payload write reg 1 => 1b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# iif "lo" ip6 flowlabel set 0
+ip6 test-ip6 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ]
+  [ payload write reg 1 => 3b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# iif "lo" ip6 flowlabel set 12345
+ip6 test-ip6 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00393000 ]
+  [ payload write reg 1 => 3b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
+# iif "lo" ip6 flowlabel set 0xfffff
+ip6 test-ip6 input
+  [ meta load iif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00ffff0f ]
+  [ payload write reg 1 => 3b @ network header + 1 csum_type 0 csum_off 0 csum_flags 0x0 ]
+
diff --git a/tests/py/ip6/map.t b/tests/py/ip6/map.t
new file mode 100644
index 0000000..4d06e87
--- /dev/null
+++ b/tests/py/ip6/map.t
@@ -0,0 +1,5 @@
+:input;type filter hook input priority 0
+*ip6;test-ip6;input
+
+mark set ip6 saddr and ::ffff map { ::2 : 0x0000002a, ::ffff : 0x00000017};ok;meta mark set ip6 saddr & ::ffff map { ::2 : 0x0000002a, ::ffff : 0x00000017}
+
diff --git a/tests/py/ip6/map.t.json b/tests/py/ip6/map.t.json
new file mode 100644
index 0000000..78a01c6
--- /dev/null
+++ b/tests/py/ip6/map.t.json
@@ -0,0 +1,38 @@
+# mark set ip6 saddr and ::ffff map { ::2 : 0x0000002a, ::ffff : 0x00000017}
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": {
+                "map": {
+                    "key": {
+                        "&": [
+                            {
+                                "payload": {
+                                    "field": "saddr",
+                                    "protocol": "ip6"
+                                }
+                            },
+                            "::ffff"
+                        ]
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                "::2",
+                                "0x0000002a"
+                            ],
+                            [
+                                "::ffff",
+                                "0x00000017"
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip6/map.t.json.output b/tests/py/ip6/map.t.json.output
new file mode 100644
index 0000000..9280d55
--- /dev/null
+++ b/tests/py/ip6/map.t.json.output
@@ -0,0 +1,38 @@
+# mark set ip6 saddr and ::ffff map { ::2 : 0x0000002a, ::ffff : 0x00000017}
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": { "key": "mark" }
+            },
+            "value": {
+                "map": {
+                    "key": {
+                        "&": [
+                            {
+                                "payload": {
+                                    "field": "saddr",
+                                    "protocol": "ip6"
+                                }
+                            },
+                            "::ffff"
+                        ]
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                "::2",
+                                42
+                            ],
+                            [
+                                "::ffff",
+                                23
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip6/map.t.payload b/tests/py/ip6/map.t.payload
new file mode 100644
index 0000000..8e900c1
--- /dev/null
+++ b/tests/py/ip6/map.t.payload
@@ -0,0 +1,10 @@
+# mark set ip6 saddr and ::ffff map { ::2 : 0x0000002a, ::ffff : 0x00000017}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 00000000 00000000 00000000 02000000  : 0000002a 0 [end]	element 00000000 00000000 00000000 ffff0000  : 00000017 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x00000000 0x00000000 0x00000000 0xffff0000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ meta set mark with reg 1 ]
+
diff --git a/tests/py/ip6/masquerade.t b/tests/py/ip6/masquerade.t
new file mode 100644
index 0000000..4eb0467
--- /dev/null
+++ b/tests/py/ip6/masquerade.t
@@ -0,0 +1,30 @@
+:postrouting;type nat hook postrouting priority 0
+
+*ip6;test-ip6;postrouting
+
+# nf_nat flags combination
+udp dport 53 masquerade;ok
+udp dport 53 masquerade random;ok
+udp dport 53 masquerade random,persistent;ok
+udp dport 53 masquerade random,persistent,fully-random;ok;udp dport 53 masquerade random,fully-random,persistent
+udp dport 53 masquerade random,fully-random;ok
+udp dport 53 masquerade random,fully-random,persistent;ok
+udp dport 53 masquerade persistent;ok
+udp dport 53 masquerade persistent,random;ok;udp dport 53 masquerade random,persistent
+udp dport 53 masquerade persistent,random,fully-random;ok;udp dport 53 masquerade random,fully-random,persistent
+udp dport 53 masquerade persistent,fully-random;ok;udp dport 53 masquerade fully-random,persistent
+udp dport 53 masquerade persistent,fully-random,random;ok;udp dport 53 masquerade random,fully-random,persistent
+
+# using ports
+meta l4proto 6 masquerade to :1024;ok
+meta l4proto 6 masquerade to :1024-2048;ok
+
+# masquerade is a terminal statement
+tcp dport 22 masquerade counter packets 0 bytes 0 accept;fail
+tcp sport 22 masquerade accept;fail
+ip6 saddr ::1 masquerade drop;fail
+
+# masquerade with sets
+tcp dport { 1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade;ok
+ip6 daddr fe00::1-fe00::200 udp dport 53 counter masquerade;ok
+iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } masquerade;ok
diff --git a/tests/py/ip6/masquerade.t.json b/tests/py/ip6/masquerade.t.json
new file mode 100644
index 0000000..824b44f
--- /dev/null
+++ b/tests/py/ip6/masquerade.t.json
@@ -0,0 +1,423 @@
+# udp dport 53 masquerade
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": null
+    }
+]
+
+# udp dport 53 masquerade random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": "random"
+        }
+    }
+]
+
+# udp dport 53 masquerade random,persistent
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade random,persistent,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "random",
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade random,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "random",
+                "fully-random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade random,fully-random,persistent
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "random",
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade persistent
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": "persistent"
+        }
+    }
+]
+
+# udp dport 53 masquerade persistent,random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "persistent",
+                "random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade persistent,random,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "persistent",
+                "random",
+                "fully-random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade persistent,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "persistent",
+                "fully-random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade persistent,fully-random,random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "persistent",
+                "fully-random",
+                "random"
+            ]
+        }
+    }
+]
+
+# meta l4proto 6 masquerade to :1024
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+	    "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "masquerade": {
+            "port": 1024
+        }
+    }
+]
+
+# meta l4proto 6 masquerade to :1024-2048
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+	    "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "masquerade": {
+            "port": {
+                "range": [ 1024, 2048 ]
+            }
+        }
+    }
+]
+
+# tcp dport { 1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    1,
+                    2,
+                    3,
+                    4,
+                    5,
+                    6,
+                    7,
+                    8,
+                    101,
+                    202,
+                    303,
+                    1001,
+                    2002,
+                    3003
+                ]
+            }
+        }
+    },
+    {
+        "masquerade": null
+    }
+]
+
+# ip6 daddr fe00::1-fe00::200 udp dport 53 counter masquerade
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ "fe00::1", "fe00::200" ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "counter": null
+    },
+    {
+        "masquerade": null
+    }
+]
+
+# iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } masquerade
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "state"
+                }
+            },
+	    "op": "in",
+            "right": [
+                "established",
+                "new"
+            ]
+        }
+    },
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        22,
+                        {
+                            "drop": null
+                        }
+                    ],
+                    [
+                        222,
+                        {
+                            "drop": null
+                        }
+                    ]
+                ]
+            }
+        }
+    },
+    {
+        "masquerade": null
+    }
+]
+
diff --git a/tests/py/ip6/masquerade.t.json.output b/tests/py/ip6/masquerade.t.json.output
new file mode 100644
index 0000000..31d0cd9
--- /dev/null
+++ b/tests/py/ip6/masquerade.t.json.output
@@ -0,0 +1,98 @@
+# udp dport 53 masquerade persistent,random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade persistent,random,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "random",
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade persistent,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 masquerade persistent,fully-random,random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "masquerade": {
+            "flags": [
+                "random",
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
diff --git a/tests/py/ip6/masquerade.t.payload.ip6 b/tests/py/ip6/masquerade.t.payload.ip6
new file mode 100644
index 0000000..43ae2ae
--- /dev/null
+++ b/tests/py/ip6/masquerade.t.payload.ip6
@@ -0,0 +1,142 @@
+# udp dport 53 masquerade
+ip6 test-ip6 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq ]
+
+# udp dport 53 masquerade random
+ip6 test-ip6 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x4 ]
+
+# udp dport 53 masquerade random,persistent
+ip6 test-ip6 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0xc ]
+
+# udp dport 53 masquerade random,persistent,fully-random
+ip6 test-ip6 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x1c ]
+
+# udp dport 53 masquerade random,fully-random
+ip6 test-ip6 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x14 ]
+
+# udp dport 53 masquerade random,fully-random,persistent
+ip6 test-ip6 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x1c ]
+
+# udp dport 53 masquerade persistent
+ip6 test-ip6 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x8 ]
+
+# udp dport 53 masquerade persistent,random
+ip6 test-ip6 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0xc ]
+
+# udp dport 53 masquerade persistent,random,fully-random
+ip6 test-ip6 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x1c ]
+
+# udp dport 53 masquerade persistent,fully-random
+ip6 test-ip6 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x18 ]
+
+# udp dport 53 masquerade persistent,fully-random,random
+ip6 test-ip6 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ masq flags 0x1c ]
+
+# tcp dport { 1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000100  : 0 [end]	element 00000200  : 0 [end]	element 00000300  : 0 [end]	element 00000400  : 0 [end]	element 00000500  : 0 [end]	element 00000600  : 0 [end]	element 00000700  : 0 [end]	element 00000800  : 0 [end]	element 00006500  : 0 [end]	element 0000ca00  : 0 [end]	element 00002f01  : 0 [end]	element 0000e903  : 0 [end]	element 0000d207  : 0 [end]	element 0000bb0b  : 0 [end]
+ip6 test-ip6 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ masq ]
+
+# ip6 daddr fe00::1-fe00::200 udp dport 53 counter masquerade
+ip6 test-ip6 postrouting
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ cmp gte reg 1 0x000000fe 0x00000000 0x00000000 0x01000000 ]
+  [ cmp lte reg 1 0x000000fe 0x00000000 0x00000000 0x00020000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ counter pkts 0 bytes 0 ]
+  [ masq ]
+
+# iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } masquerade
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 00001600  : drop 0 [end]	element 0000de00  : drop 0 [end]
+ip6 test-ip6 postrouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ ct load state => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000a ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ masq ]
+
+# meta l4proto 6 masquerade to :1024
+ip6 test-ip6 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x00000004 ]
+  [ masq proto_min reg 1 flags 0x2 ]
+
+# meta l4proto 6 masquerade to :1024-2048
+ip6 test-ip6 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x00000004 ]
+  [ immediate reg 2 0x00000008 ]
+  [ masq proto_min reg 1 proto_max reg 2 flags 0x2 ]
+
diff --git a/tests/py/ip6/meta.t b/tests/py/ip6/meta.t
new file mode 100644
index 0000000..c177b08
--- /dev/null
+++ b/tests/py/ip6/meta.t
@@ -0,0 +1,19 @@
+:input;type filter hook input priority 0
+
+*ip6;test-ip6;input
+
+icmpv6 type nd-router-advert;ok
+meta l4proto ipv6-icmp icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-advert
+
+meta l4proto icmp icmp type echo-request;ok;icmp type echo-request
+meta l4proto 1 icmp type echo-request;ok;icmp type echo-request
+icmp type echo-request;ok
+
+meta protocol ip udp dport 67;ok
+meta protocol ip6 udp dport 67;ok;udp dport 67
+
+meta sdif "lo" accept;ok
+meta sdifname != "vrf1" accept;ok
+
+meta mark set ip6 dscp << 2 | 0x10;ok
+meta mark set ip6 dscp << 26 | 0x10;ok
diff --git a/tests/py/ip6/meta.t.json b/tests/py/ip6/meta.t.json
new file mode 100644
index 0000000..1a2394d
--- /dev/null
+++ b/tests/py/ip6/meta.t.json
@@ -0,0 +1,313 @@
+# icmpv6 type nd-router-advert
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "nd-router-advert"
+        }
+    }
+]
+
+# meta l4proto ipv6-icmp icmpv6 type nd-router-advert
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+	    "op": "==",
+            "right": "ipv6-icmp"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "nd-router-advert"
+        }
+    }
+]
+
+# meta l4proto icmp icmp type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+	    "op": "==",
+            "right": "icmp"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# meta l4proto 1 icmp type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "l4proto" }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# icmp type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# meta sdif "lo" accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "sdif"
+                }
+            },
+            "op": "==",
+            "right": "lo"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta sdifname != "vrf1" accept
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "sdifname"
+                }
+            },
+            "op": "!=",
+            "right": "vrf1"
+        }
+    },
+    {
+        "accept": null
+    }
+]
+
+# meta protocol ip udp dport 67
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "protocol"
+                }
+            },
+            "op": "==",
+            "right": "ip"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 67
+        }
+    }
+]
+
+# meta protocol ip6 udp dport 67
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "protocol"
+                }
+            },
+            "op": "==",
+            "right": "ip6"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 67
+        }
+    }
+]
+
+# meta mark set ip6 dscp lshift 2 or 0x10
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "<<": [
+                            {
+                                "payload": {
+                                    "field": "dscp",
+                                    "protocol": "ip6"
+                                }
+                            },
+                            2
+                        ]
+                    },
+                    16
+                ]
+            }
+        }
+    }
+]
+
+# meta mark set ip6 dscp lshift 26 or 0x10
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "<<": [
+                            {
+                                "payload": {
+                                    "field": "dscp",
+                                    "protocol": "ip6"
+                                }
+                            },
+                            26
+                        ]
+                    },
+                    16
+                ]
+            }
+        }
+    }
+]
+
+# meta mark set ip6 dscp << 2 | 0x10
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "<<": [
+                            {
+                                "payload": {
+                                    "field": "dscp",
+                                    "protocol": "ip6"
+                                }
+                            },
+                            2
+                        ]
+                    },
+                    16
+                ]
+            }
+        }
+    }
+]
+
+# meta mark set ip6 dscp << 26 | 0x10
+[
+    {
+        "mangle": {
+            "key": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "value": {
+                "|": [
+                    {
+                        "<<": [
+                            {
+                                "payload": {
+                                    "field": "dscp",
+                                    "protocol": "ip6"
+                                }
+                            },
+                            26
+                        ]
+                    },
+                    16
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip6/meta.t.json.output b/tests/py/ip6/meta.t.json.output
new file mode 100644
index 0000000..61adf18
--- /dev/null
+++ b/tests/py/ip6/meta.t.json.output
@@ -0,0 +1,64 @@
+# meta l4proto ipv6-icmp icmpv6 type nd-router-advert
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmpv6"
+                }
+            },
+	    "op": "==",
+            "right": "nd-router-advert"
+        }
+    }
+]
+
+# meta l4proto icmp icmp type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# meta l4proto 1 icmp type echo-request
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "icmp"
+                }
+            },
+	    "op": "==",
+            "right": "echo-request"
+        }
+    }
+]
+
+# meta protocol ip6 udp dport 67
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+            "op": "==",
+            "right": 67
+        }
+    }
+]
+
diff --git a/tests/py/ip6/meta.t.payload b/tests/py/ip6/meta.t.payload
new file mode 100644
index 0000000..6a37f1d
--- /dev/null
+++ b/tests/py/ip6/meta.t.payload
@@ -0,0 +1,82 @@
+# icmpv6 type nd-router-advert
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000086 ]
+
+# meta l4proto ipv6-icmp icmpv6 type nd-router-advert
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000086 ]
+
+# meta l4proto icmp icmp type echo-request
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# meta l4proto 1 icmp type echo-request
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# icmp type echo-request
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+
+# meta sdif "lo" accept
+ip6 test-ip6 input
+  [ meta load sdif => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ immediate reg 0 accept ]
+
+# meta sdifname != "vrf1" accept
+ip6 test-ip6 input
+  [ meta load sdifname => reg 1 ]
+  [ cmp neq reg 1 0x31667276 0x00000000 0x00000000 0x00000000 ]
+  [ immediate reg 0 accept ]
+
+# meta protocol ip udp dport 67
+ip6 test-ip6 input
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00004300 ]
+
+# meta protocol ip6 udp dport 67
+ip6 test-ip6 input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00004300 ]
+
+# meta mark set ip6 dscp << 2 | 0x10
+ip6 test-ip6 input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+  [ bitwise reg 1 = ( reg 1 << 0x00000002 ) ]
+  [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ]
+  [ meta set mark with reg 1 ]
+
+# meta mark set ip6 dscp << 26 | 0x10
+ip6 test-ip6 input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+  [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+  [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+  [ bitwise reg 1 = ( reg 1 << 0x0000001a ) ]
+  [ bitwise reg 1 = ( reg 1 & 0xffffffef ) ^ 0x00000010 ]
+  [ meta set mark with reg 1 ]
diff --git a/tests/py/ip6/mh.t b/tests/py/ip6/mh.t
new file mode 100644
index 0000000..46f4ba0
--- /dev/null
+++ b/tests/py/ip6/mh.t
@@ -0,0 +1,42 @@
+:input;type filter hook input priority 0
+
+*ip6;test-ip6;input
+*inet;test-inet;input
+
+mh nexthdr 1;ok
+mh nexthdr != 1;ok
+mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp };ok;mh nexthdr { 58, 17, 108, 6, 51, 136, 50, 132, 33}
+mh nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp };ok;mh nexthdr != { 58, 17, 108, 6, 51, 136, 50, 132, 33}
+mh nexthdr icmp;ok;mh nexthdr 1
+mh nexthdr != icmp;ok;mh nexthdr != 1
+mh nexthdr 22;ok
+mh nexthdr != 233;ok
+mh nexthdr 33-45;ok
+mh nexthdr != 33-45;ok
+mh nexthdr { 33, 55, 67, 88 };ok
+mh nexthdr != { 33, 55, 67, 88 };ok
+
+mh hdrlength 22;ok
+mh hdrlength != 233;ok
+mh hdrlength 33-45;ok
+mh hdrlength != 33-45;ok
+mh hdrlength { 33, 55, 67, 88 };ok
+mh hdrlength != { 33, 55, 67, 88 };ok
+
+mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message};ok
+mh type home-agent-switch-message;ok
+mh type != home-agent-switch-message;ok
+
+mh reserved 22;ok
+mh reserved != 233;ok
+mh reserved 33-45;ok
+mh reserved != 33-45;ok
+mh reserved { 33, 55, 67, 88};ok
+mh reserved != { 33, 55, 67, 88};ok
+
+mh checksum 22;ok
+mh checksum != 233;ok
+mh checksum 33-45;ok
+mh checksum != 33-45;ok
+mh checksum { 33, 55, 67, 88};ok
+mh checksum != { 33, 55, 67, 88};ok
diff --git a/tests/py/ip6/mh.t.json b/tests/py/ip6/mh.t.json
new file mode 100644
index 0000000..3159b14
--- /dev/null
+++ b/tests/py/ip6/mh.t.json
@@ -0,0 +1,640 @@
+# mh nexthdr 1
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# mh nexthdr != 1
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "mh"
+                }
+            },
+            "op": "!=",
+            "right": 1
+        }
+    }
+]
+
+# mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "udplite",
+                    "ipcomp",
+                    "udp",
+                    "ah",
+                    "sctp",
+                    "esp",
+                    "dccp",
+                    "tcp",
+                    "ipv6-icmp"
+                ]
+            }
+        }
+    }
+]
+
+# mh nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "mh"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "udplite",
+                    "ipcomp",
+                    "udp",
+                    "ah",
+                    "sctp",
+                    "esp",
+                    "dccp",
+                    "tcp",
+                    "ipv6-icmp"
+                ]
+            }
+        }
+    }
+]
+
+# mh nexthdr icmp
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": "icmp"
+        }
+    }
+]
+
+# mh nexthdr != icmp
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "mh"
+                }
+            },
+            "op": "!=",
+            "right": "icmp"
+        }
+    }
+]
+
+# mh nexthdr 22
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# mh nexthdr != 233
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "mh"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# mh nexthdr 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# mh nexthdr != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "mh"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# mh nexthdr { 33, 55, 67, 88 }
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# mh nexthdr != { 33, 55, 67, 88 }
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "mh"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# mh hdrlength 22
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# mh hdrlength != 233
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "mh"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# mh hdrlength 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# mh hdrlength != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "mh"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# mh hdrlength { 33, 55, 67, 88 }
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# mh hdrlength != { 33, 55, 67, 88 }
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "mh"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "type",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "binding-refresh-request",
+                    "home-test-init",
+                    "careof-test-init",
+                    "home-test",
+                    "careof-test",
+                    "binding-update",
+                    "binding-acknowledgement",
+                    "binding-error",
+                    "fast-binding-update",
+                    "fast-binding-acknowledgement",
+                    "fast-binding-advertisement",
+                    "experimental-mobility-header",
+                    "home-agent-switch-message"
+                ]
+            }
+        }
+    }
+]
+
+# mh type home-agent-switch-message
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "type",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": "home-agent-switch-message"
+        }
+    }
+]
+
+# mh type != home-agent-switch-message
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "type",
+                    "name": "mh"
+                }
+            },
+            "op": "!=",
+            "right": "home-agent-switch-message"
+        }
+    }
+]
+
+# mh reserved 22
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "reserved",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# mh reserved != 233
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "reserved",
+                    "name": "mh"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# mh reserved 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "reserved",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# mh reserved != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "reserved",
+                    "name": "mh"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# mh reserved { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "reserved",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# mh reserved != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "reserved",
+                    "name": "mh"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# mh checksum 22
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "checksum",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# mh checksum != 233
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "checksum",
+                    "name": "mh"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# mh checksum 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "checksum",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# mh checksum != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "checksum",
+                    "name": "mh"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# mh checksum { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "checksum",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# mh checksum != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "checksum",
+                    "name": "mh"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip6/mh.t.json.output b/tests/py/ip6/mh.t.json.output
new file mode 100644
index 0000000..a851804
--- /dev/null
+++ b/tests/py/ip6/mh.t.json.output
@@ -0,0 +1,88 @@
+# mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    6,
+                    17,
+                    33,
+                    50,
+                    51,
+                    58,
+                    108,
+                    132,
+                    136
+                ]
+            }
+        }
+    }
+]
+
+# mh nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "mh"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    6,
+                    17,
+                    33,
+                    50,
+                    51,
+                    58,
+                    108,
+                    132,
+                    136
+                ]
+            }
+        }
+    }
+]
+
+# mh nexthdr icmp
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "mh"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# mh nexthdr != icmp
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "mh"
+                }
+            },
+            "op": "!=",
+            "right": 1
+        }
+    }
+]
+
diff --git a/tests/py/ip6/mh.t.payload.inet b/tests/py/ip6/mh.t.payload.inet
new file mode 100644
index 0000000..54eaa70
--- /dev/null
+++ b/tests/py/ip6/mh.t.payload.inet
@@ -0,0 +1,267 @@
+# mh nexthdr 1
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# mh nexthdr != 1
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000088  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 00000084  : 0 [end]	element 00000032  : 0 [end]	element 00000021  : 0 [end]	element 00000006  : 0 [end]	element 0000003a  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# mh nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000088  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 00000084  : 0 [end]	element 00000032  : 0 [end]	element 00000021  : 0 [end]	element 00000006  : 0 [end]	element 0000003a  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# mh nexthdr icmp
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# mh nexthdr != icmp
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# mh nexthdr 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# mh nexthdr != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# mh nexthdr 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# mh nexthdr != 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# mh nexthdr { 33, 55, 67, 88 }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# mh nexthdr != { 33, 55, 67, 88 }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# mh hdrlength 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# mh hdrlength != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# mh hdrlength 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# mh hdrlength != 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# mh hdrlength { 33, 55, 67, 88 }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# mh hdrlength != { 33, 55, 67, 88 }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000000  : 0 [end]	element 00000001  : 0 [end]	element 00000002  : 0 [end]	element 00000003  : 0 [end]	element 00000004  : 0 [end]	element 00000005  : 0 [end]	element 00000006  : 0 [end]	element 00000007  : 0 [end]	element 00000008  : 0 [end]	element 00000009  : 0 [end]	element 0000000a  : 0 [end]	element 0000000b  : 0 [end]	element 0000000c  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# mh type home-agent-switch-message
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000000c ]
+
+# mh type != home-agent-switch-message
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 2 => reg 1 ]
+  [ cmp neq reg 1 0x0000000c ]
+
+# mh reserved 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# mh reserved != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# mh reserved 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# mh reserved != 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# mh reserved { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# mh reserved != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# mh checksum 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# mh checksum != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# mh checksum 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# mh checksum != 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# mh checksum { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# mh checksum != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
diff --git a/tests/py/ip6/mh.t.payload.ip6 b/tests/py/ip6/mh.t.payload.ip6
new file mode 100644
index 0000000..73bd422
--- /dev/null
+++ b/tests/py/ip6/mh.t.payload.ip6
@@ -0,0 +1,201 @@
+# mh nexthdr 1
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# mh nexthdr != 1
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000088  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 00000084  : 0 [end]	element 00000032  : 0 [end]	element 00000021  : 0 [end]	element 00000006  : 0 [end]	element 0000003a  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# mh nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000088  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 00000084  : 0 [end]	element 00000032  : 0 [end]	element 00000021  : 0 [end]	element 00000006  : 0 [end]	element 0000003a  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# mh nexthdr icmp
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# mh nexthdr != icmp
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# mh nexthdr 22
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# mh nexthdr != 233
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# mh nexthdr 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# mh nexthdr != 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# mh nexthdr { 33, 55, 67, 88 }
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# mh nexthdr != { 33, 55, 67, 88 }
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# mh hdrlength 22
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# mh hdrlength != 233
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# mh hdrlength 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# mh hdrlength != 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# mh hdrlength { 33, 55, 67, 88 }
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# mh hdrlength != { 33, 55, 67, 88 }
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000000  : 0 [end]	element 00000001  : 0 [end]	element 00000002  : 0 [end]	element 00000003  : 0 [end]	element 00000004  : 0 [end]	element 00000005  : 0 [end]	element 00000006  : 0 [end]	element 00000007  : 0 [end]	element 00000008  : 0 [end]	element 00000009  : 0 [end]	element 0000000a  : 0 [end]	element 0000000b  : 0 [end]	element 0000000c  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# mh type home-agent-switch-message
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000000c ]
+
+# mh type != home-agent-switch-message
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 2 => reg 1 ]
+  [ cmp neq reg 1 0x0000000c ]
+
+# mh reserved 22
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# mh reserved != 233
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# mh reserved 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# mh reserved != 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# mh reserved { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# mh reserved != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# mh checksum 22
+ip6 test-ip6 input
+  [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00001600 ]
+
+# mh checksum != 233
+ip6 test-ip6 input
+  [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
+  [ cmp neq reg 1 0x0000e900 ]
+
+# mh checksum 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
+  [ cmp gte reg 1 0x00002100 ]
+  [ cmp lte reg 1 0x00002d00 ]
+
+# mh checksum != 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
+  [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# mh checksum { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# mh checksum != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
diff --git a/tests/py/ip6/redirect.t b/tests/py/ip6/redirect.t
new file mode 100644
index 0000000..70ef7f9
--- /dev/null
+++ b/tests/py/ip6/redirect.t
@@ -0,0 +1,49 @@
+:output;type nat hook output priority 0
+
+*ip6;test-ip6;output
+
+# with no arguments
+redirect;ok
+udp dport 954 redirect;ok
+ip6 saddr fe00::cafe counter redirect;ok
+
+# nf_nat flags combination
+udp dport 53 redirect random;ok
+udp dport 53 redirect random,persistent;ok
+udp dport 53 redirect random,persistent,fully-random;ok;udp dport 53 redirect random,fully-random,persistent
+udp dport 53 redirect random,fully-random;ok
+udp dport 53 redirect random,fully-random,persistent;ok
+udp dport 53 redirect persistent;ok
+udp dport 53 redirect persistent,random;ok;udp dport 53 redirect random,persistent
+udp dport 53 redirect persistent,random,fully-random;ok;udp dport 53 redirect random,fully-random,persistent
+udp dport 53 redirect persistent,fully-random;ok;udp dport 53 redirect fully-random,persistent
+udp dport 53 redirect persistent,fully-random,random;ok;udp dport 53 redirect random,fully-random,persistent
+
+# port specification
+udp dport 1234 redirect to :1234;ok
+ip6 daddr fe00::cafe udp dport 9998 redirect to :6515;ok
+ip6 nexthdr tcp redirect to :100-200;ok;ip6 nexthdr 6 redirect to :100-200
+tcp dport 39128 redirect to :993;ok
+redirect to :1234;fail
+redirect to :12341111;fail
+
+# both port and nf_nat flags
+tcp dport 9128 redirect to :993 random;ok
+tcp dport 9128 redirect to :993 fully-random,persistent;ok
+
+# nf_nat flags are the last argument
+tcp dport 9128 redirect persistent to 123;fail
+tcp dport 9128 redirect random,persistent to 123;fail
+
+# redirect is a terminal statement
+tcp dport 22 redirect counter packets 0 bytes 0 accept;fail
+tcp sport 22 redirect accept;fail
+ip6 saddr ::1 redirect drop;fail
+
+# redirect with sets
+tcp dport { 1, 2, 3, 4, 5, 6, 7, 8, 101, 202, 303, 1001, 2002, 3003} redirect;ok
+ip6 daddr fe00::1-fe00::200 udp dport 53 counter redirect;ok
+iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect;ok
+
+# redirect with maps
+redirect to :tcp dport map { 22 : 8000, 80 : 8080};ok
diff --git a/tests/py/ip6/redirect.t.json b/tests/py/ip6/redirect.t.json
new file mode 100644
index 0000000..c18223f
--- /dev/null
+++ b/tests/py/ip6/redirect.t.json
@@ -0,0 +1,589 @@
+# redirect
+[
+    {
+        "redirect": null
+    }
+]
+
+# udp dport 954 redirect
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 954
+        }
+    },
+    {
+        "redirect": null
+    }
+]
+
+# ip6 saddr fe00::cafe counter redirect
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "fe00::cafe"
+        }
+    },
+    {
+        "counter": null
+    },
+    {
+        "redirect": null
+    }
+]
+
+# udp dport 53 redirect random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": "random"
+        }
+    }
+]
+
+# udp dport 53 redirect random,persistent
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect random,persistent,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "random",
+                "persistent",
+                "fully-random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect random,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "random",
+                "fully-random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect random,fully-random,persistent
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "random",
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect persistent
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": "persistent"
+        }
+    }
+]
+
+# udp dport 53 redirect persistent,random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "persistent",
+                "random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect persistent,random,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "persistent",
+                "random",
+                "fully-random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect persistent,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "persistent",
+                "fully-random"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect persistent,fully-random,random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "persistent",
+                "fully-random",
+                "random"
+            ]
+        }
+    }
+]
+
+# udp dport 1234 redirect to :1234
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 1234
+        }
+    },
+    {
+        "redirect": {
+            "port": 1234
+        }
+    }
+]
+
+# ip6 daddr fe00::cafe udp dport 9998 redirect to :6515
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "fe00::cafe"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 9998
+        }
+    },
+    {
+        "redirect": {
+            "port": 6515
+        }
+    }
+]
+
+# ip6 nexthdr tcp redirect to :100-200
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "tcp"
+        }
+    },
+    {
+        "redirect": {
+            "port": {
+                "range": [ 100, 200 ]
+            }
+        }
+    }
+]
+
+# tcp dport 39128 redirect to :993
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 39128
+        }
+    },
+    {
+        "redirect": {
+            "port": 993
+        }
+    }
+]
+
+# tcp dport 9128 redirect to :993 random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 9128
+        }
+    },
+    {
+        "redirect": {
+            "flags": "random",
+            "port": 993
+        }
+    }
+]
+
+# tcp dport 9128 redirect to :993 fully-random,persistent
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": 9128
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "fully-random",
+                "persistent"
+            ],
+            "port": 993
+        }
+    }
+]
+
+# tcp dport { 1, 2, 3, 4, 5, 6, 7, 8, 101, 202, 303, 1001, 2002, 3003} redirect
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    1,
+                    2,
+                    3,
+                    4,
+                    5,
+                    6,
+                    7,
+                    8,
+                    101,
+                    202,
+                    303,
+                    1001,
+                    2002,
+                    3003
+                ]
+            }
+        }
+    },
+    {
+        "redirect": null
+    }
+]
+
+# ip6 daddr fe00::1-fe00::200 udp dport 53 counter redirect
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "daddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ "fe00::1", "fe00::200" ]
+            }
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "counter": null
+    },
+    {
+        "redirect": null
+    }
+]
+
+# iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "iifname" }
+            },
+	    "op": "==",
+            "right": "eth0"
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "ct": {
+                    "key": "state"
+                }
+            },
+	    "op": "in",
+            "right": [
+                "established",
+                "new"
+            ]
+        }
+    },
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        22,
+                        {
+                            "drop": null
+                        }
+                    ],
+                    [
+                        222,
+                        {
+                            "drop": null
+                        }
+                    ]
+                ]
+            }
+        }
+    },
+    {
+        "redirect": null
+    }
+]
+
+# redirect to :tcp dport map { 22 : 8000, 80 : 8080}
+[
+    {
+        "redirect": {
+            "port": {
+                "map": {
+                    "key": {
+                        "payload": {
+                            "field": "dport",
+                            "protocol": "tcp"
+                        }
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                22,
+                                8000
+                            ],
+                            [
+                                80,
+                                8080
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip6/redirect.t.json.output b/tests/py/ip6/redirect.t.json.output
new file mode 100644
index 0000000..0174cc7
--- /dev/null
+++ b/tests/py/ip6/redirect.t.json.output
@@ -0,0 +1,146 @@
+# udp dport 53 redirect random,persistent,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "random",
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect persistent,random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect persistent,random,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "random",
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect persistent,fully-random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# udp dport 53 redirect persistent,fully-random,random
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "udp"
+                }
+            },
+	    "op": "==",
+            "right": 53
+        }
+    },
+    {
+        "redirect": {
+            "flags": [
+                "random",
+                "fully-random",
+                "persistent"
+            ]
+        }
+    }
+]
+
+# ip6 nexthdr tcp redirect to :100-200
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "nexthdr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "redirect": {
+            "port": {
+                "range": [ 100, 200 ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip6/redirect.t.payload.ip6 b/tests/py/ip6/redirect.t.payload.ip6
new file mode 100644
index 0000000..cfc2901
--- /dev/null
+++ b/tests/py/ip6/redirect.t.payload.ip6
@@ -0,0 +1,204 @@
+# redirect
+ip6 test-ip6 output
+  [ redir ]
+
+# udp dport 954 redirect
+ip6 test-ip6 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000ba03 ]
+  [ redir ]
+
+# ip6 saddr fe00::cafe counter redirect
+ip6 test-ip6 output
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ cmp eq reg 1 0x000000fe 0x00000000 0x00000000 0xfeca0000 ]
+  [ counter pkts 0 bytes 0 ]
+  [ redir ]
+
+# udp dport 53 redirect random
+ip6 test-ip6 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0x4 ]
+
+# udp dport 53 redirect random,persistent
+ip6 test-ip6 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0xc ]
+
+# udp dport 53 redirect random,persistent,fully-random
+ip6 test-ip6 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0x1c ]
+
+# udp dport 53 redirect random,fully-random
+ip6 test-ip6 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0x14 ]
+
+# udp dport 53 redirect random,fully-random,persistent
+ip6 test-ip6 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0x1c ]
+
+# udp dport 53 redirect persistent
+ip6 test-ip6 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0x8 ]
+
+# udp dport 53 redirect persistent,random
+ip6 test-ip6 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0xc ]
+
+# udp dport 53 redirect persistent,random,fully-random
+ip6 test-ip6 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0x1c ]
+
+# udp dport 53 redirect persistent,fully-random
+ip6 test-ip6 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0x18 ]
+
+# udp dport 53 redirect persistent,fully-random,random
+ip6 test-ip6 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ redir flags 0x1c ]
+
+# udp dport 1234 redirect to :1234
+ip6 test-ip6 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000d204 ]
+  [ immediate reg 1 0x0000d204 ]
+  [ redir proto_min reg 1 flags 0x2 ]
+
+# ip6 daddr fe00::cafe udp dport 9998 redirect to :6515
+ip6 test-ip6 output
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ cmp eq reg 1 0x000000fe 0x00000000 0x00000000 0xfeca0000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00000e27 ]
+  [ immediate reg 1 0x00007319 ]
+  [ redir proto_min reg 1 flags 0x2 ]
+
+# ip6 nexthdr tcp redirect to :100-200
+ip6 test-ip6 output
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x00006400 ]
+  [ immediate reg 2 0x0000c800 ]
+  [ redir proto_min reg 1 proto_max reg 2 flags 0x2 ]
+
+# tcp dport 39128 redirect to :993
+ip6 test-ip6 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000d898 ]
+  [ immediate reg 1 0x0000e103 ]
+  [ redir proto_min reg 1 flags 0x2 ]
+
+# tcp dport 9128 redirect to :993 random
+ip6 test-ip6 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000a823 ]
+  [ immediate reg 1 0x0000e103 ]
+  [ redir proto_min reg 1 flags 0x6 ]
+
+# tcp dport 9128 redirect to :993 fully-random,persistent
+ip6 test-ip6 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x0000a823 ]
+  [ immediate reg 1 0x0000e103 ]
+  [ redir proto_min reg 1 flags 0x1a ]
+
+# tcp dport { 1, 2, 3, 4, 5, 6, 7, 8, 101, 202, 303, 1001, 2002, 3003} redirect
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000100  : 0 [end]	element 00000200  : 0 [end]	element 00000300  : 0 [end]	element 00000400  : 0 [end]	element 00000500  : 0 [end]	element 00000600  : 0 [end]	element 00000700  : 0 [end]	element 00000800  : 0 [end]	element 00006500  : 0 [end]	element 0000ca00  : 0 [end]	element 00002f01  : 0 [end]	element 0000e903  : 0 [end]	element 0000d207  : 0 [end]	element 0000bb0b  : 0 [end]
+ip6 test-ip6 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ redir ]
+
+# ip6 daddr fe00::1-fe00::200 udp dport 53 counter redirect
+ip6 test-ip6 output
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ cmp gte reg 1 0x000000fe 0x00000000 0x00000000 0x01000000 ]
+  [ cmp lte reg 1 0x000000fe 0x00000000 0x00000000 0x00020000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00003500 ]
+  [ counter pkts 0 bytes 0 ]
+  [ redir ]
+
+# iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } redirect
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 00001600  : drop 0 [end]	element 0000de00  : drop 0 [end]
+ip6 test-ip6 output
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ ct load state => reg 1 ]
+  [ bitwise reg 1 = ( reg 1 & 0x0000000a ) ^ 0x00000000 ]
+  [ cmp neq reg 1 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+  [ redir ]
+
+# redirect to :tcp dport map { 22 : 8000, 80 : 8080}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 00001600  : 0000401f 0 [end]	element 00005000  : 0000901f 0 [end]
+ip6 test-ip6 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ redir proto_min reg 1 flags 0x2 ]
+
diff --git a/tests/py/ip6/reject.t b/tests/py/ip6/reject.t
new file mode 100644
index 0000000..bfdd094
--- /dev/null
+++ b/tests/py/ip6/reject.t
@@ -0,0 +1,16 @@
+:output;type filter hook output priority 0
+
+*ip6;test-ip6;output
+
+reject;ok
+reject with icmpv6 no-route;ok
+reject with icmpv6 admin-prohibited;ok
+reject with icmpv6 addr-unreachable;ok
+reject with icmpv6 port-unreachable;ok;reject
+reject with icmpv6 policy-fail;ok
+reject with icmpv6 reject-route;ok
+reject with icmpv6 3;ok;reject with icmpv6 addr-unreachable
+mark 0x80000000 reject with tcp reset;ok;meta mark 0x80000000 reject with tcp reset
+
+reject with icmpv6 host-unreachable;fail
+reject with icmp host-unreachable;fail
diff --git a/tests/py/ip6/reject.t.json b/tests/py/ip6/reject.t.json
new file mode 100644
index 0000000..312a7da
--- /dev/null
+++ b/tests/py/ip6/reject.t.json
@@ -0,0 +1,95 @@
+# reject
+[
+    {
+        "reject": null
+    }
+]
+
+# reject with icmpv6 no-route
+[
+    {
+        "reject": {
+            "expr": "no-route",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 admin-prohibited
+[
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 addr-unreachable
+[
+    {
+        "reject": {
+            "expr": "addr-unreachable",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 port-unreachable
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 policy-fail
+[
+    {
+        "reject": {
+            "expr": "policy-fail",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 reject-route
+[
+    {
+        "reject": {
+            "expr": "reject-route",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 3
+[
+    {
+        "reject": {
+            "expr": "addr-unreachable",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# mark 0x80000000 reject with tcp reset
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "mark" }
+            },
+	    "op": "==",
+            "right": "0x80000000"
+        }
+    },
+    {
+        "reject": {
+            "type": "tcp reset"
+        }
+    }
+]
+
diff --git a/tests/py/ip6/reject.t.json.output b/tests/py/ip6/reject.t.json.output
new file mode 100644
index 0000000..04f12f5
--- /dev/null
+++ b/tests/py/ip6/reject.t.json.output
@@ -0,0 +1,28 @@
+# reject
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# mark 0x80000000 reject with tcp reset
+[
+    {
+        "match": {
+            "left": {
+                "meta": { "key": "mark" }
+            },
+	    "op": "==",
+            "right": 2147483648
+        }
+    },
+    {
+        "reject": {
+            "type": "tcp reset"
+        }
+    }
+]
+
diff --git a/tests/py/ip6/reject.t.payload.ip6 b/tests/py/ip6/reject.t.payload.ip6
new file mode 100644
index 0000000..3d4321b
--- /dev/null
+++ b/tests/py/ip6/reject.t.payload.ip6
@@ -0,0 +1,40 @@
+# reject
+ip6 test-ip6 output
+  [ reject type 0 code 4 ]
+
+# reject with icmpv6 no-route
+ip6 test-ip6 output
+  [ reject type 0 code 0 ]
+
+# reject with icmpv6 admin-prohibited
+ip6 test-ip6 output
+  [ reject type 0 code 1 ]
+
+# reject with icmpv6 addr-unreachable
+ip6 test-ip6 output
+  [ reject type 0 code 3 ]
+
+# reject with icmpv6 port-unreachable
+ip6 test-ip6 output
+  [ reject type 0 code 4 ]
+
+# reject with icmpv6 policy-fail
+ip6 test-ip6 output
+  [ reject type 0 code 5 ]
+
+# reject with icmpv6 reject-route
+ip6 test-ip6 output
+  [ reject type 0 code 6 ]
+
+# reject with icmpv6 3
+ip6 test-ip6 output
+  [ reject type 0 code 3 ]
+
+# mark 0x80000000 reject with tcp reset
+ip6 test-ip6 output
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ meta load mark => reg 1 ]
+  [ cmp eq reg 1 0x80000000 ]
+  [ reject type 1 code 0 ]
+
diff --git a/tests/py/ip6/rt.t b/tests/py/ip6/rt.t
new file mode 100644
index 0000000..c33d38a
--- /dev/null
+++ b/tests/py/ip6/rt.t
@@ -0,0 +1,38 @@
+:input;type filter hook input priority 0
+
+*ip6;test-ip6;input
+*inet;test-inet;input
+
+rt nexthdr 1;ok
+rt nexthdr != 1;ok
+rt nexthdr {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok;rt nexthdr { 33, 136, 50, 132, 51, 17, 108, 6, 58}
+rt nexthdr != {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok;rt nexthdr != { 33, 136, 50, 132, 51, 17, 108, 6, 58}
+rt nexthdr icmp;ok;rt nexthdr 1
+rt nexthdr != icmp;ok;rt nexthdr != 1
+rt nexthdr 22;ok
+rt nexthdr != 233;ok
+rt nexthdr 33-45;ok
+rt nexthdr != 33-45;ok
+rt nexthdr { 33, 55, 67, 88};ok
+rt nexthdr != { 33, 55, 67, 88};ok
+
+rt hdrlength 22;ok
+rt hdrlength != 233;ok
+rt hdrlength 33-45;ok
+rt hdrlength != 33-45;ok
+rt hdrlength { 33, 55, 67, 88};ok
+rt hdrlength != { 33, 55, 67, 88};ok
+
+rt type 22;ok
+rt type != 233;ok
+rt type 33-45;ok
+rt type != 33-45;ok
+rt type { 33, 55, 67, 88};ok
+rt type != { 33, 55, 67, 88};ok
+
+rt seg-left 22;ok
+rt seg-left != 233;ok
+rt seg-left 33-45;ok
+rt seg-left != 33-45;ok
+rt seg-left { 33, 55, 67, 88};ok
+rt seg-left != { 33, 55, 67, 88};ok
diff --git a/tests/py/ip6/rt.t.json b/tests/py/ip6/rt.t.json
new file mode 100644
index 0000000..b12873d
--- /dev/null
+++ b/tests/py/ip6/rt.t.json
@@ -0,0 +1,576 @@
+# rt nexthdr 1
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "rt"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# rt nexthdr != 1
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "rt"
+                }
+            },
+            "op": "!=",
+            "right": 1
+        }
+    }
+]
+
+# rt nexthdr {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "rt"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    "udplite",
+                    "ipcomp",
+                    "udp",
+                    "ah",
+                    "sctp",
+                    "esp",
+                    "dccp",
+                    "tcp",
+                    "ipv6-icmp"
+                ]
+            }
+        }
+    }
+]
+
+# rt nexthdr != {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "rt"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    "udplite",
+                    "ipcomp",
+                    "udp",
+                    "ah",
+                    "sctp",
+                    "esp",
+                    "dccp",
+                    "tcp",
+                    "ipv6-icmp"
+                ]
+            }
+        }
+    }
+]
+
+# rt nexthdr icmp
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "rt"
+                }
+            },
+	    "op": "==",
+            "right": "icmp"
+        }
+    }
+]
+
+# rt nexthdr != icmp
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "rt"
+                }
+            },
+            "op": "!=",
+            "right": "icmp"
+        }
+    }
+]
+
+# rt nexthdr 22
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "rt"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# rt nexthdr != 233
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "rt"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# rt nexthdr 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "rt"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# rt nexthdr != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "rt"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# rt nexthdr { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "rt"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# rt nexthdr != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "rt"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# rt hdrlength 22
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "rt"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# rt hdrlength != 233
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "rt"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# rt hdrlength 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "rt"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# rt hdrlength != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "rt"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# rt hdrlength { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "rt"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# rt hdrlength != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "hdrlength",
+                    "name": "rt"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# rt type 22
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "type",
+                    "name": "rt"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# rt type != 233
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "type",
+                    "name": "rt"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# rt type 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "type",
+                    "name": "rt"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# rt type != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "type",
+                    "name": "rt"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# rt type { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "type",
+                    "name": "rt"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# rt type != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "type",
+                    "name": "rt"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# rt seg-left 22
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "seg-left",
+                    "name": "rt"
+                }
+            },
+	    "op": "==",
+            "right": 22
+        }
+    }
+]
+
+# rt seg-left != 233
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "seg-left",
+                    "name": "rt"
+                }
+            },
+            "op": "!=",
+            "right": 233
+        }
+    }
+]
+
+# rt seg-left 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "seg-left",
+                    "name": "rt"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# rt seg-left != 33-45
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "seg-left",
+                    "name": "rt"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "range": [ 33, 45 ]
+            }
+        }
+    }
+]
+
+# rt seg-left { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "seg-left",
+                    "name": "rt"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
+# rt seg-left != { 33, 55, 67, 88}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "seg-left",
+                    "name": "rt"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    33,
+                    55,
+                    67,
+                    88
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip6/rt.t.json.output b/tests/py/ip6/rt.t.json.output
new file mode 100644
index 0000000..be5db0e
--- /dev/null
+++ b/tests/py/ip6/rt.t.json.output
@@ -0,0 +1,88 @@
+# rt nexthdr {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "rt"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    6,
+                    17,
+                    33,
+                    50,
+                    51,
+                    58,
+                    108,
+                    132,
+                    136
+                ]
+            }
+        }
+    }
+]
+
+# rt nexthdr != {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "rt"
+                }
+            },
+            "op": "!=",
+            "right": {
+                "set": [
+                    6,
+                    17,
+                    33,
+                    50,
+                    51,
+                    58,
+                    108,
+                    132,
+                    136
+                ]
+            }
+        }
+    }
+]
+
+# rt nexthdr icmp
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "rt"
+                }
+            },
+	    "op": "==",
+            "right": 1
+        }
+    }
+]
+
+# rt nexthdr != icmp
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "nexthdr",
+                    "name": "rt"
+                }
+            },
+            "op": "!=",
+            "right": 1
+        }
+    }
+]
+
diff --git a/tests/py/ip6/rt.t.payload.inet b/tests/py/ip6/rt.t.payload.inet
new file mode 100644
index 0000000..864d311
--- /dev/null
+++ b/tests/py/ip6/rt.t.payload.inet
@@ -0,0 +1,244 @@
+# rt nexthdr 1
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# rt nexthdr != 1
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# rt nexthdr {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000088  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 00000084  : 0 [end]	element 00000032  : 0 [end]	element 00000021  : 0 [end]	element 00000006  : 0 [end]	element 0000003a  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# rt nexthdr != {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000088  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 00000084  : 0 [end]	element 00000032  : 0 [end]	element 00000021  : 0 [end]	element 00000006  : 0 [end]	element 0000003a  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# rt nexthdr icmp
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# rt nexthdr != icmp
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# rt nexthdr 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# rt nexthdr != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# rt nexthdr 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# rt nexthdr != 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# rt nexthdr { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# rt nexthdr != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# rt hdrlength 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# rt hdrlength != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# rt hdrlength 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# rt hdrlength != 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# rt hdrlength { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# rt hdrlength != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# rt type 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# rt type != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# rt type 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# rt type != 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# rt type { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# rt type != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# rt seg-left 22
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# rt seg-left != 233
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# rt seg-left 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# rt seg-left != 33-45
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# rt seg-left { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# rt seg-left != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/ip6/rt.t.payload.ip6 b/tests/py/ip6/rt.t.payload.ip6
new file mode 100644
index 0000000..c7b52f8
--- /dev/null
+++ b/tests/py/ip6/rt.t.payload.ip6
@@ -0,0 +1,184 @@
+# rt nexthdr 1
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# rt nexthdr != 1
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# rt nexthdr {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000088  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 00000084  : 0 [end]	element 00000032  : 0 [end]	element 00000021  : 0 [end]	element 00000006  : 0 [end]	element 0000003a  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# rt nexthdr != {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000088  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 00000084  : 0 [end]	element 00000032  : 0 [end]	element 00000021  : 0 [end]	element 00000006  : 0 [end]	element 0000003a  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# rt nexthdr icmp
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# rt nexthdr != icmp
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x00000001 ]
+
+# rt nexthdr 22
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# rt nexthdr != 233
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# rt nexthdr 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# rt nexthdr != 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# rt nexthdr { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# rt nexthdr != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# rt hdrlength 22
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# rt hdrlength != 233
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# rt hdrlength 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# rt hdrlength != 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# rt hdrlength { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# rt hdrlength != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# rt type 22
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# rt type != 233
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# rt type 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# rt type != 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# rt type { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# rt type != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# rt seg-left 22
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
+  [ cmp eq reg 1 0x00000016 ]
+
+# rt seg-left != 233
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
+  [ cmp neq reg 1 0x000000e9 ]
+
+# rt seg-left 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
+  [ cmp gte reg 1 0x00000021 ]
+  [ cmp lte reg 1 0x0000002d ]
+
+# rt seg-left != 33-45
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
+  [ range neq reg 1 0x00000021 0x0000002d ]
+
+# rt seg-left { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# rt seg-left != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/ip6/rt0.t b/tests/py/ip6/rt0.t
new file mode 100644
index 0000000..1d50a89
--- /dev/null
+++ b/tests/py/ip6/rt0.t
@@ -0,0 +1,6 @@
+:output;type filter hook input priority 0
+
+*ip6;test-ip6;output
+
+rt nexthop 192.168.0.1;fail
+rt nexthop fd00::1;ok;rt ip6 nexthop fd00::1
diff --git a/tests/py/ip6/rt0.t.json b/tests/py/ip6/rt0.t.json
new file mode 100644
index 0000000..75ff923
--- /dev/null
+++ b/tests/py/ip6/rt0.t.json
@@ -0,0 +1,16 @@
+# rt nexthop fd00::1
+[
+    {
+        "match": {
+            "left": {
+                "rt": {
+                    "family": "ip6",
+                    "key": "nexthop"
+                }
+            },
+	    "op": "==",
+            "right": "fd00::1"
+        }
+    }
+]
+
diff --git a/tests/py/ip6/rt0.t.payload b/tests/py/ip6/rt0.t.payload
new file mode 100644
index 0000000..464b7f2
--- /dev/null
+++ b/tests/py/ip6/rt0.t.payload
@@ -0,0 +1,5 @@
+# rt nexthop fd00::1
+ip6 test-ip6 output
+  [ rt load nexthop6 => reg 1 ]
+  [ cmp eq reg 1 0x000000fd 0x00000000 0x00000000 0x01000000 ]
+
diff --git a/tests/py/ip6/sets.t b/tests/py/ip6/sets.t
new file mode 100644
index 0000000..17fd62f
--- /dev/null
+++ b/tests/py/ip6/sets.t
@@ -0,0 +1,48 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+!w type ipv6_addr;ok
+!x type inet_proto;ok
+!y type inet_service;ok
+!z type time;ok
+
+?set2 192.168.3.4;fail
+!set2 type ipv6_addr;ok
+?set2 1234:1234::1234:1234:1234:1234:1234;ok
+?set2 1234:1234::1234:1234:1234:1234:1234;ok
+?set2 1234::1234:1234:1234;ok
+?set2 1234:1234:1234:1234:1234::1234:1234, 1234:1234::123;ok
+?set2 192.168.3.8, 192.168.3.9;fail
+?set2 1234:1234::1234:1234:1234:1234;ok
+?set2 1234:1234::1234:1234:1234:1234;ok
+?set2 1234:1234:1234::1234;ok
+
+ip6 saddr @set2 drop;ok
+ip6 saddr != @set2 drop;ok
+ip6 saddr @set33 drop;fail
+ip6 saddr != @set33 drop;fail
+
+!set3 type ipv6_addr flags interval;ok
+?set3 1234:1234:1234:1234::/64;ok
+?set3 1324:1234:1234:1235::/64;ok
+?set3 1324:1234:1234:1233::/64;ok
+?set3 1234:1234:1234:1234:1234:1234:/96;fail
+?set3 1324:1234:1234:1236::/64;ok
+
+!set4 type ipv6_addr flags interval;ok
+?set4 1234:1234:1234:1234::/64,4321:1234:1234:1234::/64;ok
+?set4 4321:1234:1234:1234:1234:1234::/96;fail
+
+!set5 type ipv6_addr . ipv6_addr;ok
+ip6 saddr . ip6 daddr @set5 drop;ok
+add @set5 { ip6 saddr . ip6 daddr };ok
+
+!map1 type ipv6_addr . ipv6_addr : mark;ok
+add @map1 { ip6 saddr . ip6 daddr : meta mark };ok
+
+delete @set5 { ip6 saddr . ip6 daddr };ok
diff --git a/tests/py/ip6/sets.t.json b/tests/py/ip6/sets.t.json
new file mode 100644
index 0000000..2029d2b
--- /dev/null
+++ b/tests/py/ip6/sets.t.json
@@ -0,0 +1,150 @@
+# ip6 saddr @set2 drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+	    "op": "==",
+            "right": "@set2"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# ip6 saddr != @set2 drop
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "op": "!=",
+            "right": "@set2"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# ip6 saddr . ip6 daddr @set5 drop
+[
+    {
+        "match": {
+            "left": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip6"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip6"
+                        }
+                    }
+                ]
+            },
+	    "op": "==",
+            "right": "@set5"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# add @set5 { ip6 saddr . ip6 daddr }
+[
+    {
+        "set": {
+            "elem": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip6"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip6"
+                        }
+                    }
+                ]
+            },
+            "op": "add",
+            "set": "@set5"
+        }
+    }
+]
+
+# delete @set5 { ip6 saddr . ip6 daddr }
+[
+    {
+        "set": {
+            "elem": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip6"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip6"
+                        }
+                    }
+                ]
+            },
+            "op": "delete",
+            "set": "@set5"
+        }
+    }
+]
+
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+[
+    {
+        "map": {
+            "data": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "elem": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip6"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip6"
+                        }
+                    }
+                ]
+            },
+            "map": "@map1",
+            "op": "add"
+        }
+    }
+]
+
diff --git a/tests/py/ip6/sets.t.json.got b/tests/py/ip6/sets.t.json.got
new file mode 100644
index 0000000..114b17c
--- /dev/null
+++ b/tests/py/ip6/sets.t.json.got
@@ -0,0 +1,31 @@
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+[
+    {
+        "map": {
+            "data": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "elem": {
+                "concat": [
+                    {
+                        "payload": {
+                            "field": "saddr",
+                            "protocol": "ip6"
+                        }
+                    },
+                    {
+                        "payload": {
+                            "field": "daddr",
+                            "protocol": "ip6"
+                        }
+                    }
+                ]
+            },
+            "map": "@map1",
+            "op": "add"
+        }
+    }
+]
+
diff --git a/tests/py/ip6/sets.t.json.payload.got b/tests/py/ip6/sets.t.json.payload.got
new file mode 100644
index 0000000..18ac33b
--- /dev/null
+++ b/tests/py/ip6/sets.t.json.payload.got
@@ -0,0 +1,107 @@
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+netdev test-netdev egress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+netdev test-netdev egress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+netdev test-netdev egress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+netdev test-netdev egress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
diff --git a/tests/py/ip6/sets.t.payload b/tests/py/ip6/sets.t.payload
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/py/ip6/sets.t.payload
diff --git a/tests/py/ip6/sets.t.payload.inet b/tests/py/ip6/sets.t.payload.inet
new file mode 100644
index 0000000..2bbd557
--- /dev/null
+++ b/tests/py/ip6/sets.t.payload.inet
@@ -0,0 +1,49 @@
+# ip6 saddr @set2 drop
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set set2 ]
+  [ immediate reg 0 drop ]
+
+# ip6 saddr != @set2 drop
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set set2 0x1 ]
+  [ immediate reg 0 drop ]
+
+# ip6 saddr . ip6 daddr @set5 drop
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ lookup reg 1 set set5 ]
+  [ immediate reg 0 drop ]
+
+# add @set5 { ip6 saddr . ip6 daddr }
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ dynset add reg_key 1 set set5 ]
+
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
+# delete @set5 { ip6 saddr . ip6 daddr }
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ dynset delete reg_key 1 set set5 ]
diff --git a/tests/py/ip6/sets.t.payload.inet.got b/tests/py/ip6/sets.t.payload.inet.got
new file mode 100644
index 0000000..4cfa6a4
--- /dev/null
+++ b/tests/py/ip6/sets.t.payload.inet.got
@@ -0,0 +1,9 @@
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
diff --git a/tests/py/ip6/sets.t.payload.ip6 b/tests/py/ip6/sets.t.payload.ip6
new file mode 100644
index 0000000..c59f7b5
--- /dev/null
+++ b/tests/py/ip6/sets.t.payload.ip6
@@ -0,0 +1,38 @@
+# ip6 saddr @set2 drop
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set set2 ]
+  [ immediate reg 0 drop ]
+
+# ip6 saddr != @set2 drop
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set set2 0x1 ]
+  [ immediate reg 0 drop ]
+
+# ip6 saddr . ip6 daddr @set5 drop
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ lookup reg 1 set set5 ]
+  [ immediate reg 0 drop ]
+
+# add @set5 { ip6 saddr . ip6 daddr }
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ dynset add reg_key 1 set set5 ]
+
+# delete @set5 { ip6 saddr . ip6 daddr }
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ dynset delete reg_key 1 set set5 ]
+
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
diff --git a/tests/py/ip6/sets.t.payload.ip6.got b/tests/py/ip6/sets.t.payload.ip6.got
new file mode 100644
index 0000000..8c0ee0d
--- /dev/null
+++ b/tests/py/ip6/sets.t.payload.ip6.got
@@ -0,0 +1,7 @@
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
diff --git a/tests/py/ip6/sets.t.payload.netdev b/tests/py/ip6/sets.t.payload.netdev
new file mode 100644
index 0000000..1866d26
--- /dev/null
+++ b/tests/py/ip6/sets.t.payload.netdev
@@ -0,0 +1,50 @@
+# ip6 saddr @set2 drop
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set set2 ]
+  [ immediate reg 0 drop ]
+
+# ip6 saddr != @set2 drop
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set set2 0x1 ]
+  [ immediate reg 0 drop ]
+
+# ip6 saddr . ip6 daddr @set5 drop
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ lookup reg 1 set set5 ]
+  [ immediate reg 0 drop ]
+
+# add @set5 { ip6 saddr . ip6 daddr }
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ dynset add reg_key 1 set set5 ]
+
+# delete @set5 { ip6 saddr . ip6 daddr }
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ dynset delete reg_key 1 set set5 ]
+
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
diff --git a/tests/py/ip6/sets.t.payload.netdev.got b/tests/py/ip6/sets.t.payload.netdev.got
new file mode 100644
index 0000000..792d841
--- /dev/null
+++ b/tests/py/ip6/sets.t.payload.netdev.got
@@ -0,0 +1,9 @@
+# add @map1 { ip6 saddr . ip6 daddr : meta mark }
+netdev test-netdev ingress
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ payload load 16b @ network header + 24 => reg 2 ]
+  [ meta load mark => reg 3 ]
+  [ dynset add reg_key 1 set map1 sreg_data 3 ]
+
diff --git a/tests/py/ip6/snat.t b/tests/py/ip6/snat.t
new file mode 100644
index 0000000..564f089
--- /dev/null
+++ b/tests/py/ip6/snat.t
@@ -0,0 +1,6 @@
+:postrouting;type nat hook postrouting priority 0
+
+*ip6;test-ip6;postrouting
+
+tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100;ok
+tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:100;ok
diff --git a/tests/py/ip6/snat.t.json b/tests/py/ip6/snat.t.json
new file mode 100644
index 0000000..58b0980
--- /dev/null
+++ b/tests/py/ip6/snat.t.json
@@ -0,0 +1,54 @@
+# tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 80, 90 ]
+            }
+        }
+    },
+    {
+        "snat": {
+            "addr": {
+                "range": [ "2001:838:35f:1::", "2001:838:35f:2::" ]
+            },
+            "port": {
+                "range": [ 80, 100 ]
+            }
+        }
+    }
+]
+
+# tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:100
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "dport",
+                    "protocol": "tcp"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "range": [ 80, 90 ]
+            }
+        }
+    },
+    {
+        "snat": {
+            "addr": {
+                "range": [ "2001:838:35f:1::", "2001:838:35f:2::" ]
+            },
+            "port": 100
+        }
+    }
+]
+
diff --git a/tests/py/ip6/snat.t.payload.ip6 b/tests/py/ip6/snat.t.payload.ip6
new file mode 100644
index 0000000..66a2967
--- /dev/null
+++ b/tests/py/ip6/snat.t.payload.ip6
@@ -0,0 +1,25 @@
+# tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100
+ip6 test-ip6 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00005000 ]
+  [ cmp lte reg 1 0x00005a00 ]
+  [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ]
+  [ immediate reg 2 0x38080120 0x02005f03 0x00000000 0x00000000 ]
+  [ immediate reg 3 0x00005000 ]
+  [ immediate reg 4 0x00006400 ]
+  [ nat snat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 flags 0x2 ]
+
+# tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:100
+ip6 test-ip6 postrouting
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00005000 ]
+  [ cmp lte reg 1 0x00005a00 ]
+  [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ]
+  [ immediate reg 2 0x38080120 0x02005f03 0x00000000 0x00000000 ]
+  [ immediate reg 3 0x00006400 ]
+  [ nat snat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 flags 0x2 ]
+
diff --git a/tests/py/ip6/srh.t b/tests/py/ip6/srh.t
new file mode 100644
index 0000000..fbaff41
--- /dev/null
+++ b/tests/py/ip6/srh.t
@@ -0,0 +1,22 @@
+:input;type filter hook input priority 0
+
+*ip6;test-ip6;input
+
+srh last-entry 0;ok
+srh last-entry 127;ok
+srh last-entry { 0, 4-127, 255 };ok
+
+srh flags 0;ok
+srh flags 127;ok
+srh flags { 0, 4-127, 255 };ok
+
+srh tag 0;ok
+srh tag 127;ok
+srh tag { 0, 4-127, 0xffff };ok;srh tag { 0, 4-127, 65535 }
+
+srh sid[1] dead::beef;ok
+srh sid[2] dead::beef;ok
+
+srh last-entry { 0, 4-127, 256 };fail
+srh flags { 0, 4-127, 256 };fail
+srh tag { 0, 4-127, 0x10000 };fail
diff --git a/tests/py/ip6/srh.t.json b/tests/py/ip6/srh.t.json
new file mode 100644
index 0000000..2d16f1c
--- /dev/null
+++ b/tests/py/ip6/srh.t.json
@@ -0,0 +1,194 @@
+# srh last-entry 0
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "last-entry",
+                    "name": "srh"
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# srh last-entry 127
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "last-entry",
+                    "name": "srh"
+                }
+            },
+	    "op": "==",
+            "right": 127
+        }
+    }
+]
+
+# srh last-entry { 0, 4-127, 255 }
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "last-entry",
+                    "name": "srh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    0,
+                    { "range": [ 4, 127 ] },
+                    255
+                ]
+            }
+        }
+    }
+]
+
+# srh flags 0
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "flags",
+                    "name": "srh"
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# srh flags 127
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "flags",
+                    "name": "srh"
+                }
+            },
+	    "op": "==",
+            "right": 127
+        }
+    }
+]
+
+# srh flags { 0, 4-127, 255 }
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "flags",
+                    "name": "srh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    0,
+                    { "range": [ 4, 127 ] },
+                    255
+                ]
+            }
+        }
+    }
+]
+
+# srh tag 0
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "tag",
+                    "name": "srh"
+                }
+            },
+	    "op": "==",
+            "right": 0
+        }
+    }
+]
+
+# srh tag 127
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "tag",
+                    "name": "srh"
+                }
+            },
+	    "op": "==",
+            "right": 127
+        }
+    }
+]
+
+# srh tag { 0, 4-127, 0xffff }
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "tag",
+                    "name": "srh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    0,
+                    { "range": [ 4, 127 ] },
+                    "0xffff"
+                ]
+            }
+        }
+    }
+]
+
+# srh sid[1] dead::beef
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "sid[1]",
+                    "name": "srh"
+                }
+            },
+	    "op": "==",
+            "right": "dead::beef"
+        }
+    }
+]
+
+# srh sid[2] dead::beef
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "sid[2]",
+                    "name": "srh"
+                }
+            },
+	    "op": "==",
+            "right": "dead::beef"
+        }
+    }
+]
+
diff --git a/tests/py/ip6/srh.t.json.output b/tests/py/ip6/srh.t.json.output
new file mode 100644
index 0000000..f801b81
--- /dev/null
+++ b/tests/py/ip6/srh.t.json.output
@@ -0,0 +1,22 @@
+# srh tag { 0, 4-127, 0xffff }
+[
+    {
+        "match": {
+            "left": {
+                "exthdr": {
+                    "field": "tag",
+                    "name": "srh"
+                }
+            },
+	    "op": "==",
+            "right": {
+                "set": [
+                    0,
+                    { "range": [ 4, 127 ] },
+                    65535
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip6/srh.t.payload b/tests/py/ip6/srh.t.payload
new file mode 100644
index 0000000..364940a
--- /dev/null
+++ b/tests/py/ip6/srh.t.payload
@@ -0,0 +1,64 @@
+# srh last-entry 0
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 4 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# srh last-entry 127
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 4 => reg 1 ]
+  [ cmp eq reg 1 0x0000007f ]
+
+# srh last-entry { 0, 4-127, 255 }
+__set%d test-ip6 7 size 5
+__set%d test-ip6 0
+	element 00000000  : 0 [end]	element 00000001  : 1 [end]	element 00000004  : 0 [end]	element 00000080  : 1 [end]	element 000000ff  : 0 [end]  userdata = { \x01\x04\x01\x00\x00\x00 }
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# srh flags 0
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 5 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# srh flags 127
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 5 => reg 1 ]
+  [ cmp eq reg 1 0x0000007f ]
+
+# srh flags { 0, 4-127, 255 }
+__set%d test-ip6 7 size 5
+__set%d test-ip6 0
+	element 00000000  : 0 [end]	element 00000001  : 1 [end]	element 00000004  : 0 [end]	element 00000080  : 1 [end]	element 000000ff  : 0 [end]  userdata = { \x01\x04\x01\x00\x00\x00 }
+ip6 test-ip6 input
+  [ exthdr load ipv6 1b @ 43 + 5 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# srh tag 0
+ip6 test-ip6 input
+  [ exthdr load ipv6 2b @ 43 + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
+# srh tag 127
+ip6 test-ip6 input
+  [ exthdr load ipv6 2b @ 43 + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00007f00 ]
+
+# srh tag { 0, 4-127, 0xffff }
+__set%d test-ip6 7 size 5
+__set%d test-ip6 0
+	element 00000000  : 0 [end]	element 00000100  : 1 [end]	element 00000400  : 0 [end]	element 00008000  : 1 [end]	element 0000ffff  : 0 [end]  userdata = { \x01\x04\x01\x00\x00\x00 }
+ip6 test-ip6 input
+  [ exthdr load ipv6 2b @ 43 + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# srh sid[1] dead::beef
+ip6 test-ip6 input
+  [ exthdr load ipv6 16b @ 43 + 8 => reg 1 ]
+  [ cmp eq reg 1 0x0000adde 0x00000000 0x00000000 0xefbe0000 ]
+
+# srh sid[2] dead::beef
+ip6 test-ip6 input
+  [ exthdr load ipv6 16b @ 43 + 24 => reg 1 ]
+  [ cmp eq reg 1 0x0000adde 0x00000000 0x00000000 0xefbe0000 ]
+
diff --git a/tests/py/ip6/tproxy.t b/tests/py/ip6/tproxy.t
new file mode 100644
index 0000000..d4c6bff
--- /dev/null
+++ b/tests/py/ip6/tproxy.t
@@ -0,0 +1,14 @@
+:y;type filter hook prerouting priority -150
+
+*ip6;x;y
+
+tproxy;fail
+tproxy to [2001:db8::1];fail
+tproxy to [2001:db8::1]:50080;fail
+tproxy to :50080;fail
+meta l4proto 6 tproxy to [2001:db8::1];ok
+meta l4proto 17 tproxy to [2001:db8::1]:50080;ok
+meta l4proto 6 tproxy to :50080;ok
+meta l4proto 6 tproxy ip6 to [2001:db8::1];ok;meta l4proto 6 tproxy to [2001:db8::1]
+meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080;ok;meta l4proto 17 tproxy to [2001:db8::1]:50080
+meta l4proto 6 tproxy ip6 to :50080;ok;meta l4proto 6 tproxy to :50080
diff --git a/tests/py/ip6/tproxy.t.json b/tests/py/ip6/tproxy.t.json
new file mode 100644
index 0000000..0e02d49
--- /dev/null
+++ b/tests/py/ip6/tproxy.t.json
@@ -0,0 +1,125 @@
+# meta l4proto 6 tproxy to [2001:db8::1]
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "tproxy": {
+            "addr": "2001:db8::1"
+        }
+    }
+]
+
+# meta l4proto 17 tproxy to [2001:db8::1]:50080
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 17
+        }
+    },
+    {
+        "tproxy": {
+            "addr": "2001:db8::1",
+            "port": 50080
+        }
+    }
+]
+
+# meta l4proto 6 tproxy to :50080
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "tproxy": {
+            "port": 50080
+        }
+    }
+]
+
+# meta l4proto 6 tproxy ip6 to [2001:db8::1]
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "tproxy": {
+            "addr": "2001:db8::1",
+            "family": "ip6"
+        }
+    }
+]
+
+# meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 17
+        }
+    },
+    {
+        "tproxy": {
+            "addr": "2001:db8::1",
+            "family": "ip6",
+            "port": 50080
+        }
+    }
+]
+
+# meta l4proto 6 tproxy ip6 to :50080
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "tproxy": {
+            "family": "ip6",
+            "port": 50080
+        }
+    }
+]
+
diff --git a/tests/py/ip6/tproxy.t.json.output b/tests/py/ip6/tproxy.t.json.output
new file mode 100644
index 0000000..461738b
--- /dev/null
+++ b/tests/py/ip6/tproxy.t.json.output
@@ -0,0 +1,60 @@
+# meta l4proto 6 tproxy ip6 to [2001:db8::1]
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "tproxy": {
+            "addr": "2001:db8::1"
+        }
+    }
+]
+
+# meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 17
+        }
+    },
+    {
+        "tproxy": {
+            "addr": "2001:db8::1",
+            "port": 50080
+        }
+    }
+]
+
+# meta l4proto 6 tproxy ip6 to :50080
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "tproxy": {
+            "port": 50080
+        }
+    }
+]
diff --git a/tests/py/ip6/tproxy.t.payload b/tests/py/ip6/tproxy.t.payload
new file mode 100644
index 0000000..9f28e80
--- /dev/null
+++ b/tests/py/ip6/tproxy.t.payload
@@ -0,0 +1,44 @@
+# meta l4proto 6 tproxy to [2001:db8::1]
+ip6 x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0xb80d0120 0x00000000 0x00000000 0x01000000 ]
+  [ tproxy ip6 addr reg 1 ]
+
+# meta l4proto 17 tproxy to [2001:db8::1]:50080
+ip6 x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ immediate reg 1 0xb80d0120 0x00000000 0x00000000 0x01000000 ]
+  [ immediate reg 2 0x0000a0c3 ]
+  [ tproxy ip6 addr reg 1 port reg 2 ]
+
+# meta l4proto 6 tproxy to :50080
+ip6 x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x0000a0c3 ]
+  [ tproxy ip6 port reg 1 ]
+
+# meta l4proto 6 tproxy ip6 to [2001:db8::1]
+ip6 x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0xb80d0120 0x00000000 0x00000000 0x01000000 ]
+  [ tproxy ip6 addr reg 1 ]
+
+# meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080
+ip6 x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ immediate reg 1 0xb80d0120 0x00000000 0x00000000 0x01000000 ]
+  [ immediate reg 2 0x0000a0c3 ]
+  [ tproxy ip6 addr reg 1 port reg 2 ]
+
+# meta l4proto 6 tproxy ip6 to :50080
+ip6 x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x0000a0c3 ]
+  [ tproxy ip6 port reg 1 ]
+
diff --git a/tests/py/ip6/vmap.t b/tests/py/ip6/vmap.t
new file mode 100644
index 0000000..2d54b82
--- /dev/null
+++ b/tests/py/ip6/vmap.t
@@ -0,0 +1,58 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+ip6 saddr vmap { abcd::3 : accept };ok
+ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234:1234;fail
+
+# Ipv6 address combinations
+# from src/scanner.l
+ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234:1234 : accept};ok;ip6 saddr vmap { 0:1234:1234:1234:1234:1234:1234:1234 : accept}
+ip6 saddr vmap { 1234::1234:1234:1234:1234:1234:1234 : accept};ok;ip6 saddr vmap { 1234:0:1234:1234:1234:1234:1234:1234 : accept}
+ip6 saddr vmap { 1234:1234::1234:1234:1234:1234:1234 : accept};ok;ip6 saddr vmap { 1234:1234:0:1234:1234:1234:1234:1234 : accept}
+ip6 saddr vmap { 1234:1234:1234::1234:1234:1234:1234 : accept};ok;ip6 saddr vmap { 1234:1234:1234:0:1234:1234:1234:1234 : accept}
+ip6 saddr vmap { 1234:1234:1234:1234::1234:1234:1234 : accept};ok;ip6 saddr vmap { 1234:1234:1234:1234:0:1234:1234:1234 : accept}
+ip6 saddr vmap { 1234:1234:1234:1234:1234::1234:1234 : accept};ok;ip6 saddr vmap { 1234:1234:1234:1234:1234:0:1234:1234 : accept}
+ip6 saddr vmap { 1234:1234:1234:1234:1234:1234::1234 : accept};ok;ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:0:1234 : accept}
+ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:: : accept};ok;ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:0 : accept}
+ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234::1234:1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234::1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234::1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234::1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234:1234::1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:: : accept};ok
+ip6 saddr vmap { ::1234:1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234::1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234::1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234::1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234::1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234:1234::  : accept};ok
+ip6 saddr vmap { ::1234:1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234::1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234::1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234::1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:1234:: : accept};ok
+ip6 saddr vmap { ::1234:1234:1234 : accept};ok
+ip6 saddr vmap { 1234::1234:1234 : accept};ok
+ip6 saddr vmap { 1234:1234::1234 : accept};ok
+ip6 saddr vmap { 1234:1234:1234:: : accept};ok
+ip6 saddr vmap { ::1234:1234 : accept};ok;ip6 saddr vmap { ::18.52.18.52 : accept}
+ip6 saddr vmap { 1234::1234 : accept};ok
+ip6 saddr vmap { 1234:1234:: : accept};ok
+ip6 saddr vmap { ::1234 : accept};ok
+ip6 saddr vmap { 1234:: : accept};ok
+ip6 saddr vmap { ::/64 : accept};ok
+
+ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:: : accept, ::aaaa : drop};ok;ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:0 : accept, ::aaaa : drop}
+ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept, ::bbbb : drop};ok;ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:0 : accept, ::bbbb : drop}
+ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::cccc : drop};ok;ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:0 : accept, ::cccc : drop}
+ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::dddd: drop};ok;ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:0 : accept, ::dddd: drop}
+
+# rule without comma:
+filter-input ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:bbbb:::accept::adda : drop};fail
diff --git a/tests/py/ip6/vmap.t.json b/tests/py/ip6/vmap.t.json
new file mode 100644
index 0000000..1b867ff
--- /dev/null
+++ b/tests/py/ip6/vmap.t.json
@@ -0,0 +1,1037 @@
+# ip6 saddr vmap { abcd::3 : accept }
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "abcd::3",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234:1234:1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "::1234:1234:1234:1234:1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234::1234:1234:1234:1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234::1234:1234:1234:1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234::1234:1234:1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234::1234:1234:1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234::1234:1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234::1234:1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234:1234::1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234::1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234::1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234:1234::1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234:1234::1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234:1234:1234::1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:: : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234:1234:1234:1234::",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "::1234:1234:1234:1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234::1234:1234:1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234::1234:1234:1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234::1234:1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234::1234:1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234::1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234::1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234:1234::1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234::1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234::1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234:1234::1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:: : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234:1234:1234::",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { ::1234:1234:1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "::1234:1234:1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234::1234:1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234::1234:1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234::1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234::1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234::1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234::1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234:1234::1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234::1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234::  : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234:1234::",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { ::1234:1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "::1234:1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234::1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234::1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234::1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234::1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234::1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234::1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:: : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234::",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { ::1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "::1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234::1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234::1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234::1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234::1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234:: : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234::",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { ::1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "::1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234::1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234::1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:: : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234::",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { ::1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "::1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:: : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234::",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { ::/64 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        {
+                            "prefix": {
+                                "addr": "::",
+                                "len": 64
+                            }
+                        },
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:: : accept, ::aaaa : drop}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234:1234:1234:aaaa::",
+                        {
+                            "accept": null
+                        }
+                    ],
+                    [
+                        "::aaaa",
+                        {
+                            "drop": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept, ::bbbb : drop}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234:1234:1234:aaaa::",
+                        {
+                            "accept": null
+                        }
+                    ],
+                    [
+                        "::bbbb",
+                        {
+                            "drop": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::cccc : drop}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234:1234:1234:aaaa::",
+                        {
+                            "accept": null
+                        }
+                    ],
+                    [
+                        "::cccc",
+                        {
+                            "drop": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::dddd: drop}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234:1234:1234:aaaa::",
+                        {
+                            "accept": null
+                        }
+                    ],
+                    [
+                        "::dddd",
+                        {
+                            "drop": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip6/vmap.t.json.output b/tests/py/ip6/vmap.t.json.output
new file mode 100644
index 0000000..affe383
--- /dev/null
+++ b/tests/py/ip6/vmap.t.json.output
@@ -0,0 +1,336 @@
+# ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "0:1234:1234:1234:1234:1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234::1234:1234:1234:1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:0:1234:1234:1234:1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234::1234:1234:1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:0:1234:1234:1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234::1234:1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:0:1234:1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234:1234::1234:1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234:0:1234:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234::1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234:1234:0:1234:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234:1234::1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234:1234:1234:0:1234",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:: : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "1234:1234:1234:1234:1234:1234:1234:0",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap { ::1234:1234 : accept}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "::18.52.18.52",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:: : accept, ::aaaa : drop}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "::aaaa",
+                        {
+                            "drop": null
+                        }
+                    ],
+                    [
+                        "1234:1234:1234:1234:1234:1234:aaaa:0",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept, ::bbbb : drop}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "::bbbb",
+                        {
+                            "drop": null
+                        }
+                    ],
+                    [
+                        "1234:1234:1234:1234:1234:1234:aaaa:0",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::cccc : drop}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "::cccc",
+                        {
+                            "drop": null
+                        }
+                    ],
+                    [
+                        "1234:1234:1234:1234:1234:1234:aaaa:0",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::dddd: drop}
+[
+    {
+        "vmap": {
+            "key": {
+                "payload": {
+                    "field": "saddr",
+                    "protocol": "ip6"
+                }
+            },
+            "data": {
+                "set": [
+                    [
+                        "::dddd",
+                        {
+                            "drop": null
+                        }
+                    ],
+                    [
+                        "1234:1234:1234:1234:1234:1234:aaaa:0",
+                        {
+                            "accept": null
+                        }
+                    ]
+                ]
+            }
+        }
+    }
+]
+
diff --git a/tests/py/ip6/vmap.t.payload.inet b/tests/py/ip6/vmap.t.payload.inet
new file mode 100644
index 0000000..931cc6b
--- /dev/null
+++ b/tests/py/ip6/vmap.t.payload.inet
@@ -0,0 +1,420 @@
+# ip6 saddr vmap { abcd::3 : accept }
+__map%d test-inet b
+__map%d test-inet 0
+	element 0000cdab 00000000 00000000 03000000  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 34123412 34123412 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34120000 34123412 34123412 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234::1234:1234:1234:1234:1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 00003412 34123412 34123412 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234::1234:1234:1234:1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 34120000 34123412 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234::1234:1234:1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 00003412 34123412 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234::1234:1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 34123412 34120000 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234::1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 34123412 00003412 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234:1234::1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 34123412 34123412 34120000  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:: : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 34123412 34123412 00003412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 00000000 34123412 34123412 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234::1234:1234:1234:1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 00003412 34120000 34123412 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234::1234:1234:1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 00000000 34123412 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234::1234:1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 00003412 34120000 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234::1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 34123412 00000000 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234::1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 34123412 00003412 34120000  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:: : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 34123412 34123412 00000000  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234:1234:1234:1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 00000000 34120000 34123412 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234::1234:1234:1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 00003412 00000000 34123412 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234::1234:1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 00000000 34120000 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234::1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 00003412 00000000 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234::1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 34123412 00000000 34120000  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234::  : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 34123412 00003412 00000000  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234:1234:1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 00000000 00000000 34123412 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234::1234:1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 00003412 00000000 34120000 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234::1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 00000000 00000000 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234::1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 00003412 00000000 34120000  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:: : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 34123412 00000000 00000000  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234:1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 00000000 00000000 34120000 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234::1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 00003412 00000000 00000000 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234::1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 00000000 00000000 34120000  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:: : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 00003412 00000000 00000000  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234:1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 00000000 00000000 00000000 34123412  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234::1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 00003412 00000000 00000000 34120000  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:: : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 00000000 00000000 00000000  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234 : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 00000000 00000000 00000000 34120000  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:: : accept}
+__map%d test-inet b
+__map%d test-inet 0
+	element 00003412 00000000 00000000 00000000  : accept 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::/64 : accept}
+__map%d test-inet f
+__map%d test-inet 0
+	element 00000000 00000000 00000000 00000000  : accept 0 [end]	element 00000000 01000000 00000000 00000000  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:: : accept, ::aaaa : drop}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 34123412 34123412 0000aaaa  : accept 0 [end]	element 00000000 00000000 00000000 aaaa0000  : drop 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept, ::bbbb : drop}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 34123412 34123412 0000aaaa  : accept 0 [end]	element 00000000 00000000 00000000 bbbb0000  : drop 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::cccc : drop}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 34123412 34123412 0000aaaa  : accept 0 [end]	element 00000000 00000000 00000000 cccc0000  : drop 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::dddd: drop}
+__map%d test-inet b
+__map%d test-inet 0
+	element 34123412 34123412 34123412 0000aaaa  : accept 0 [end]	element 00000000 00000000 00000000 dddd0000  : drop 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
diff --git a/tests/py/ip6/vmap.t.payload.ip6 b/tests/py/ip6/vmap.t.payload.ip6
new file mode 100644
index 0000000..6e077b2
--- /dev/null
+++ b/tests/py/ip6/vmap.t.payload.ip6
@@ -0,0 +1,336 @@
+# ip6 saddr vmap { abcd::3 : accept }
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 0000cdab 00000000 00000000 03000000  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 34123412 34123412 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34120000 34123412 34123412 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234::1234:1234:1234:1234:1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 00003412 34123412 34123412 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234::1234:1234:1234:1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 34120000 34123412 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234::1234:1234:1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 00003412 34123412 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234::1234:1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 34123412 34120000 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234::1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 34123412 00003412 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234:1234::1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 34123412 34123412 34120000  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:: : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 34123412 34123412 00003412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 00000000 34123412 34123412 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234::1234:1234:1234:1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 00003412 34120000 34123412 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234::1234:1234:1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 00000000 34123412 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234::1234:1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 00003412 34120000 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234::1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 34123412 00000000 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234::1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 34123412 00003412 34120000  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:: : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 34123412 34123412 00000000  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234:1234:1234:1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 00000000 34120000 34123412 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234::1234:1234:1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 00003412 00000000 34123412 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234::1234:1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 00000000 34120000 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234::1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 00003412 00000000 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234::1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 34123412 00000000 34120000  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234::  : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 34123412 00003412 00000000  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234:1234:1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 00000000 00000000 34123412 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234::1234:1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 00003412 00000000 34120000 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234::1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 00000000 00000000 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234::1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 00003412 00000000 34120000  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:: : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 34123412 00000000 00000000  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234:1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 00000000 00000000 34120000 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234::1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 00003412 00000000 00000000 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234::1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 00000000 00000000 34120000  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:: : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 00003412 00000000 00000000  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234:1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 00000000 00000000 00000000 34123412  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234::1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 00003412 00000000 00000000 34120000  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:: : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 00000000 00000000 00000000  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234 : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 00000000 00000000 00000000 34120000  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:: : accept}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 00003412 00000000 00000000 00000000  : accept 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::/64 : accept}
+__map%d test-ip6 f
+__map%d test-ip6 0
+	element 00000000 00000000 00000000 00000000  : accept 0 [end]	element 00000000 01000000 00000000 00000000  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:: : accept, ::aaaa : drop}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 34123412 34123412 0000aaaa  : accept 0 [end]	element 00000000 00000000 00000000 aaaa0000  : drop 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept, ::bbbb : drop}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 34123412 34123412 0000aaaa  : accept 0 [end]	element 00000000 00000000 00000000 bbbb0000  : drop 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::cccc : drop}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 34123412 34123412 0000aaaa  : accept 0 [end]	element 00000000 00000000 00000000 cccc0000  : drop 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::dddd: drop}
+__map%d test-ip6 b
+__map%d test-ip6 0
+	element 34123412 34123412 34123412 0000aaaa  : accept 0 [end]	element 00000000 00000000 00000000 dddd0000  : drop 0 [end]
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
diff --git a/tests/py/ip6/vmap.t.payload.netdev b/tests/py/ip6/vmap.t.payload.netdev
new file mode 100644
index 0000000..45f2c0b
--- /dev/null
+++ b/tests/py/ip6/vmap.t.payload.netdev
@@ -0,0 +1,420 @@
+# ip6 saddr vmap { abcd::3 : accept }
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 0000cdab 00000000 00000000 03000000  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 34123412 34123412 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34120000 34123412 34123412 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234::1234:1234:1234:1234:1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 00003412 34123412 34123412 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234::1234:1234:1234:1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 34120000 34123412 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234::1234:1234:1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 00003412 34123412 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234::1234:1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 34123412 34120000 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234::1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 34123412 00003412 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234:1234::1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 34123412 34123412 34120000  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:: : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 34123412 34123412 00003412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 00000000 34123412 34123412 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234::1234:1234:1234:1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 00003412 34120000 34123412 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234::1234:1234:1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 00000000 34123412 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234::1234:1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 00003412 34120000 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234::1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 34123412 00000000 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234::1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 34123412 00003412 34120000  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:: : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 34123412 34123412 00000000  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234:1234:1234:1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 00000000 34120000 34123412 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234::1234:1234:1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 00003412 00000000 34123412 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234::1234:1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 00000000 34120000 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234::1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 00003412 00000000 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234::1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 34123412 00000000 34120000  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:1234::  : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 34123412 00003412 00000000  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234:1234:1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 00000000 00000000 34123412 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234::1234:1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 00003412 00000000 34120000 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234::1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 00000000 00000000 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234::1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 00003412 00000000 34120000  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:1234:: : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 34123412 00000000 00000000  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234:1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 00000000 00000000 34120000 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234::1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 00003412 00000000 00000000 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234::1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 00000000 00000000 34120000  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:1234:: : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 00003412 00000000 00000000  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234:1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 00000000 00000000 00000000 34123412  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234::1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 00003412 00000000 00000000 34120000  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:1234:: : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 00000000 00000000 00000000  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::1234 : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 00000000 00000000 00000000 34120000  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { 1234:: : accept}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 00003412 00000000 00000000 00000000  : accept 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap { ::/64 : accept}
+__map%d test-netdev f
+__map%d test-netdev 0
+	element 00000000 00000000 00000000 00000000  : accept 0 [end]	element 00000000 01000000 00000000 00000000  : 1 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:: : accept, ::aaaa : drop}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 34123412 34123412 0000aaaa  : accept 0 [end]	element 00000000 00000000 00000000 aaaa0000  : drop 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept, ::bbbb : drop}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 34123412 34123412 0000aaaa  : accept 0 [end]	element 00000000 00000000 00000000 bbbb0000  : drop 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::cccc : drop}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 34123412 34123412 0000aaaa  : accept 0 [end]	element 00000000 00000000 00000000 cccc0000  : drop 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::dddd: drop}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 34123412 34123412 34123412 0000aaaa  : accept 0 [end]	element 00000000 00000000 00000000 dddd0000  : drop 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 0 ]
+
diff --git a/tests/py/log b/tests/py/log
new file mode 100644
index 0000000..aba5a15
--- /dev/null
+++ b/tests/py/log
@@ -0,0 +1,1004 @@
+INFO: Log will be available at /tmp/nftables-test.log
+any/last.t: ERROR: line 11: add rule ip test-ip4 input last: This rule should not have failed.
+any/last.t: ERROR: line 12: add rule ip test-ip4 input last used 300s: This rule should not have failed.
+any/meta.t: ERROR: line 3: I cannot create the chain 'egress'
+any/meta.t: ERROR: line 12: add rule netdev test-netdev egress meta length 1000: This rule should not have failed.
+any/meta.t: ERROR: line 13: add rule netdev test-netdev egress meta length 22: This rule should not have failed.
+any/meta.t: ERROR: line 14: add rule netdev test-netdev egress meta length != 233: This rule should not have failed.
+any/meta.t: ERROR: line 15: add rule netdev test-netdev egress meta length 33-45: This rule should not have failed.
+any/meta.t: ERROR: line 16: add rule netdev test-netdev egress meta length != 33-45: This rule should not have failed.
+any/meta.t: ERROR: line 17: add rule netdev test-netdev egress meta length { 33, 55, 67, 88}: This rule should not have failed.
+any/meta.t: ERROR: line 18: add rule netdev test-netdev egress meta length { 33-55, 67-88}: This rule should not have failed.
+any/meta.t: ERROR: line 19: add rule netdev test-netdev egress meta length { 33-55, 56-88, 100-120}: This rule should not have failed.
+any/meta.t: ERROR: line 20: add rule netdev test-netdev egress meta length != { 33, 55, 67, 88}: This rule should not have failed.
+any/meta.t: ERROR: line 21: add rule netdev test-netdev egress meta length { 33-55, 66-88}: This rule should not have failed.
+any/meta.t: ERROR: line 22: add rule netdev test-netdev egress meta length != { 33-55, 66-88}: This rule should not have failed.
+any/meta.t: ERROR: line 24: add rule netdev test-netdev egress meta protocol { ip, arp, ip6, vlan }: This rule should not have failed.
+any/meta.t: ERROR: line 25: add rule netdev test-netdev egress meta protocol != {ip, arp, ip6, 8021q}: This rule should not have failed.
+any/meta.t: ERROR: line 26: add rule netdev test-netdev egress meta protocol ip: This rule should not have failed.
+any/meta.t: ERROR: line 27: add rule netdev test-netdev egress meta protocol != ip: This rule should not have failed.
+any/meta.t: ERROR: line 29: add rule netdev test-netdev egress meta l4proto 22: This rule should not have failed.
+any/meta.t: ERROR: line 30: add rule netdev test-netdev egress meta l4proto != 233: This rule should not have failed.
+any/meta.t: ERROR: line 31: add rule netdev test-netdev egress meta l4proto 33-45: This rule should not have failed.
+any/meta.t: ERROR: line 32: add rule netdev test-netdev egress meta l4proto != 33-45: This rule should not have failed.
+any/meta.t: ERROR: line 33: add rule netdev test-netdev egress meta l4proto { 33, 55, 67, 88}: This rule should not have failed.
+any/meta.t: ERROR: line 34: add rule netdev test-netdev egress meta l4proto != { 33, 55, 67, 88}: This rule should not have failed.
+any/meta.t: ERROR: line 35: add rule netdev test-netdev egress meta l4proto { 33-55, 66-88}: This rule should not have failed.
+any/meta.t: ERROR: line 36: add rule netdev test-netdev egress meta l4proto != { 33-55, 66-88}: This rule should not have failed.
+any/meta.t: ERROR: line 38: add rule netdev test-netdev egress meta priority root: This rule should not have failed.
+any/meta.t: ERROR: line 39: add rule netdev test-netdev egress meta priority none: This rule should not have failed.
+any/meta.t: ERROR: line 40: add rule netdev test-netdev egress meta priority 0x87654321: This rule should not have failed.
+any/meta.t: ERROR: line 41: add rule netdev test-netdev egress meta priority 2271560481: This rule should not have failed.
+any/meta.t: ERROR: line 42: add rule netdev test-netdev egress meta priority 1:1234: This rule should not have failed.
+any/meta.t: ERROR: line 43: add rule netdev test-netdev egress meta priority bcad:dadc: This rule should not have failed.
+any/meta.t: ERROR: line 44: add rule netdev test-netdev egress meta priority aabb:0: This rule should not have failed.
+any/meta.t: ERROR: line 45: add rule netdev test-netdev egress meta priority != bcad:dadc: This rule should not have failed.
+any/meta.t: ERROR: line 46: add rule netdev test-netdev egress meta priority != aabb:0: This rule should not have failed.
+any/meta.t: ERROR: line 47: add rule netdev test-netdev egress meta priority bcad:dada-bcad:dadc: This rule should not have failed.
+any/meta.t: ERROR: line 48: add rule netdev test-netdev egress meta priority != bcad:dada-bcad:dadc: This rule should not have failed.
+any/meta.t: ERROR: line 49: add rule netdev test-netdev egress meta priority {bcad:dada, bcad:dadc, aaaa:bbbb}: This rule should not have failed.
+any/meta.t: ERROR: line 50: add rule netdev test-netdev egress meta priority set cafe:beef: This rule should not have failed.
+any/meta.t: ERROR: line 51: add rule netdev test-netdev egress meta priority != {bcad:dada, bcad:dadc, aaaa:bbbb}: This rule should not have failed.
+any/meta.t: ERROR: line 53: add rule netdev test-netdev egress meta mark 0x4: This rule should not have failed.
+any/meta.t: ERROR: line 54: add rule netdev test-netdev egress meta mark 0x32: This rule should not have failed.
+any/meta.t: ERROR: line 55: add rule netdev test-netdev egress meta mark and 0x03 == 0x01: This rule should not have failed.
+any/meta.t: ERROR: line 56: add rule netdev test-netdev egress meta mark and 0x03 != 0x01: This rule should not have failed.
+any/meta.t: ERROR: line 57: add rule netdev test-netdev egress meta mark 0x10: This rule should not have failed.
+any/meta.t: ERROR: line 58: add rule netdev test-netdev egress meta mark != 0x10: This rule should not have failed.
+any/meta.t: ERROR: line 59: add rule netdev test-netdev egress meta mark 0xffffff00/24: This rule should not have failed.
+any/meta.t: ERROR: line 61: add rule netdev test-netdev egress meta mark or 0x03 == 0x01: This rule should not have failed.
+any/meta.t: ERROR: line 62: add rule netdev test-netdev egress meta mark or 0x03 != 0x01: This rule should not have failed.
+any/meta.t: ERROR: line 63: add rule netdev test-netdev egress meta mark xor 0x03 == 0x01: This rule should not have failed.
+any/meta.t: ERROR: line 64: add rule netdev test-netdev egress meta mark xor 0x03 != 0x01: This rule should not have failed.
+any/meta.t: ERROR: line 66: add rule netdev test-netdev egress meta iif "lo" accept: This rule should not have failed.
+any/meta.t: ERROR: line 67: add rule netdev test-netdev egress meta iif != "lo" accept: This rule should not have failed.
+any/meta.t: ERROR: line 69: add rule netdev test-netdev egress meta iifname "dummy0": This rule should not have failed.
+any/meta.t: ERROR: line 70: add rule netdev test-netdev egress meta iifname != "dummy0": This rule should not have failed.
+any/meta.t: ERROR: line 71: add rule netdev test-netdev egress meta iifname {"dummy0", "lo"}: This rule should not have failed.
+any/meta.t: ERROR: line 72: add rule netdev test-netdev egress meta iifname != {"dummy0", "lo"}: This rule should not have failed.
+any/meta.t: ERROR: line 73: add rule netdev test-netdev egress meta iifname "dummy*": This rule should not have failed.
+any/meta.t: ERROR: line 74: add rule netdev test-netdev egress meta iifname "dummy\*": This rule should not have failed.
+any/meta.t: ERROR: line 77: add rule netdev test-netdev egress meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}: This rule should not have failed.
+any/meta.t: ERROR: line 78: add rule netdev test-netdev egress meta iiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre}: This rule should not have failed.
+any/meta.t: ERROR: line 79: add rule netdev test-netdev egress meta iiftype != ether: This rule should not have failed.
+any/meta.t: ERROR: line 80: add rule netdev test-netdev egress meta iiftype ether: This rule should not have failed.
+any/meta.t: ERROR: line 81: add rule netdev test-netdev egress meta iiftype != ppp: This rule should not have failed.
+any/meta.t: ERROR: line 82: add rule netdev test-netdev egress meta iiftype ppp: This rule should not have failed.
+any/meta.t: ERROR: line 84: add rule netdev test-netdev egress meta oif "lo" accept: This rule should not have failed.
+any/meta.t: ERROR: line 85: add rule netdev test-netdev egress meta oif != "lo" accept: This rule should not have failed.
+any/meta.t: ERROR: line 87: add rule netdev test-netdev egress meta oifname "dummy0": This rule should not have failed.
+any/meta.t: ERROR: line 88: add rule netdev test-netdev egress meta oifname != "dummy0": This rule should not have failed.
+any/meta.t: ERROR: line 89: add rule netdev test-netdev egress meta oifname { "dummy0", "lo"}: This rule should not have failed.
+any/meta.t: ERROR: line 90: add rule netdev test-netdev egress meta oifname "dummy*": This rule should not have failed.
+any/meta.t: ERROR: line 91: add rule netdev test-netdev egress meta oifname "dummy\*": This rule should not have failed.
+any/meta.t: ERROR: line 94: add rule netdev test-netdev egress meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}: This rule should not have failed.
+any/meta.t: ERROR: line 95: add rule netdev test-netdev egress meta oiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre}: This rule should not have failed.
+any/meta.t: ERROR: line 96: add rule netdev test-netdev egress meta oiftype != ether: This rule should not have failed.
+any/meta.t: ERROR: line 97: add rule netdev test-netdev egress meta oiftype ether: This rule should not have failed.
+any/meta.t: ERROR: line 99: add rule netdev test-netdev egress meta skuid {"bin", "root", "daemon"} accept: This rule should not have failed.
+any/meta.t: ERROR: line 100: add rule netdev test-netdev egress meta skuid != {"bin", "root", "daemon"} accept: This rule should not have failed.
+any/meta.t: ERROR: line 101: add rule netdev test-netdev egress meta skuid "root": This rule should not have failed.
+any/meta.t: ERROR: line 102: add rule netdev test-netdev egress meta skuid != "root": This rule should not have failed.
+any/meta.t: ERROR: line 103: add rule netdev test-netdev egress meta skuid lt 3000 accept: This rule should not have failed.
+any/meta.t: ERROR: line 104: add rule netdev test-netdev egress meta skuid gt 3000 accept: This rule should not have failed.
+any/meta.t: ERROR: line 105: add rule netdev test-netdev egress meta skuid eq 3000 accept: This rule should not have failed.
+any/meta.t: ERROR: line 106: add rule netdev test-netdev egress meta skuid 3001-3005 accept: This rule should not have failed.
+any/meta.t: ERROR: line 107: add rule netdev test-netdev egress meta skuid != 2001-2005 accept: This rule should not have failed.
+any/meta.t: ERROR: line 108: add rule netdev test-netdev egress meta skuid { 2001-2005, 3001-3005} accept: This rule should not have failed.
+any/meta.t: ERROR: line 109: add rule netdev test-netdev egress meta skuid != { 2001-2005, 3001-3005} accept: This rule should not have failed.
+any/meta.t: ERROR: line 111: add rule netdev test-netdev egress meta skgid {"bin", "root", "daemon"} accept: This rule should not have failed.
+any/meta.t: ERROR: line 112: add rule netdev test-netdev egress meta skgid != {"bin", "root", "daemon"} accept: This rule should not have failed.
+any/meta.t: ERROR: line 113: add rule netdev test-netdev egress meta skgid "root": This rule should not have failed.
+any/meta.t: ERROR: line 114: add rule netdev test-netdev egress meta skgid != "root": This rule should not have failed.
+any/meta.t: ERROR: line 115: add rule netdev test-netdev egress meta skgid lt 3000 accept: This rule should not have failed.
+any/meta.t: ERROR: line 116: add rule netdev test-netdev egress meta skgid gt 3000 accept: This rule should not have failed.
+any/meta.t: ERROR: line 117: add rule netdev test-netdev egress meta skgid eq 3000 accept: This rule should not have failed.
+any/meta.t: ERROR: line 118: add rule netdev test-netdev egress meta skgid 2001-2005 accept: This rule should not have failed.
+any/meta.t: ERROR: line 119: add rule netdev test-netdev egress meta skgid != 2001-2005 accept: This rule should not have failed.
+any/meta.t: ERROR: line 131: add rule netdev test-netdev egress meta mark set 0xffffffc8 xor 0x16: This rule should not have failed.
+any/meta.t: ERROR: line 132: add rule netdev test-netdev egress meta mark set 0x16 and 0x16: This rule should not have failed.
+any/meta.t: ERROR: line 133: add rule netdev test-netdev egress meta mark set 0xffffffe9 or 0x16: This rule should not have failed.
+any/meta.t: ERROR: line 134: add rule netdev test-netdev egress meta mark set 0xffffffde and 0x16: This rule should not have failed.
+any/meta.t: ERROR: line 135: add rule netdev test-netdev egress meta mark set 0xf045ffde or 0x10: This rule should not have failed.
+any/meta.t: ERROR: line 136: add rule netdev test-netdev egress meta mark set 0xffffffde or 0x16: This rule should not have failed.
+any/meta.t: ERROR: line 137: add rule netdev test-netdev egress meta mark set 0x32 or 0xfffff: This rule should not have failed.
+any/meta.t: ERROR: line 138: add rule netdev test-netdev egress meta mark set 0xfffe xor 0x16: This rule should not have failed.
+any/meta.t: ERROR: line 143: add rule netdev test-netdev egress meta iif "lo": This rule should not have failed.
+any/meta.t: ERROR: line 144: add rule netdev test-netdev egress meta oif "lo": This rule should not have failed.
+any/meta.t: ERROR: line 145: add rule netdev test-netdev egress meta oifname "dummy2" accept: This rule should not have failed.
+any/meta.t: ERROR: line 146: add rule netdev test-netdev egress meta skuid 3000: This rule should not have failed.
+any/meta.t: ERROR: line 147: add rule netdev test-netdev egress meta skgid 3000: This rule should not have failed.
+any/meta.t: ERROR: line 151: add rule netdev test-netdev egress meta rtclassid "cosmos": This rule should not have failed.
+any/meta.t: ERROR: line 153: add rule netdev test-netdev egress meta pkttype broadcast: This rule should not have failed.
+any/meta.t: ERROR: line 154: add rule netdev test-netdev egress meta pkttype host: This rule should not have failed.
+any/meta.t: ERROR: line 155: add rule netdev test-netdev egress meta pkttype multicast: This rule should not have failed.
+any/meta.t: ERROR: line 156: add rule netdev test-netdev egress meta pkttype != broadcast: This rule should not have failed.
+any/meta.t: ERROR: line 157: add rule netdev test-netdev egress meta pkttype != host: This rule should not have failed.
+any/meta.t: ERROR: line 158: add rule netdev test-netdev egress meta pkttype != multicast: This rule should not have failed.
+any/meta.t: ERROR: line 160: add rule netdev test-netdev egress pkttype { broadcast, multicast} accept: This rule should not have failed.
+any/meta.t: ERROR: line 162: add rule netdev test-netdev egress meta cpu 1: This rule should not have failed.
+any/meta.t: ERROR: line 163: add rule netdev test-netdev egress meta cpu != 1: This rule should not have failed.
+any/meta.t: ERROR: line 164: add rule netdev test-netdev egress meta cpu 1-3: This rule should not have failed.
+any/meta.t: ERROR: line 165: add rule netdev test-netdev egress meta cpu != 1-2: This rule should not have failed.
+any/meta.t: ERROR: line 166: add rule netdev test-netdev egress meta cpu { 2,3}: This rule should not have failed.
+any/meta.t: ERROR: line 167: add rule netdev test-netdev egress meta cpu { 2-3, 5-7}: This rule should not have failed.
+any/meta.t: ERROR: line 168: add rule netdev test-netdev egress meta cpu != { 2,3}: This rule should not have failed.
+any/meta.t: ERROR: line 170: add rule netdev test-netdev egress meta iifgroup 0: This rule should not have failed.
+any/meta.t: ERROR: line 171: add rule netdev test-netdev egress meta iifgroup != 0: This rule should not have failed.
+any/meta.t: ERROR: line 172: add rule netdev test-netdev egress meta iifgroup "default": This rule should not have failed.
+any/meta.t: ERROR: line 173: add rule netdev test-netdev egress meta iifgroup != "default": This rule should not have failed.
+any/meta.t: ERROR: line 174: add rule netdev test-netdev egress meta iifgroup {"default", 11}: This rule should not have failed.
+any/meta.t: ERROR: line 175: add rule netdev test-netdev egress meta iifgroup != {"default", 11}: This rule should not have failed.
+any/meta.t: ERROR: line 176: add rule netdev test-netdev egress meta iifgroup { 11,33}: This rule should not have failed.
+any/meta.t: ERROR: line 177: add rule netdev test-netdev egress meta iifgroup {11-33, 44-55}: This rule should not have failed.
+any/meta.t: ERROR: line 178: add rule netdev test-netdev egress meta iifgroup != { 11,33}: This rule should not have failed.
+any/meta.t: ERROR: line 179: add rule netdev test-netdev egress meta iifgroup != {11-33, 44-55}: This rule should not have failed.
+any/meta.t: ERROR: line 180: add rule netdev test-netdev egress meta oifgroup 0: This rule should not have failed.
+any/meta.t: ERROR: line 181: add rule netdev test-netdev egress meta oifgroup != 0: This rule should not have failed.
+any/meta.t: ERROR: line 182: add rule netdev test-netdev egress meta oifgroup "default": This rule should not have failed.
+any/meta.t: ERROR: line 183: add rule netdev test-netdev egress meta oifgroup != "default": This rule should not have failed.
+any/meta.t: ERROR: line 184: add rule netdev test-netdev egress meta oifgroup {"default", 11}: This rule should not have failed.
+any/meta.t: ERROR: line 185: add rule netdev test-netdev egress meta oifgroup != {"default", 11}: This rule should not have failed.
+any/meta.t: ERROR: line 186: add rule netdev test-netdev egress meta oifgroup { 11,33}: This rule should not have failed.
+any/meta.t: ERROR: line 187: add rule netdev test-netdev egress meta oifgroup {11-33, 44-55}: This rule should not have failed.
+any/meta.t: ERROR: line 188: add rule netdev test-netdev egress meta oifgroup != { 11,33}: This rule should not have failed.
+any/meta.t: ERROR: line 189: add rule netdev test-netdev egress meta oifgroup != {11-33, 44-55}: This rule should not have failed.
+any/meta.t: ERROR: line 191: add rule netdev test-netdev egress meta cgroup 1048577: This rule should not have failed.
+any/meta.t: ERROR: line 192: add rule netdev test-netdev egress meta cgroup != 1048577: This rule should not have failed.
+any/meta.t: ERROR: line 193: add rule netdev test-netdev egress meta cgroup { 1048577, 1048578 }: This rule should not have failed.
+any/meta.t: ERROR: line 194: add rule netdev test-netdev egress meta cgroup != { 1048577, 1048578}: This rule should not have failed.
+any/meta.t: ERROR: line 195: add rule netdev test-netdev egress meta cgroup 1048577-1048578: This rule should not have failed.
+any/meta.t: ERROR: line 196: add rule netdev test-netdev egress meta cgroup != 1048577-1048578: This rule should not have failed.
+any/meta.t: ERROR: line 198: add rule netdev test-netdev egress meta iif . meta oif { "lo" . "lo" }: This rule should not have failed.
+any/meta.t: ERROR: line 199: add rule netdev test-netdev egress meta iif . meta oif . meta mark { "lo" . "lo" . 0x0000000a }: This rule should not have failed.
+any/meta.t: ERROR: line 200: add rule netdev test-netdev egress meta iif . meta oif vmap { "lo" . "lo" : drop }: This rule should not have failed.
+any/meta.t: ERROR: line 202: add rule netdev test-netdev egress meta random eq 1: This rule should not have failed.
+any/meta.t: ERROR: line 203: add rule netdev test-netdev egress meta random gt 1000000: This rule should not have failed.
+any/meta.t: ERROR: line 205: add rule netdev test-netdev egress meta time "1970-05-23 21:07:14" drop: This rule should not have failed.
+any/meta.t: ERROR: line 206: add rule netdev test-netdev egress meta time 12341234 drop: This rule should not have failed.
+any/meta.t: ERROR: line 207: add rule netdev test-netdev egress meta time "2019-06-21 17:00:00" drop: This rule should not have failed.
+any/meta.t: ERROR: line 208: add rule netdev test-netdev egress meta time "2019-07-01 00:00:00" drop: This rule should not have failed.
+any/meta.t: ERROR: line 209: add rule netdev test-netdev egress meta time "2019-07-01 00:01:00" drop: This rule should not have failed.
+any/meta.t: ERROR: line 210: add rule netdev test-netdev egress meta time "2019-07-01 00:00:01" drop: This rule should not have failed.
+any/meta.t: ERROR: line 211: add rule netdev test-netdev egress meta time < "2022-07-01 11:00:00" accept: This rule should not have failed.
+any/meta.t: ERROR: line 212: add rule netdev test-netdev egress meta time > "2022-07-01 11:00:00" accept: This rule should not have failed.
+any/meta.t: ERROR: line 213: add rule netdev test-netdev egress meta day "Saturday" drop: This rule should not have failed.
+any/meta.t: ERROR: line 214: add rule netdev test-netdev egress meta day 6 drop: This rule should not have failed.
+any/meta.t: ERROR: line 216: add rule netdev test-netdev egress meta hour "17:00" drop: This rule should not have failed.
+any/meta.t: ERROR: line 217: add rule netdev test-netdev egress meta hour "17:00:00" drop: This rule should not have failed.
+any/meta.t: ERROR: line 218: add rule netdev test-netdev egress meta hour "17:00:01" drop: This rule should not have failed.
+any/meta.t: ERROR: line 219: add rule netdev test-netdev egress meta hour "00:00" drop: This rule should not have failed.
+any/meta.t: ERROR: line 220: add rule netdev test-netdev egress meta hour "00:01" drop: This rule should not have failed.
+any/meta.t: ERROR: line 221: add rule netdev test-netdev egress time < "2022-07-01 11:00:00" accept: This rule should not have failed.
+any/meta.t: ERROR: line 222: add rule netdev test-netdev egress time > "2022-07-01 11:00:00" accept: This rule should not have failed.
+any/meta.t: ERROR: line 226: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+any/rawpayload.t: ERROR: line 3: I cannot create the chain 'egress'
+any/rawpayload.t: ERROR: line 8: add rule netdev test-netdev egress meta l4proto { tcp, udp, sctp} @th,16,16 { 22, 23, 80 }: This rule should not have failed.
+any/rawpayload.t: ERROR: line 9: add rule netdev test-netdev egress meta l4proto tcp @th,16,16 { 22, 23, 80}: This rule should not have failed.
+any/rawpayload.t: ERROR: line 10: add rule netdev test-netdev egress @nh,8,8 0xff: This rule should not have failed.
+any/rawpayload.t: ERROR: line 11: add rule netdev test-netdev egress @nh,8,16 0x0: This rule should not have failed.
+any/rawpayload.t: ERROR: line 18: add rule netdev test-netdev egress @ll,0,1 1: This rule should not have failed.
+any/rawpayload.t: ERROR: line 19: add rule netdev test-netdev egress @ll,0,8 & 0x80 == 0x80: This rule should not have failed.
+any/rawpayload.t: ERROR: line 20: add rule netdev test-netdev egress @ll,0,128 0xfedcba987654321001234567890abcde: This rule should not have failed.
+any/rawpayload.t: ERROR: line 22: add rule netdev test-netdev egress meta l4proto 91 @th,400,16 0x0 accept: This rule should not have failed.
+any/rawpayload.t: ERROR: line 24: add rule inet test-inet input @ih,32,32 0x14000000: This rule should not have failed.
+any/rawpayload.t: ERROR: line 24: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+any/rt.t: OK
+any/ct.t: OK
+any/log.t: OK
+any/queue.t: OK
+any/objects.t: ERROR: line 3: I cannot create the chain 'egress'
+any/objects.t: ERROR: line 16: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+any/objects.t: OK
+any/counter.t: OK
+any/quota.t: ERROR: line 3: I cannot create the chain 'egress'
+any/quota.t: ERROR: line 12: add rule netdev test-netdev egress quota 1025 bytes: This rule should not have failed.
+any/quota.t: ERROR: line 13: add rule netdev test-netdev egress quota 1 kbytes: This rule should not have failed.
+any/quota.t: ERROR: line 14: add rule netdev test-netdev egress quota 2 kbytes: This rule should not have failed.
+any/quota.t: ERROR: line 15: add rule netdev test-netdev egress quota 1025 kbytes: This rule should not have failed.
+any/quota.t: ERROR: line 16: add rule netdev test-netdev egress quota 1023 mbytes: This rule should not have failed.
+any/quota.t: ERROR: line 17: add rule netdev test-netdev egress quota 10230 mbytes: This rule should not have failed.
+any/quota.t: ERROR: line 18: add rule netdev test-netdev egress quota 1023000 mbytes: This rule should not have failed.
+any/quota.t: ERROR: line 20: add rule netdev test-netdev egress quota over 1 kbytes: This rule should not have failed.
+any/quota.t: ERROR: line 21: add rule netdev test-netdev egress quota over 2 kbytes: This rule should not have failed.
+any/quota.t: ERROR: line 22: add rule netdev test-netdev egress quota over 1025 kbytes: This rule should not have failed.
+any/quota.t: ERROR: line 23: add rule netdev test-netdev egress quota over 1023 mbytes: This rule should not have failed.
+any/quota.t: ERROR: line 24: add rule netdev test-netdev egress quota over 10230 mbytes: This rule should not have failed.
+any/quota.t: ERROR: line 25: add rule netdev test-netdev egress quota over 1023000 mbytes: This rule should not have failed.
+any/quota.t: ERROR: line 25: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+any/limit.t: ERROR: line 3: I cannot create the chain 'egress'
+any/limit.t: ERROR: line 12: add rule netdev test-netdev egress limit rate 400/minute: This rule should not have failed.
+any/limit.t: ERROR: line 13: add rule netdev test-netdev egress limit rate 20/second: This rule should not have failed.
+any/limit.t: ERROR: line 14: add rule netdev test-netdev egress limit rate 400/hour: This rule should not have failed.
+any/limit.t: ERROR: line 15: add rule netdev test-netdev egress limit rate 40/day: This rule should not have failed.
+any/limit.t: ERROR: line 16: add rule netdev test-netdev egress limit rate 400/week: This rule should not have failed.
+any/limit.t: ERROR: line 17: add rule netdev test-netdev egress limit rate 1023/second burst 10 packets: This rule should not have failed.
+any/limit.t: ERROR: line 20: add rule netdev test-netdev egress limit rate 1 kbytes/second: This rule should not have failed.
+any/limit.t: ERROR: line 21: add rule netdev test-netdev egress limit rate 2 kbytes/second: This rule should not have failed.
+any/limit.t: ERROR: line 22: add rule netdev test-netdev egress limit rate 1025 kbytes/second: This rule should not have failed.
+any/limit.t: ERROR: line 23: add rule netdev test-netdev egress limit rate 1023 mbytes/second: This rule should not have failed.
+any/limit.t: ERROR: line 24: add rule netdev test-netdev egress limit rate 10230 mbytes/second: This rule should not have failed.
+any/limit.t: ERROR: line 25: add rule netdev test-netdev egress limit rate 1023000 mbytes/second: This rule should not have failed.
+any/limit.t: ERROR: line 28: add rule netdev test-netdev egress limit rate 1 bytes / second: This rule should not have failed.
+any/limit.t: ERROR: line 29: add rule netdev test-netdev egress limit rate 1 kbytes / second: This rule should not have failed.
+any/limit.t: ERROR: line 30: add rule netdev test-netdev egress limit rate 1 mbytes / second: This rule should not have failed.
+any/limit.t: ERROR: line 33: add rule netdev test-netdev egress limit rate 1025 bytes/second burst 512 bytes: This rule should not have failed.
+any/limit.t: ERROR: line 34: add rule netdev test-netdev egress limit rate 1025 kbytes/second burst 1023 kbytes: This rule should not have failed.
+any/limit.t: ERROR: line 35: add rule netdev test-netdev egress limit rate 1025 mbytes/second burst 1025 kbytes: This rule should not have failed.
+any/limit.t: ERROR: line 36: add rule netdev test-netdev egress limit rate 1025000 mbytes/second burst 1023 mbytes: This rule should not have failed.
+any/limit.t: ERROR: line 38: add rule netdev test-netdev egress limit rate over 400/minute: This rule should not have failed.
+any/limit.t: ERROR: line 39: add rule netdev test-netdev egress limit rate over 20/second: This rule should not have failed.
+any/limit.t: ERROR: line 40: add rule netdev test-netdev egress limit rate over 400/hour: This rule should not have failed.
+any/limit.t: ERROR: line 41: add rule netdev test-netdev egress limit rate over 40/day: This rule should not have failed.
+any/limit.t: ERROR: line 42: add rule netdev test-netdev egress limit rate over 400/week: This rule should not have failed.
+any/limit.t: ERROR: line 43: add rule netdev test-netdev egress limit rate over 1023/second burst 10 packets: This rule should not have failed.
+any/limit.t: ERROR: line 45: add rule netdev test-netdev egress limit rate over 1 kbytes/second: This rule should not have failed.
+any/limit.t: ERROR: line 46: add rule netdev test-netdev egress limit rate over 2 kbytes/second: This rule should not have failed.
+any/limit.t: ERROR: line 47: add rule netdev test-netdev egress limit rate over 1025 kbytes/second: This rule should not have failed.
+any/limit.t: ERROR: line 48: add rule netdev test-netdev egress limit rate over 1023 mbytes/second: This rule should not have failed.
+any/limit.t: ERROR: line 49: add rule netdev test-netdev egress limit rate over 10230 mbytes/second: This rule should not have failed.
+any/limit.t: ERROR: line 50: add rule netdev test-netdev egress limit rate over 1023000 mbytes/second: This rule should not have failed.
+any/limit.t: ERROR: line 52: add rule netdev test-netdev egress limit rate over 1025 bytes/second burst 512 bytes: This rule should not have failed.
+any/limit.t: ERROR: line 53: add rule netdev test-netdev egress limit rate over 1025 kbytes/second burst 1023 kbytes: This rule should not have failed.
+any/limit.t: ERROR: line 54: add rule netdev test-netdev egress limit rate over 1025 mbytes/second burst 1025 kbytes: This rule should not have failed.
+any/limit.t: ERROR: line 55: add rule netdev test-netdev egress limit rate over 1025000 mbytes/second burst 1023 mbytes: This rule should not have failed.
+any/limit.t: ERROR: line 55: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+any/tcpopt.t: ERROR: line 58: add rule ip test-ip4 input reset tcp option mptcp: This rule should not have failed.
+any/tcpopt.t: ERROR: line 59: add rule ip test-ip4 input reset tcp option 2: This rule should not have failed.
+any/tcpopt.t: ERROR: line 60: add rule ip test-ip4 input reset tcp option 123: This rule should not have failed.
+arp/arp.t: ERROR: line 4: I cannot create the chain 'egress'
+arp/arp.t: ERROR: line 9: add rule netdev test-netdev egress arp htype 1: This rule should not have failed.
+arp/arp.t: ERROR: line 10: add rule netdev test-netdev egress arp htype != 1: This rule should not have failed.
+arp/arp.t: ERROR: line 11: add rule netdev test-netdev egress arp htype 22: This rule should not have failed.
+arp/arp.t: ERROR: line 12: add rule netdev test-netdev egress arp htype != 233: This rule should not have failed.
+arp/arp.t: ERROR: line 13: add rule netdev test-netdev egress arp htype 33-45: This rule should not have failed.
+arp/arp.t: ERROR: line 14: add rule netdev test-netdev egress arp htype != 33-45: This rule should not have failed.
+arp/arp.t: ERROR: line 15: add rule netdev test-netdev egress arp htype { 33, 55, 67, 88}: This rule should not have failed.
+arp/arp.t: ERROR: line 16: add rule netdev test-netdev egress arp htype != { 33, 55, 67, 88}: This rule should not have failed.
+arp/arp.t: ERROR: line 18: add rule netdev test-netdev egress arp ptype 0x0800: This rule should not have failed.
+arp/arp.t: ERROR: line 20: add rule netdev test-netdev egress arp hlen 22: This rule should not have failed.
+arp/arp.t: ERROR: line 21: add rule netdev test-netdev egress arp hlen != 233: This rule should not have failed.
+arp/arp.t: ERROR: line 22: add rule netdev test-netdev egress arp hlen 33-45: This rule should not have failed.
+arp/arp.t: ERROR: line 23: add rule netdev test-netdev egress arp hlen != 33-45: This rule should not have failed.
+arp/arp.t: ERROR: line 24: add rule netdev test-netdev egress arp hlen { 33, 55, 67, 88}: This rule should not have failed.
+arp/arp.t: ERROR: line 25: add rule netdev test-netdev egress arp hlen != { 33, 55, 67, 88}: This rule should not have failed.
+arp/arp.t: ERROR: line 27: add rule netdev test-netdev egress arp plen 22: This rule should not have failed.
+arp/arp.t: ERROR: line 28: add rule netdev test-netdev egress arp plen != 233: This rule should not have failed.
+arp/arp.t: ERROR: line 29: add rule netdev test-netdev egress arp plen 33-45: This rule should not have failed.
+arp/arp.t: ERROR: line 30: add rule netdev test-netdev egress arp plen != 33-45: This rule should not have failed.
+arp/arp.t: ERROR: line 31: add rule netdev test-netdev egress arp plen { 33, 55, 67, 88}: This rule should not have failed.
+arp/arp.t: ERROR: line 32: add rule netdev test-netdev egress arp plen != { 33, 55, 67, 88}: This rule should not have failed.
+arp/arp.t: ERROR: line 34: add rule netdev test-netdev egress arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}: This rule should not have failed.
+arp/arp.t: ERROR: line 35: add rule netdev test-netdev egress arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request}: This rule should not have failed.
+arp/arp.t: ERROR: line 36: add rule netdev test-netdev egress arp operation 1-2: This rule should not have failed.
+arp/arp.t: ERROR: line 37: add rule netdev test-netdev egress arp operation request: This rule should not have failed.
+arp/arp.t: ERROR: line 38: add rule netdev test-netdev egress arp operation reply: This rule should not have failed.
+arp/arp.t: ERROR: line 39: add rule netdev test-netdev egress arp operation rrequest: This rule should not have failed.
+arp/arp.t: ERROR: line 40: add rule netdev test-netdev egress arp operation rreply: This rule should not have failed.
+arp/arp.t: ERROR: line 41: add rule netdev test-netdev egress arp operation inrequest: This rule should not have failed.
+arp/arp.t: ERROR: line 42: add rule netdev test-netdev egress arp operation inreply: This rule should not have failed.
+arp/arp.t: ERROR: line 43: add rule netdev test-netdev egress arp operation nak: This rule should not have failed.
+arp/arp.t: ERROR: line 44: add rule netdev test-netdev egress arp operation != request: This rule should not have failed.
+arp/arp.t: ERROR: line 45: add rule netdev test-netdev egress arp operation != reply: This rule should not have failed.
+arp/arp.t: ERROR: line 46: add rule netdev test-netdev egress arp operation != rrequest: This rule should not have failed.
+arp/arp.t: ERROR: line 47: add rule netdev test-netdev egress arp operation != rreply: This rule should not have failed.
+arp/arp.t: ERROR: line 48: add rule netdev test-netdev egress arp operation != inrequest: This rule should not have failed.
+arp/arp.t: ERROR: line 49: add rule netdev test-netdev egress arp operation != inreply: This rule should not have failed.
+arp/arp.t: ERROR: line 50: add rule netdev test-netdev egress arp operation != nak: This rule should not have failed.
+arp/arp.t: ERROR: line 52: add rule netdev test-netdev egress arp saddr ip 1.2.3.4: This rule should not have failed.
+arp/arp.t: ERROR: line 53: add rule netdev test-netdev egress arp daddr ip 4.3.2.1: This rule should not have failed.
+arp/arp.t: ERROR: line 54: add rule netdev test-netdev egress arp saddr ether aa:bb:cc:aa:bb:cc: This rule should not have failed.
+arp/arp.t: ERROR: line 55: add rule netdev test-netdev egress arp daddr ether aa:bb:cc:aa:bb:cc: This rule should not have failed.
+arp/arp.t: ERROR: line 57: add rule netdev test-netdev egress arp saddr ip 192.168.1.1 arp daddr ether fe:ed:00:c0:ff:ee: This rule should not have failed.
+arp/arp.t: ERROR: line 58: add rule netdev test-netdev egress arp daddr ether fe:ed:00:c0:ff:ee arp saddr ip 192.168.1.1: This rule should not have failed.
+arp/arp.t: ERROR: line 60: add rule netdev test-netdev egress meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566: This rule should not have failed.
+arp/arp.t: ERROR: line 60: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+bridge/meta.t: OK
+bridge/redirect.t: ERROR: line 5: add rule bridge test-bridge prerouting meta broute set 1: This rule should not have failed.
+bridge/icmpX.t: OK
+bridge/vlan.t: ERROR: line 3: I cannot create the chain 'egress'
+bridge/vlan.t: ERROR: line 8: add rule netdev test-netdev egress vlan id 4094: This rule should not have failed.
+bridge/vlan.t: ERROR: line 9: add rule netdev test-netdev egress vlan id 0: This rule should not have failed.
+bridge/vlan.t: ERROR: line 12: add rule netdev test-netdev egress vlan id 4094 vlan dei 0: This rule should not have failed.
+bridge/vlan.t: ERROR: line 13: add rule netdev test-netdev egress vlan id 4094 vlan dei 1: This rule should not have failed.
+bridge/vlan.t: ERROR: line 14: add rule netdev test-netdev egress vlan id 4094 vlan dei != 1: This rule should not have failed.
+bridge/vlan.t: ERROR: line 15: add rule netdev test-netdev egress vlan id 4094 vlan cfi 1: This rule should not have failed.
+bridge/vlan.t: ERROR: line 19: add rule netdev test-netdev egress vlan id 4094 vlan dei 1 vlan pcp 7: This rule should not have failed.
+bridge/vlan.t: ERROR: line 20: add rule netdev test-netdev egress vlan id 4094 vlan dei 1 vlan pcp 3: This rule should not have failed.
+bridge/vlan.t: ERROR: line 22: add rule netdev test-netdev egress ether type vlan vlan id 4094: This rule should not have failed.
+bridge/vlan.t: ERROR: line 23: add rule netdev test-netdev egress ether type vlan vlan id 0: This rule should not have failed.
+bridge/vlan.t: ERROR: line 24: add rule netdev test-netdev egress ether type vlan vlan id 4094 vlan dei 0: This rule should not have failed.
+bridge/vlan.t: ERROR: line 25: add rule netdev test-netdev egress ether type vlan vlan id 4094 vlan dei 1: This rule should not have failed.
+bridge/vlan.t: ERROR: line 28: add rule netdev test-netdev egress vlan id 4094 tcp dport 22: This rule should not have failed.
+bridge/vlan.t: ERROR: line 29: add rule netdev test-netdev egress vlan id 1 ip saddr 10.0.0.1: This rule should not have failed.
+bridge/vlan.t: ERROR: line 30: add rule netdev test-netdev egress vlan id 1 ip saddr 10.0.0.0/23: This rule should not have failed.
+bridge/vlan.t: ERROR: line 31: add rule netdev test-netdev egress vlan id 1 ip saddr 10.0.0.0/23 udp dport 53: This rule should not have failed.
+bridge/vlan.t: ERROR: line 32: add rule netdev test-netdev egress ether type vlan vlan id 1 ip saddr 10.0.0.0/23 udp dport 53: This rule should not have failed.
+bridge/vlan.t: ERROR: line 34: add rule netdev test-netdev egress vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3: This rule should not have failed.
+bridge/vlan.t: ERROR: line 37: add rule netdev test-netdev egress ether type vlan ip protocol 1 accept: This rule should not have failed.
+bridge/vlan.t: ERROR: line 40: add rule netdev test-netdev egress ether type 8021ad vlan id 1 ip protocol 6 accept: This rule should not have failed.
+bridge/vlan.t: ERROR: line 41: add rule netdev test-netdev egress ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter: This rule should not have failed.
+bridge/vlan.t: ERROR: line 42: add rule netdev test-netdev egress ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6: This rule should not have failed.
+bridge/vlan.t: ERROR: line 49: add rule netdev test-netdev egress vlan id 1 vlan id set 2: This rule should not have failed.
+bridge/vlan.t: ERROR: line 51: add rule netdev test-netdev egress ether saddr 00:01:02:03:04:05 vlan id 1: This rule should not have failed.
+bridge/vlan.t: ERROR: line 52: add rule netdev test-netdev egress vlan id 2 ether saddr 0:1:2:3:4:6: This rule should not have failed.
+bridge/vlan.t: ERROR: line 54: add rule netdev test-netdev egress ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 }: This rule should not have failed.
+bridge/vlan.t: ERROR: line 54: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+bridge/ether.t: OK
+bridge/reject.t: OK
+inet/ipsec.t: OK
+inet/vmap.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/vmap.t: ERROR: line 8: add rule netdev test-netdev egress iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop }: This rule should not have failed.
+inet/vmap.t: ERROR: line 9: add rule inet test-inet input ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }: This rule should not have failed.
+inet/vmap.t: ERROR: line 10: add rule netdev test-netdev egress udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept }: This rule should not have failed.
+inet/vmap.t: ERROR: line 10: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/meta.t: OK
+inet/snat.t: OK
+inet/ether-ip.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/ether-ip.t: ERROR: line 8: add rule netdev test-netdev egress tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept: This rule should not have failed.
+inet/ether-ip.t: ERROR: line 9: add rule netdev test-netdev egress tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04: This rule should not have failed.
+inet/ether-ip.t: ERROR: line 9: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/rt.t: OK
+inet/ct.t: OK
+inet/ip.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/ip.t: ERROR: line 10: add rule netdev test-netdev egress ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe }: This rule should not have failed.
+inet/ip.t: ERROR: line 12: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/icmpX.t: OK
+inet/tcp.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/tcp.t: ERROR: line 12: add rule netdev test-netdev egress tcp dport 22: This rule should not have failed.
+inet/tcp.t: ERROR: line 13: add rule netdev test-netdev egress tcp dport != 233: This rule should not have failed.
+inet/tcp.t: ERROR: line 14: add rule netdev test-netdev egress tcp dport 33-45: This rule should not have failed.
+inet/tcp.t: ERROR: line 15: add rule netdev test-netdev egress tcp dport != 33-45: This rule should not have failed.
+inet/tcp.t: ERROR: line 16: add rule netdev test-netdev egress tcp dport { 33, 55, 67, 88}: This rule should not have failed.
+inet/tcp.t: ERROR: line 17: add rule netdev test-netdev egress tcp dport != { 33, 55, 67, 88}: This rule should not have failed.
+inet/tcp.t: ERROR: line 18: add rule netdev test-netdev egress tcp dport {telnet, http, https} accept: This rule should not have failed.
+inet/tcp.t: ERROR: line 19: add rule netdev test-netdev egress tcp dport vmap { 22 : accept, 23 : drop }: This rule should not have failed.
+inet/tcp.t: ERROR: line 20: add rule netdev test-netdev egress tcp dport vmap { 25:accept, 28:drop }: This rule should not have failed.
+inet/tcp.t: ERROR: line 21: add rule netdev test-netdev egress tcp dport { 22, 53, 80, 110 }: This rule should not have failed.
+inet/tcp.t: ERROR: line 22: add rule netdev test-netdev egress tcp dport != { 22, 53, 80, 110 }: This rule should not have failed.
+inet/tcp.t: ERROR: line 26: add rule netdev test-netdev egress tcp sport 22: This rule should not have failed.
+inet/tcp.t: ERROR: line 27: add rule netdev test-netdev egress tcp sport != 233: This rule should not have failed.
+inet/tcp.t: ERROR: line 28: add rule netdev test-netdev egress tcp sport 33-45: This rule should not have failed.
+inet/tcp.t: ERROR: line 29: add rule netdev test-netdev egress tcp sport != 33-45: This rule should not have failed.
+inet/tcp.t: ERROR: line 30: add rule netdev test-netdev egress tcp sport { 33, 55, 67, 88}: This rule should not have failed.
+inet/tcp.t: ERROR: line 31: add rule netdev test-netdev egress tcp sport != { 33, 55, 67, 88}: This rule should not have failed.
+inet/tcp.t: ERROR: line 32: add rule netdev test-netdev egress tcp sport vmap { 25:accept, 28:drop }: This rule should not have failed.
+inet/tcp.t: ERROR: line 34: add rule netdev test-netdev egress tcp sport 8080 drop: This rule should not have failed.
+inet/tcp.t: ERROR: line 35: add rule netdev test-netdev egress tcp sport 1024 tcp dport 22: This rule should not have failed.
+inet/tcp.t: ERROR: line 36: add rule netdev test-netdev egress tcp sport 1024 tcp dport 22 tcp sequence 0: This rule should not have failed.
+inet/tcp.t: ERROR: line 38: add rule netdev test-netdev egress tcp sequence 0 tcp sport 1024 tcp dport 22: This rule should not have failed.
+inet/tcp.t: ERROR: line 39: add rule netdev test-netdev egress tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22: This rule should not have failed.
+inet/tcp.t: ERROR: line 41: add rule netdev test-netdev egress tcp sequence 22: This rule should not have failed.
+inet/tcp.t: ERROR: line 42: add rule netdev test-netdev egress tcp sequence != 233: This rule should not have failed.
+inet/tcp.t: ERROR: line 43: add rule netdev test-netdev egress tcp sequence 33-45: This rule should not have failed.
+inet/tcp.t: ERROR: line 44: add rule netdev test-netdev egress tcp sequence != 33-45: This rule should not have failed.
+inet/tcp.t: ERROR: line 45: add rule netdev test-netdev egress tcp sequence { 33, 55, 67, 88}: This rule should not have failed.
+inet/tcp.t: ERROR: line 46: add rule netdev test-netdev egress tcp sequence != { 33, 55, 67, 88}: This rule should not have failed.
+inet/tcp.t: ERROR: line 48: add rule netdev test-netdev egress tcp ackseq 42949672 drop: This rule should not have failed.
+inet/tcp.t: ERROR: line 49: add rule netdev test-netdev egress tcp ackseq 22: This rule should not have failed.
+inet/tcp.t: ERROR: line 50: add rule netdev test-netdev egress tcp ackseq != 233: This rule should not have failed.
+inet/tcp.t: ERROR: line 51: add rule netdev test-netdev egress tcp ackseq 33-45: This rule should not have failed.
+inet/tcp.t: ERROR: line 52: add rule netdev test-netdev egress tcp ackseq != 33-45: This rule should not have failed.
+inet/tcp.t: ERROR: line 53: add rule netdev test-netdev egress tcp ackseq { 33, 55, 67, 88}: This rule should not have failed.
+inet/tcp.t: ERROR: line 54: add rule netdev test-netdev egress tcp ackseq != { 33, 55, 67, 88}: This rule should not have failed.
+inet/tcp.t: ERROR: line 66: add rule netdev test-netdev egress tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop: This rule should not have failed.
+inet/tcp.t: ERROR: line 67: add rule netdev test-netdev egress tcp flags != { fin, urg, ecn, cwr} drop: This rule should not have failed.
+inet/tcp.t: ERROR: line 68: add rule netdev test-netdev egress tcp flags cwr: This rule should not have failed.
+inet/tcp.t: ERROR: line 69: add rule netdev test-netdev egress tcp flags != cwr: This rule should not have failed.
+inet/tcp.t: ERROR: line 70: add rule netdev test-netdev egress tcp flags == syn: This rule should not have failed.
+inet/tcp.t: ERROR: line 71: add rule netdev test-netdev egress tcp flags fin,syn / fin,syn: This rule should not have failed.
+inet/tcp.t: ERROR: line 72: add rule netdev test-netdev egress tcp flags != syn / fin,syn: This rule should not have failed.
+inet/tcp.t: ERROR: line 73: add rule netdev test-netdev egress tcp flags & syn != 0: This rule should not have failed.
+inet/tcp.t: ERROR: line 74: add rule netdev test-netdev egress tcp flags & syn == 0: This rule should not have failed.
+inet/tcp.t: ERROR: line 75: add rule netdev test-netdev egress tcp flags & (syn | ack) != 0: This rule should not have failed.
+inet/tcp.t: ERROR: line 76: add rule netdev test-netdev egress tcp flags & (syn | ack) == 0: This rule should not have failed.
+inet/tcp.t: ERROR: line 78: add rule netdev test-netdev egress tcp flags & syn == syn: This rule should not have failed.
+inet/tcp.t: ERROR: line 79: add rule netdev test-netdev egress tcp flags & syn != syn: This rule should not have failed.
+inet/tcp.t: ERROR: line 80: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | ack) syn: This rule should not have failed.
+inet/tcp.t: ERROR: line 81: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | ack) == syn: This rule should not have failed.
+inet/tcp.t: ERROR: line 82: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | ack) != syn: This rule should not have failed.
+inet/tcp.t: ERROR: line 83: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | ack) == (syn | ack): This rule should not have failed.
+inet/tcp.t: ERROR: line 84: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | ack) != (syn | ack): This rule should not have failed.
+inet/tcp.t: ERROR: line 85: add rule netdev test-netdev egress tcp flags & (syn | ack) == (syn | ack): This rule should not have failed.
+inet/tcp.t: ERROR: line 86: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr: This rule should not have failed.
+inet/tcp.t: ERROR: line 87: add rule netdev test-netdev egress tcp flags { syn, syn | ack }: This rule should not have failed.
+inet/tcp.t: ERROR: line 88: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack }: This rule should not have failed.
+inet/tcp.t: ERROR: line 89: add rule netdev test-netdev egress tcp flags ! fin,rst: This rule should not have failed.
+inet/tcp.t: ERROR: line 92: add rule netdev test-netdev egress tcp window 22222: This rule should not have failed.
+inet/tcp.t: ERROR: line 93: add rule netdev test-netdev egress tcp window 22: This rule should not have failed.
+inet/tcp.t: ERROR: line 94: add rule netdev test-netdev egress tcp window != 233: This rule should not have failed.
+inet/tcp.t: ERROR: line 95: add rule netdev test-netdev egress tcp window 33-45: This rule should not have failed.
+inet/tcp.t: ERROR: line 96: add rule netdev test-netdev egress tcp window != 33-45: This rule should not have failed.
+inet/tcp.t: ERROR: line 97: add rule netdev test-netdev egress tcp window { 33, 55, 67, 88}: This rule should not have failed.
+inet/tcp.t: ERROR: line 98: add rule netdev test-netdev egress tcp window != { 33, 55, 67, 88}: This rule should not have failed.
+inet/tcp.t: ERROR: line 100: add rule netdev test-netdev egress tcp checksum 22: This rule should not have failed.
+inet/tcp.t: ERROR: line 101: add rule netdev test-netdev egress tcp checksum != 233: This rule should not have failed.
+inet/tcp.t: ERROR: line 102: add rule netdev test-netdev egress tcp checksum 33-45: This rule should not have failed.
+inet/tcp.t: ERROR: line 103: add rule netdev test-netdev egress tcp checksum != 33-45: This rule should not have failed.
+inet/tcp.t: ERROR: line 104: add rule netdev test-netdev egress tcp checksum { 33, 55, 67, 88}: This rule should not have failed.
+inet/tcp.t: ERROR: line 105: add rule netdev test-netdev egress tcp checksum != { 33, 55, 67, 88}: This rule should not have failed.
+inet/tcp.t: ERROR: line 107: add rule netdev test-netdev egress tcp urgptr 1234 accept: This rule should not have failed.
+inet/tcp.t: ERROR: line 108: add rule netdev test-netdev egress tcp urgptr 22: This rule should not have failed.
+inet/tcp.t: ERROR: line 109: add rule netdev test-netdev egress tcp urgptr != 233: This rule should not have failed.
+inet/tcp.t: ERROR: line 110: add rule netdev test-netdev egress tcp urgptr 33-45: This rule should not have failed.
+inet/tcp.t: ERROR: line 111: add rule netdev test-netdev egress tcp urgptr != 33-45: This rule should not have failed.
+inet/tcp.t: ERROR: line 112: add rule netdev test-netdev egress tcp urgptr { 33, 55, 67, 88}: This rule should not have failed.
+inet/tcp.t: ERROR: line 113: add rule netdev test-netdev egress tcp urgptr != { 33, 55, 67, 88}: This rule should not have failed.
+inet/tcp.t: ERROR: line 115: add rule netdev test-netdev egress tcp doff 8: This rule should not have failed.
+inet/tcp.t: ERROR: line 115: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/icmp.t: OK
+inet/socket.t: OK
+inet/udplite.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/udplite.t: ERROR: line 10: add rule netdev test-netdev egress udplite sport 80 accept: This rule should not have failed.
+inet/udplite.t: ERROR: line 11: add rule netdev test-netdev egress udplite sport != 60 accept: This rule should not have failed.
+inet/udplite.t: ERROR: line 12: add rule netdev test-netdev egress udplite sport 50-70 accept: This rule should not have failed.
+inet/udplite.t: ERROR: line 13: add rule netdev test-netdev egress udplite sport != 50-60 accept: This rule should not have failed.
+inet/udplite.t: ERROR: line 14: add rule netdev test-netdev egress udplite sport { 49, 50} drop: This rule should not have failed.
+inet/udplite.t: ERROR: line 15: add rule netdev test-netdev egress udplite sport != { 49, 50} accept: This rule should not have failed.
+inet/udplite.t: ERROR: line 17: add rule netdev test-netdev egress udplite dport 80 accept: This rule should not have failed.
+inet/udplite.t: ERROR: line 18: add rule netdev test-netdev egress udplite dport != 60 accept: This rule should not have failed.
+inet/udplite.t: ERROR: line 19: add rule netdev test-netdev egress udplite dport 70-75 accept: This rule should not have failed.
+inet/udplite.t: ERROR: line 20: add rule netdev test-netdev egress udplite dport != 50-60 accept: This rule should not have failed.
+inet/udplite.t: ERROR: line 21: add rule netdev test-netdev egress udplite dport { 49, 50} drop: This rule should not have failed.
+inet/udplite.t: ERROR: line 22: add rule netdev test-netdev egress udplite dport != { 49, 50} accept: This rule should not have failed.
+inet/udplite.t: ERROR: line 31: add rule netdev test-netdev egress udplite checksum 6666 drop: This rule should not have failed.
+inet/udplite.t: ERROR: line 32: add rule netdev test-netdev egress udplite checksum != { 444, 555} accept: This rule should not have failed.
+inet/udplite.t: ERROR: line 33: add rule netdev test-netdev egress udplite checksum 22: This rule should not have failed.
+inet/udplite.t: ERROR: line 34: add rule netdev test-netdev egress udplite checksum != 233: This rule should not have failed.
+inet/udplite.t: ERROR: line 35: add rule netdev test-netdev egress udplite checksum 33-45: This rule should not have failed.
+inet/udplite.t: ERROR: line 36: add rule netdev test-netdev egress udplite checksum != 33-45: This rule should not have failed.
+inet/udplite.t: ERROR: line 37: add rule netdev test-netdev egress udplite checksum { 33, 55, 67, 88}: This rule should not have failed.
+inet/udplite.t: ERROR: line 38: add rule netdev test-netdev egress udplite checksum != { 33, 55, 67, 88}: This rule should not have failed.
+inet/udplite.t: ERROR: line 38: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/dccp.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/dccp.t: ERROR: line 10: add rule netdev test-netdev egress dccp sport 21-35: This rule should not have failed.
+inet/dccp.t: ERROR: line 11: add rule netdev test-netdev egress dccp sport != 21-35: This rule should not have failed.
+inet/dccp.t: ERROR: line 12: add rule netdev test-netdev egress dccp sport {23, 24, 25}: This rule should not have failed.
+inet/dccp.t: ERROR: line 13: add rule netdev test-netdev egress dccp sport != {23, 24, 25}: This rule should not have failed.
+inet/dccp.t: ERROR: line 15: add rule netdev test-netdev egress dccp sport 20-50: This rule should not have failed.
+inet/dccp.t: ERROR: line 19: add rule netdev test-netdev egress dccp dport {23, 24, 25}: This rule should not have failed.
+inet/dccp.t: ERROR: line 20: add rule netdev test-netdev egress dccp dport != {23, 24, 25}: This rule should not have failed.
+inet/dccp.t: ERROR: line 22: add rule netdev test-netdev egress dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}: This rule should not have failed.
+inet/dccp.t: ERROR: line 23: add rule netdev test-netdev egress dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}: This rule should not have failed.
+inet/dccp.t: ERROR: line 24: add rule netdev test-netdev egress dccp type request: This rule should not have failed.
+inet/dccp.t: ERROR: line 25: add rule netdev test-netdev egress dccp type != request: This rule should not have failed.
+inet/dccp.t: ERROR: line 27: add rule ip test-ip4 input dccp option 0 exists: This rule should not have failed.
+inet/dccp.t: ERROR: line 28: add rule ip test-ip4 input dccp option 43 missing: This rule should not have failed.
+inet/dccp.t: ERROR: line 29: add rule ip test-ip4 input dccp option 255 exists: This rule should not have failed.
+inet/dccp.t: ERROR: line 30: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/tproxy.t: OK
+inet/ether.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/ether.t: ERROR: line 11: add rule netdev test-netdev egress tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept: This rule should not have failed.
+inet/ether.t: ERROR: line 12: add rule netdev test-netdev egress tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept: This rule should not have failed.
+inet/ether.t: ERROR: line 14: add rule netdev test-netdev egress ether saddr 00:0f:54:0c:11:04 accept: This rule should not have failed.
+inet/ether.t: ERROR: line 16: add rule netdev test-netdev egress vlan id 1: This rule should not have failed.
+inet/ether.t: ERROR: line 17: add rule netdev test-netdev egress ether type vlan vlan id 2: This rule should not have failed.
+inet/ether.t: ERROR: line 20: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/synproxy.t: OK
+inet/sctp.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/sctp.t: ERROR: line 10: add rule netdev test-netdev egress sctp sport 23: This rule should not have failed.
+inet/sctp.t: ERROR: line 11: add rule netdev test-netdev egress sctp sport != 23: This rule should not have failed.
+inet/sctp.t: ERROR: line 12: add rule netdev test-netdev egress sctp sport 23-44: This rule should not have failed.
+inet/sctp.t: ERROR: line 13: add rule netdev test-netdev egress sctp sport != 23-44: This rule should not have failed.
+inet/sctp.t: ERROR: line 14: add rule netdev test-netdev egress sctp sport { 23, 24, 25}: This rule should not have failed.
+inet/sctp.t: ERROR: line 15: add rule netdev test-netdev egress sctp sport != { 23, 24, 25}: This rule should not have failed.
+inet/sctp.t: ERROR: line 17: add rule netdev test-netdev egress sctp dport 23: This rule should not have failed.
+inet/sctp.t: ERROR: line 18: add rule netdev test-netdev egress sctp dport != 23: This rule should not have failed.
+inet/sctp.t: ERROR: line 19: add rule netdev test-netdev egress sctp dport 23-44: This rule should not have failed.
+inet/sctp.t: ERROR: line 20: add rule netdev test-netdev egress sctp dport != 23-44: This rule should not have failed.
+inet/sctp.t: ERROR: line 21: add rule netdev test-netdev egress sctp dport { 23, 24, 25}: This rule should not have failed.
+inet/sctp.t: ERROR: line 22: add rule netdev test-netdev egress sctp dport != { 23, 24, 25}: This rule should not have failed.
+inet/sctp.t: ERROR: line 24: add rule netdev test-netdev egress sctp checksum 1111: This rule should not have failed.
+inet/sctp.t: ERROR: line 25: add rule netdev test-netdev egress sctp checksum != 11: This rule should not have failed.
+inet/sctp.t: ERROR: line 26: add rule netdev test-netdev egress sctp checksum 21-333: This rule should not have failed.
+inet/sctp.t: ERROR: line 27: add rule netdev test-netdev egress sctp checksum != 32-111: This rule should not have failed.
+inet/sctp.t: ERROR: line 28: add rule netdev test-netdev egress sctp checksum { 22, 33, 44}: This rule should not have failed.
+inet/sctp.t: ERROR: line 29: add rule netdev test-netdev egress sctp checksum != { 22, 33, 44}: This rule should not have failed.
+inet/sctp.t: ERROR: line 31: add rule netdev test-netdev egress sctp vtag 22: This rule should not have failed.
+inet/sctp.t: ERROR: line 32: add rule netdev test-netdev egress sctp vtag != 233: This rule should not have failed.
+inet/sctp.t: ERROR: line 33: add rule netdev test-netdev egress sctp vtag 33-45: This rule should not have failed.
+inet/sctp.t: ERROR: line 34: add rule netdev test-netdev egress sctp vtag != 33-45: This rule should not have failed.
+inet/sctp.t: ERROR: line 35: add rule netdev test-netdev egress sctp vtag {33, 55, 67, 88}: This rule should not have failed.
+inet/sctp.t: ERROR: line 36: add rule netdev test-netdev egress sctp vtag != {33, 55, 67, 88}: This rule should not have failed.
+inet/sctp.t: ERROR: line 39: add rule ip test-ip4 input sctp chunk data exists: This rule should not have failed.
+inet/sctp.t: ERROR: line 40: add rule ip test-ip4 input sctp chunk init exists: This rule should not have failed.
+inet/sctp.t: ERROR: line 41: add rule ip test-ip4 input sctp chunk init-ack exists: This rule should not have failed.
+inet/sctp.t: ERROR: line 42: add rule ip test-ip4 input sctp chunk sack exists: This rule should not have failed.
+inet/sctp.t: ERROR: line 43: add rule ip test-ip4 input sctp chunk heartbeat exists: This rule should not have failed.
+inet/sctp.t: ERROR: line 44: add rule ip test-ip4 input sctp chunk heartbeat-ack exists: This rule should not have failed.
+inet/sctp.t: ERROR: line 45: add rule ip test-ip4 input sctp chunk abort exists: This rule should not have failed.
+inet/sctp.t: ERROR: line 46: add rule ip test-ip4 input sctp chunk shutdown exists: This rule should not have failed.
+inet/sctp.t: ERROR: line 47: add rule ip test-ip4 input sctp chunk shutdown-ack exists: This rule should not have failed.
+inet/sctp.t: ERROR: line 48: add rule ip test-ip4 input sctp chunk error exists: This rule should not have failed.
+inet/sctp.t: ERROR: line 49: add rule ip test-ip4 input sctp chunk cookie-echo exists: This rule should not have failed.
+inet/sctp.t: ERROR: line 50: add rule ip test-ip4 input sctp chunk cookie-ack exists: This rule should not have failed.
+inet/sctp.t: ERROR: line 51: add rule ip test-ip4 input sctp chunk ecne exists: This rule should not have failed.
+inet/sctp.t: ERROR: line 52: add rule ip test-ip4 input sctp chunk cwr exists: This rule should not have failed.
+inet/sctp.t: ERROR: line 53: add rule ip test-ip4 input sctp chunk shutdown-complete exists: This rule should not have failed.
+inet/sctp.t: ERROR: line 54: add rule ip test-ip4 input sctp chunk asconf-ack exists: This rule should not have failed.
+inet/sctp.t: ERROR: line 55: add rule ip test-ip4 input sctp chunk forward-tsn exists: This rule should not have failed.
+inet/sctp.t: ERROR: line 56: add rule ip test-ip4 input sctp chunk asconf exists: This rule should not have failed.
+inet/sctp.t: ERROR: line 59: add rule ip test-ip4 input sctp chunk data type 0: This rule should not have failed.
+inet/sctp.t: ERROR: line 60: add rule ip test-ip4 input sctp chunk init flags 23: This rule should not have failed.
+inet/sctp.t: ERROR: line 61: add rule ip test-ip4 input sctp chunk init-ack length 42: This rule should not have failed.
+inet/sctp.t: ERROR: line 64: add rule ip test-ip4 input sctp chunk data stream 1337: This rule should not have failed.
+inet/sctp.t: ERROR: line 65: add rule ip test-ip4 input sctp chunk init initial-tsn 5: This rule should not have failed.
+inet/sctp.t: ERROR: line 66: add rule ip test-ip4 input sctp chunk init-ack num-outbound-streams 3: This rule should not have failed.
+inet/sctp.t: ERROR: line 67: add rule ip test-ip4 input sctp chunk sack a-rwnd 1: This rule should not have failed.
+inet/sctp.t: ERROR: line 68: add rule ip test-ip4 input sctp chunk shutdown cum-tsn-ack 65535: This rule should not have failed.
+inet/sctp.t: ERROR: line 69: add rule ip test-ip4 input sctp chunk ecne lowest-tsn 5: This rule should not have failed.
+inet/sctp.t: ERROR: line 70: add rule ip test-ip4 input sctp chunk cwr lowest-tsn 8: This rule should not have failed.
+inet/sctp.t: ERROR: line 71: add rule ip test-ip4 input sctp chunk asconf-ack seqno 12345: This rule should not have failed.
+inet/sctp.t: ERROR: line 72: add rule ip test-ip4 input sctp chunk forward-tsn new-cum-tsn 31337: This rule should not have failed.
+inet/sctp.t: ERROR: line 73: add rule ip test-ip4 input sctp chunk asconf seqno 12345: This rule should not have failed.
+inet/sctp.t: ERROR: line 73: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/map.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/map.t: ERROR: line 9: add rule netdev test-netdev egress mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017}: This rule should not have failed.
+inet/map.t: ERROR: line 10: add rule netdev test-netdev egress mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001}: This rule should not have failed.
+inet/map.t: ERROR: line 10: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/ip_tcp.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/ip_tcp.t: ERROR: line 10: add rule netdev test-netdev egress ip protocol tcp tcp dport 22: This rule should not have failed.
+inet/ip_tcp.t: ERROR: line 13: add rule netdev test-netdev egress ip protocol tcp ip saddr 1.2.3.4 tcp dport 22: This rule should not have failed.
+inet/ip_tcp.t: ERROR: line 16: add rule netdev test-netdev egress ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22: This rule should not have failed.
+inet/ip_tcp.t: ERROR: line 19: add rule netdev test-netdev egress ip protocol tcp counter tcp dport 22: This rule should not have failed.
+inet/ip_tcp.t: ERROR: line 21: add rule netdev test-netdev egress ether type ip tcp dport 22: This rule should not have failed.
+inet/ip_tcp.t: ERROR: line 21: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/fib.t: OK
+inet/vxlan.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/vxlan.t: ERROR: line 11: add rule ip test-ip4 input udp dport 4789 vxlan vni 10: This rule should not have failed.
+inet/vxlan.t: ERROR: line 12: add rule ip test-ip4 input udp dport 4789 vxlan ip saddr 10.141.11.2: This rule should not have failed.
+inet/vxlan.t: ERROR: line 13: add rule ip test-ip4 input udp dport 4789 vxlan ip saddr 10.141.11.0/24: This rule should not have failed.
+inet/vxlan.t: ERROR: line 14: add rule ip test-ip4 input udp dport 4789 vxlan ip protocol 1: This rule should not have failed.
+inet/vxlan.t: ERROR: line 15: add rule ip test-ip4 input udp dport 4789 vxlan udp sport 8888: This rule should not have failed.
+inet/vxlan.t: ERROR: line 16: add rule ip test-ip4 input udp dport 4789 vxlan icmp type echo-reply: This rule should not have failed.
+inet/vxlan.t: ERROR: line 17: add rule ip test-ip4 input udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05: This rule should not have failed.
+inet/vxlan.t: ERROR: line 18: add rule ip test-ip4 input udp dport 4789 vxlan vlan id 10: This rule should not have failed.
+inet/vxlan.t: ERROR: line 19: add rule ip test-ip4 input udp dport 4789 vxlan ip dscp 0x02: This rule should not have failed.
+inet/vxlan.t: ERROR: line 20: add rule ip test-ip4 input udp dport 4789 vxlan ip dscp 0x02: This rule should not have failed.
+inet/vxlan.t: ERROR: line 21: add rule ip test-ip4 input udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }: This rule should not have failed.
+inet/vxlan.t: ERROR: line 23: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/ah.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/ah.t: ERROR: line 22: add rule netdev test-netdev egress ah hdrlength 11-23: This rule should not have failed.
+inet/ah.t: ERROR: line 23: add rule netdev test-netdev egress ah hdrlength != 11-23: This rule should not have failed.
+inet/ah.t: ERROR: line 24: add rule netdev test-netdev egress ah hdrlength {11, 23, 44 }: This rule should not have failed.
+inet/ah.t: ERROR: line 25: add rule netdev test-netdev egress ah hdrlength != {11, 23, 44 }: This rule should not have failed.
+inet/ah.t: ERROR: line 27: add rule netdev test-netdev egress ah reserved 22: This rule should not have failed.
+inet/ah.t: ERROR: line 28: add rule netdev test-netdev egress ah reserved != 233: This rule should not have failed.
+inet/ah.t: ERROR: line 29: add rule netdev test-netdev egress ah reserved 33-45: This rule should not have failed.
+inet/ah.t: ERROR: line 30: add rule netdev test-netdev egress ah reserved != 33-45: This rule should not have failed.
+inet/ah.t: ERROR: line 31: add rule netdev test-netdev egress ah reserved {23, 100}: This rule should not have failed.
+inet/ah.t: ERROR: line 32: add rule netdev test-netdev egress ah reserved != {23, 100}: This rule should not have failed.
+inet/ah.t: ERROR: line 34: add rule netdev test-netdev egress ah spi 111: This rule should not have failed.
+inet/ah.t: ERROR: line 35: add rule netdev test-netdev egress ah spi != 111: This rule should not have failed.
+inet/ah.t: ERROR: line 36: add rule netdev test-netdev egress ah spi 111-222: This rule should not have failed.
+inet/ah.t: ERROR: line 37: add rule netdev test-netdev egress ah spi != 111-222: This rule should not have failed.
+inet/ah.t: ERROR: line 38: add rule netdev test-netdev egress ah spi {111, 122}: This rule should not have failed.
+inet/ah.t: ERROR: line 39: add rule netdev test-netdev egress ah spi != {111, 122}: This rule should not have failed.
+inet/ah.t: ERROR: line 42: add rule netdev test-netdev egress ah sequence 123: This rule should not have failed.
+inet/ah.t: ERROR: line 43: add rule netdev test-netdev egress ah sequence != 123: This rule should not have failed.
+inet/ah.t: ERROR: line 44: add rule netdev test-netdev egress ah sequence {23, 25, 33}: This rule should not have failed.
+inet/ah.t: ERROR: line 45: add rule netdev test-netdev egress ah sequence != {23, 25, 33}: This rule should not have failed.
+inet/ah.t: ERROR: line 46: add rule netdev test-netdev egress ah sequence 23-33: This rule should not have failed.
+inet/ah.t: ERROR: line 47: add rule netdev test-netdev egress ah sequence != 23-33: This rule should not have failed.
+inet/ah.t: ERROR: line 47: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/dnat.t: OK
+inet/esp.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/esp.t: ERROR: line 10: add rule netdev test-netdev egress esp spi 100: This rule should not have failed.
+inet/esp.t: ERROR: line 11: add rule netdev test-netdev egress esp spi != 100: This rule should not have failed.
+inet/esp.t: ERROR: line 12: add rule netdev test-netdev egress esp spi 111-222: This rule should not have failed.
+inet/esp.t: ERROR: line 13: add rule netdev test-netdev egress esp spi != 111-222: This rule should not have failed.
+inet/esp.t: ERROR: line 14: add rule netdev test-netdev egress esp spi { 100, 102}: This rule should not have failed.
+inet/esp.t: ERROR: line 15: add rule netdev test-netdev egress esp spi != { 100, 102}: This rule should not have failed.
+inet/esp.t: ERROR: line 17: add rule netdev test-netdev egress esp sequence 22: This rule should not have failed.
+inet/esp.t: ERROR: line 18: add rule netdev test-netdev egress esp sequence 22-24: This rule should not have failed.
+inet/esp.t: ERROR: line 19: add rule netdev test-netdev egress esp sequence != 22-24: This rule should not have failed.
+inet/esp.t: ERROR: line 20: add rule netdev test-netdev egress esp sequence { 22, 24}: This rule should not have failed.
+inet/esp.t: ERROR: line 21: add rule netdev test-netdev egress esp sequence != { 22, 24}: This rule should not have failed.
+inet/esp.t: ERROR: line 21: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/geneve.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/geneve.t: ERROR: line 11: add rule ip test-ip4 input udp dport 6081 geneve vni 10: This rule should not have failed.
+inet/geneve.t: ERROR: line 12: add rule ip test-ip4 input udp dport 6081 geneve ip saddr 10.141.11.2: This rule should not have failed.
+inet/geneve.t: ERROR: line 13: add rule ip test-ip4 input udp dport 6081 geneve ip saddr 10.141.11.0/24: This rule should not have failed.
+inet/geneve.t: ERROR: line 14: add rule ip test-ip4 input udp dport 6081 geneve ip protocol 1: This rule should not have failed.
+inet/geneve.t: ERROR: line 15: add rule ip test-ip4 input udp dport 6081 geneve udp sport 8888: This rule should not have failed.
+inet/geneve.t: ERROR: line 16: add rule ip test-ip4 input udp dport 6081 geneve icmp type echo-reply: This rule should not have failed.
+inet/geneve.t: ERROR: line 17: add rule ip test-ip4 input udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05: This rule should not have failed.
+inet/geneve.t: ERROR: line 18: add rule ip test-ip4 input udp dport 6081 geneve vlan id 10: This rule should not have failed.
+inet/geneve.t: ERROR: line 19: add rule ip test-ip4 input udp dport 6081 geneve ip dscp 0x02: This rule should not have failed.
+inet/geneve.t: ERROR: line 20: add rule ip test-ip4 input udp dport 6081 geneve ip dscp 0x02: This rule should not have failed.
+inet/geneve.t: ERROR: line 21: add rule ip test-ip4 input udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 }: This rule should not have failed.
+inet/geneve.t: ERROR: line 23: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/udp.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/udp.t: ERROR: line 10: add rule netdev test-netdev egress udp sport 80 accept: This rule should not have failed.
+inet/udp.t: ERROR: line 11: add rule netdev test-netdev egress udp sport != 60 accept: This rule should not have failed.
+inet/udp.t: ERROR: line 12: add rule netdev test-netdev egress udp sport 50-70 accept: This rule should not have failed.
+inet/udp.t: ERROR: line 13: add rule netdev test-netdev egress udp sport != 50-60 accept: This rule should not have failed.
+inet/udp.t: ERROR: line 14: add rule netdev test-netdev egress udp sport { 49, 50} drop: This rule should not have failed.
+inet/udp.t: ERROR: line 15: add rule netdev test-netdev egress udp sport != { 50, 60} accept: This rule should not have failed.
+inet/udp.t: ERROR: line 19: add rule netdev test-netdev egress udp dport 80 accept: This rule should not have failed.
+inet/udp.t: ERROR: line 20: add rule netdev test-netdev egress udp dport != 60 accept: This rule should not have failed.
+inet/udp.t: ERROR: line 21: add rule netdev test-netdev egress udp dport 70-75 accept: This rule should not have failed.
+inet/udp.t: ERROR: line 22: add rule netdev test-netdev egress udp dport != 50-60 accept: This rule should not have failed.
+inet/udp.t: ERROR: line 23: add rule netdev test-netdev egress udp dport { 49, 50} drop: This rule should not have failed.
+inet/udp.t: ERROR: line 24: add rule netdev test-netdev egress udp dport != { 50, 60} accept: This rule should not have failed.
+inet/udp.t: ERROR: line 26: add rule netdev test-netdev egress udp length 6666: This rule should not have failed.
+inet/udp.t: ERROR: line 27: add rule netdev test-netdev egress udp length != 6666: This rule should not have failed.
+inet/udp.t: ERROR: line 28: add rule netdev test-netdev egress udp length 50-65 accept: This rule should not have failed.
+inet/udp.t: ERROR: line 29: add rule netdev test-netdev egress udp length != 50-65 accept: This rule should not have failed.
+inet/udp.t: ERROR: line 30: add rule netdev test-netdev egress udp length { 50, 65} accept: This rule should not have failed.
+inet/udp.t: ERROR: line 31: add rule netdev test-netdev egress udp length != { 50, 65} accept: This rule should not have failed.
+inet/udp.t: ERROR: line 33: add rule netdev test-netdev egress udp checksum 6666 drop: This rule should not have failed.
+inet/udp.t: ERROR: line 34: add rule netdev test-netdev egress udp checksum != { 444, 555} accept: This rule should not have failed.
+inet/udp.t: ERROR: line 36: add rule netdev test-netdev egress udp checksum 22: This rule should not have failed.
+inet/udp.t: ERROR: line 37: add rule netdev test-netdev egress udp checksum != 233: This rule should not have failed.
+inet/udp.t: ERROR: line 38: add rule netdev test-netdev egress udp checksum 33-45: This rule should not have failed.
+inet/udp.t: ERROR: line 39: add rule netdev test-netdev egress udp checksum != 33-45: This rule should not have failed.
+inet/udp.t: ERROR: line 40: add rule netdev test-netdev egress udp checksum { 33, 55, 67, 88}: This rule should not have failed.
+inet/udp.t: ERROR: line 41: add rule netdev test-netdev egress udp checksum != { 33, 55, 67, 88}: This rule should not have failed.
+inet/udp.t: ERROR: line 44: add rule netdev test-netdev egress iif "lo" udp checksum set 0: This rule should not have failed.
+inet/udp.t: ERROR: line 45: add rule netdev test-netdev egress iif "lo" udp dport set 65535: This rule should not have failed.
+inet/udp.t: ERROR: line 45: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/sets.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/sets.t: ERROR: line 15: add rule netdev test-netdev egress ip saddr @set1 drop: This rule should not have failed.
+inet/sets.t: ERROR: line 18: add rule netdev test-netdev egress ip6 daddr != @set2 accept: This rule should not have failed.
+inet/sets.t: ERROR: line 24: add rule netdev test-netdev egress ip saddr . ip daddr . tcp dport @set3 accept: This rule should not have failed.
+inet/sets.t: ERROR: line 25: add rule netdev test-netdev egress ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept: This rule should not have failed.
+inet/sets.t: ERROR: line 25: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/gretap.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/gretap.t: ERROR: line 10: add rule ip test-ip4 input gretap ip saddr 10.141.11.2: This rule should not have failed.
+inet/gretap.t: ERROR: line 11: add rule ip test-ip4 input gretap ip saddr 10.141.11.0/24: This rule should not have failed.
+inet/gretap.t: ERROR: line 12: add rule ip test-ip4 input gretap ip protocol 1: This rule should not have failed.
+inet/gretap.t: ERROR: line 13: add rule ip test-ip4 input gretap udp sport 8888: This rule should not have failed.
+inet/gretap.t: ERROR: line 14: add rule ip test-ip4 input gretap icmp type echo-reply: This rule should not have failed.
+inet/gretap.t: ERROR: line 15: add rule ip test-ip4 input gretap ether saddr 62:87:4d:d6:19:05: This rule should not have failed.
+inet/gretap.t: ERROR: line 16: add rule ip test-ip4 input gretap vlan id 10: This rule should not have failed.
+inet/gretap.t: ERROR: line 17: add rule ip test-ip4 input gretap ip dscp 0x02: This rule should not have failed.
+inet/gretap.t: ERROR: line 18: add rule ip test-ip4 input gretap ip dscp 0x02: This rule should not have failed.
+inet/gretap.t: ERROR: line 19: add rule ip test-ip4 input gretap ip saddr . gretap ip daddr { 1.2.3.4 . 4.3.2.1 }: This rule should not have failed.
+inet/gretap.t: ERROR: line 21: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/osf.t: OK
+inet/gre.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/gre.t: ERROR: line 10: add rule netdev test-netdev egress gre version 0: This rule should not have failed.
+inet/gre.t: ERROR: line 11: add rule ip test-ip4 input gre ip saddr 10.141.11.2: This rule should not have failed.
+inet/gre.t: ERROR: line 12: add rule ip test-ip4 input gre ip saddr 10.141.11.0/24: This rule should not have failed.
+inet/gre.t: ERROR: line 13: add rule ip test-ip4 input gre ip protocol 1: This rule should not have failed.
+inet/gre.t: ERROR: line 14: add rule ip test-ip4 input gre udp sport 8888: This rule should not have failed.
+inet/gre.t: ERROR: line 15: add rule ip test-ip4 input gre icmp type echo-reply: This rule should not have failed.
+inet/gre.t: ERROR: line 18: add rule ip test-ip4 input gre ip dscp 0x02: This rule should not have failed.
+inet/gre.t: ERROR: line 19: add rule ip test-ip4 input gre ip dscp 0x02: This rule should not have failed.
+inet/gre.t: ERROR: line 20: add rule ip test-ip4 input gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 }: This rule should not have failed.
+inet/gre.t: ERROR: line 22: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/comp.t: ERROR: line 3: I cannot create the chain 'egress'
+inet/comp.t: ERROR: line 12: add rule netdev test-netdev egress comp nexthdr != esp: This rule should not have failed.
+inet/comp.t: ERROR: line 18: add rule netdev test-netdev egress comp flags 0x0: This rule should not have failed.
+inet/comp.t: ERROR: line 19: add rule netdev test-netdev egress comp flags != 0x23: This rule should not have failed.
+inet/comp.t: ERROR: line 20: add rule netdev test-netdev egress comp flags 0x33-0x45: This rule should not have failed.
+inet/comp.t: ERROR: line 21: add rule netdev test-netdev egress comp flags != 0x33-0x45: This rule should not have failed.
+inet/comp.t: ERROR: line 22: add rule netdev test-netdev egress comp flags {0x33, 0x55, 0x67, 0x88}: This rule should not have failed.
+inet/comp.t: ERROR: line 23: add rule netdev test-netdev egress comp flags != {0x33, 0x55, 0x67, 0x88}: This rule should not have failed.
+inet/comp.t: ERROR: line 25: add rule netdev test-netdev egress comp cpi 22: This rule should not have failed.
+inet/comp.t: ERROR: line 26: add rule netdev test-netdev egress comp cpi != 233: This rule should not have failed.
+inet/comp.t: ERROR: line 27: add rule netdev test-netdev egress comp cpi 33-45: This rule should not have failed.
+inet/comp.t: ERROR: line 28: add rule netdev test-netdev egress comp cpi != 33-45: This rule should not have failed.
+inet/comp.t: ERROR: line 29: add rule netdev test-netdev egress comp cpi {33, 55, 67, 88}: This rule should not have failed.
+inet/comp.t: ERROR: line 30: add rule netdev test-netdev egress comp cpi != {33, 55, 67, 88}: This rule should not have failed.
+inet/comp.t: ERROR: line 30: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+inet/reject.t: OK
+ip/meta.t: OK
+ip/snat.t: OK
+ip/masquerade.t: OK
+ip/redirect.t: OK
+ip/rt.t: OK
+ip/ct.t: OK
+ip/hash.t: OK
+ip/ip.t: ERROR: line 3: I cannot create the chain 'egress'
+ip/ip.t: ERROR: line 28: add rule netdev test-netdev egress ip dscp cs1: This rule should not have failed.
+ip/ip.t: ERROR: line 29: add rule netdev test-netdev egress ip dscp != cs1: This rule should not have failed.
+ip/ip.t: ERROR: line 30: add rule netdev test-netdev egress ip dscp 0x38: This rule should not have failed.
+ip/ip.t: ERROR: line 31: add rule netdev test-netdev egress ip dscp != 0x20: This rule should not have failed.
+ip/ip.t: ERROR: line 32: add rule netdev test-netdev egress ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}: This rule should not have failed.
+ip/ip.t: ERROR: line 34: add rule netdev test-netdev egress ip dscp != {cs0, cs3}: This rule should not have failed.
+ip/ip.t: ERROR: line 35: add rule netdev test-netdev egress ip dscp vmap { cs1 : continue , cs4 : accept } counter: This rule should not have failed.
+ip/ip.t: ERROR: line 37: add rule netdev test-netdev egress ip length 232: This rule should not have failed.
+ip/ip.t: ERROR: line 38: add rule netdev test-netdev egress ip length != 233: This rule should not have failed.
+ip/ip.t: ERROR: line 39: add rule netdev test-netdev egress ip length 333-435: This rule should not have failed.
+ip/ip.t: ERROR: line 40: add rule netdev test-netdev egress ip length != 333-453: This rule should not have failed.
+ip/ip.t: ERROR: line 41: add rule netdev test-netdev egress ip length { 333, 553, 673, 838}: This rule should not have failed.
+ip/ip.t: ERROR: line 42: add rule netdev test-netdev egress ip length != { 333, 553, 673, 838}: This rule should not have failed.
+ip/ip.t: ERROR: line 44: add rule netdev test-netdev egress ip id 22: This rule should not have failed.
+ip/ip.t: ERROR: line 45: add rule netdev test-netdev egress ip id != 233: This rule should not have failed.
+ip/ip.t: ERROR: line 46: add rule netdev test-netdev egress ip id 33-45: This rule should not have failed.
+ip/ip.t: ERROR: line 47: add rule netdev test-netdev egress ip id != 33-45: This rule should not have failed.
+ip/ip.t: ERROR: line 48: add rule netdev test-netdev egress ip id { 33, 55, 67, 88}: This rule should not have failed.
+ip/ip.t: ERROR: line 49: add rule netdev test-netdev egress ip id != { 33, 55, 67, 88}: This rule should not have failed.
+ip/ip.t: ERROR: line 51: add rule netdev test-netdev egress ip frag-off 222 accept: This rule should not have failed.
+ip/ip.t: ERROR: line 52: add rule netdev test-netdev egress ip frag-off != 233: This rule should not have failed.
+ip/ip.t: ERROR: line 53: add rule netdev test-netdev egress ip frag-off 33-45: This rule should not have failed.
+ip/ip.t: ERROR: line 54: add rule netdev test-netdev egress ip frag-off != 33-45: This rule should not have failed.
+ip/ip.t: ERROR: line 55: add rule netdev test-netdev egress ip frag-off { 33, 55, 67, 88}: This rule should not have failed.
+ip/ip.t: ERROR: line 56: add rule netdev test-netdev egress ip frag-off != { 33, 55, 67, 88}: This rule should not have failed.
+ip/ip.t: ERROR: line 58: add rule netdev test-netdev egress ip ttl 0 drop: This rule should not have failed.
+ip/ip.t: ERROR: line 59: add rule netdev test-netdev egress ip ttl 233: This rule should not have failed.
+ip/ip.t: ERROR: line 60: add rule netdev test-netdev egress ip ttl 33-55: This rule should not have failed.
+ip/ip.t: ERROR: line 61: add rule netdev test-netdev egress ip ttl != 45-50: This rule should not have failed.
+ip/ip.t: ERROR: line 62: add rule netdev test-netdev egress ip ttl {43, 53, 45 }: This rule should not have failed.
+ip/ip.t: ERROR: line 63: add rule netdev test-netdev egress ip ttl != {43, 53, 45 }: This rule should not have failed.
+ip/ip.t: ERROR: line 65: add rule netdev test-netdev egress ip protocol tcp: This rule should not have failed.
+ip/ip.t: ERROR: line 66: add rule netdev test-netdev egress ip protocol != tcp: This rule should not have failed.
+ip/ip.t: ERROR: line 67: add rule netdev test-netdev egress ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept: This rule should not have failed.
+ip/ip.t: ERROR: line 68: add rule netdev test-netdev egress ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept: This rule should not have failed.
+ip/ip.t: ERROR: line 70: add rule netdev test-netdev egress ip protocol 255: This rule should not have failed.
+ip/ip.t: ERROR: line 73: add rule netdev test-netdev egress ip checksum 13172 drop: This rule should not have failed.
+ip/ip.t: ERROR: line 74: add rule netdev test-netdev egress ip checksum 22: This rule should not have failed.
+ip/ip.t: ERROR: line 75: add rule netdev test-netdev egress ip checksum != 233: This rule should not have failed.
+ip/ip.t: ERROR: line 76: add rule netdev test-netdev egress ip checksum 33-45: This rule should not have failed.
+ip/ip.t: ERROR: line 77: add rule netdev test-netdev egress ip checksum != 33-45: This rule should not have failed.
+ip/ip.t: ERROR: line 78: add rule netdev test-netdev egress ip checksum { 33, 55, 67, 88}: This rule should not have failed.
+ip/ip.t: ERROR: line 79: add rule netdev test-netdev egress ip checksum != { 33, 55, 67, 88}: This rule should not have failed.
+ip/ip.t: ERROR: line 83: add rule netdev test-netdev egress ip saddr 192.168.2.0/24: This rule should not have failed.
+ip/ip.t: ERROR: line 84: add rule netdev test-netdev egress ip saddr != 192.168.2.0/24: This rule should not have failed.
+ip/ip.t: ERROR: line 85: add rule netdev test-netdev egress ip saddr 192.168.3.1 ip daddr 192.168.3.100: This rule should not have failed.
+ip/ip.t: ERROR: line 86: add rule netdev test-netdev egress ip saddr != 1.1.1.1: This rule should not have failed.
+ip/ip.t: ERROR: line 87: add rule netdev test-netdev egress ip saddr 1.1.1.1: This rule should not have failed.
+ip/ip.t: ERROR: line 88: add rule netdev test-netdev egress ip daddr 192.168.0.1-192.168.0.250: This rule should not have failed.
+ip/ip.t: ERROR: line 89: add rule netdev test-netdev egress ip daddr 10.0.0.0-10.255.255.255: This rule should not have failed.
+ip/ip.t: ERROR: line 90: add rule netdev test-netdev egress ip daddr 172.16.0.0-172.31.255.255: This rule should not have failed.
+ip/ip.t: ERROR: line 91: add rule netdev test-netdev egress ip daddr 192.168.3.1-192.168.4.250: This rule should not have failed.
+ip/ip.t: ERROR: line 92: add rule netdev test-netdev egress ip daddr != 192.168.0.1-192.168.0.250: This rule should not have failed.
+ip/ip.t: ERROR: line 93: add rule netdev test-netdev egress ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept: This rule should not have failed.
+ip/ip.t: ERROR: line 94: add rule netdev test-netdev egress ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept: This rule should not have failed.
+ip/ip.t: ERROR: line 96: add rule netdev test-netdev egress ip daddr 192.168.1.2-192.168.1.55: This rule should not have failed.
+ip/ip.t: ERROR: line 97: add rule netdev test-netdev egress ip daddr != 192.168.1.2-192.168.1.55: This rule should not have failed.
+ip/ip.t: ERROR: line 98: add rule netdev test-netdev egress ip saddr 192.168.1.3-192.168.33.55: This rule should not have failed.
+ip/ip.t: ERROR: line 99: add rule netdev test-netdev egress ip saddr != 192.168.1.3-192.168.33.55: This rule should not have failed.
+ip/ip.t: ERROR: line 101: add rule netdev test-netdev egress ip daddr 192.168.0.1: This rule should not have failed.
+ip/ip.t: ERROR: line 102: add rule netdev test-netdev egress ip daddr 192.168.0.1 drop: This rule should not have failed.
+ip/ip.t: ERROR: line 103: add rule netdev test-netdev egress ip daddr 192.168.0.2: This rule should not have failed.
+ip/ip.t: ERROR: line 105: add rule netdev test-netdev egress ip saddr & 0xff == 1: This rule should not have failed.
+ip/ip.t: ERROR: line 106: add rule netdev test-netdev egress ip saddr & 0.0.0.255 < 0.0.0.127: This rule should not have failed.
+ip/ip.t: ERROR: line 108: add rule netdev test-netdev egress ip saddr & 0xffff0000 == 0xffff0000: This rule should not have failed.
+ip/ip.t: ERROR: line 110: add rule netdev test-netdev egress ip version 4 ip hdrlength 5: This rule should not have failed.
+ip/ip.t: ERROR: line 111: add rule netdev test-netdev egress ip hdrlength 0: This rule should not have failed.
+ip/ip.t: ERROR: line 112: add rule netdev test-netdev egress ip hdrlength 15: This rule should not have failed.
+ip/ip.t: ERROR: line 113: add rule netdev test-netdev egress ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter: This rule should not have failed.
+ip/ip.t: ERROR: line 117: add rule netdev test-netdev egress iif "lo" ip daddr set 127.0.0.1: This rule should not have failed.
+ip/ip.t: ERROR: line 118: add rule netdev test-netdev egress iif "lo" ip checksum set 0: This rule should not have failed.
+ip/ip.t: ERROR: line 119: add rule netdev test-netdev egress iif "lo" ip id set 0: This rule should not have failed.
+ip/ip.t: ERROR: line 120: add rule netdev test-netdev egress iif "lo" ip ecn set 1: This rule should not have failed.
+ip/ip.t: ERROR: line 121: add rule netdev test-netdev egress iif "lo" ip ecn set ce: This rule should not have failed.
+ip/ip.t: ERROR: line 122: add rule netdev test-netdev egress iif "lo" ip ttl set 23: This rule should not have failed.
+ip/ip.t: ERROR: line 123: add rule netdev test-netdev egress iif "lo" ip protocol set 1: This rule should not have failed.
+ip/ip.t: ERROR: line 125: add rule netdev test-netdev egress iif "lo" ip dscp set af23: This rule should not have failed.
+ip/ip.t: ERROR: line 126: add rule netdev test-netdev egress iif "lo" ip dscp set cs0: This rule should not have failed.
+ip/ip.t: ERROR: line 128: add rule netdev test-netdev egress ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 }: This rule should not have failed.
+ip/ip.t: ERROR: line 129: add rule netdev test-netdev egress ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept }: This rule should not have failed.
+ip/ip.t: ERROR: line 129: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+ip/igmp.t: OK
+ip/tcp.t: OK
+ip/icmp.t: OK
+ip/flowtable.t: OK
+ip/dup.t: OK
+ip/tproxy.t: OK
+ip/ether.t: OK
+ip/objects.t: OK
+ip/ip_tcp.t: OK
+ip/dnat.t: OK
+ip/sets.t: ERROR: line 3: I cannot create the chain 'egress'
+ip/sets.t: ERROR: line 32: add rule netdev test-netdev egress ip saddr @set1 drop: This rule should not have failed.
+ip/sets.t: ERROR: line 33: add rule netdev test-netdev egress ip saddr != @set1 drop: This rule should not have failed.
+ip/sets.t: ERROR: line 34: add rule netdev test-netdev egress ip saddr @set2 drop: This rule should not have failed.
+ip/sets.t: ERROR: line 35: add rule netdev test-netdev egress ip saddr != @set2 drop: This rule should not have failed.
+ip/sets.t: ERROR: line 52: add rule netdev test-netdev egress ip saddr . ip daddr @set5 drop: This rule should not have failed.
+ip/sets.t: ERROR: line 53: add rule netdev test-netdev egress add @set5 { ip saddr . ip daddr }: This rule should not have failed.
+ip/sets.t: ERROR: line 56: add rule netdev test-netdev egress ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 }: This rule should not have failed.
+ip/sets.t: ERROR: line 57: add rule netdev test-netdev egress ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 }: This rule should not have failed.
+ip/sets.t: ERROR: line 60: add element ip test-ip4 set6 {  192.168.3.5,  * }: This rule should not have failed.
+ip/sets.t: ERROR: line 61: add rule netdev test-netdev egress ip saddr @set6 drop: This rule should not have failed.
+ip/sets.t: ERROR: line 63: add rule ip test-ip4 input ip saddr vmap { 1.1.1.1 : drop, * : accept }: This rule should not have failed.
+ip/sets.t: ERROR: line 64: add rule ip test-ip4 input meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 }: This rule should not have failed.
+ip/sets.t: ERROR: line 65: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+ip/numgen.t: OK
+ip/reject.t: OK
+ip6/vmap.t: ERROR: line 3: I cannot create the chain 'egress'
+ip6/vmap.t: ERROR: line 9: add rule netdev test-netdev egress ip6 saddr vmap { abcd::3 : accept }: This rule should not have failed.
+ip6/vmap.t: ERROR: line 14: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 15: add rule netdev test-netdev egress ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 16: add rule netdev test-netdev egress ip6 saddr vmap { 1234::1234:1234:1234:1234:1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 17: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234::1234:1234:1234:1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 18: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234::1234:1234:1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 19: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234::1234:1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 20: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234::1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 21: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234:1234::1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 22: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:: : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 23: add rule netdev test-netdev egress ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 24: add rule netdev test-netdev egress ip6 saddr vmap { 1234::1234:1234:1234:1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 25: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234::1234:1234:1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 26: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234::1234:1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 27: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234::1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 28: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234::1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 29: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:: : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 30: add rule netdev test-netdev egress ip6 saddr vmap { ::1234:1234:1234:1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 31: add rule netdev test-netdev egress ip6 saddr vmap { 1234::1234:1234:1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 32: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234::1234:1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 33: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234::1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 34: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234::1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 35: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234::  : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 36: add rule netdev test-netdev egress ip6 saddr vmap { ::1234:1234:1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 37: add rule netdev test-netdev egress ip6 saddr vmap { 1234::1234:1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 38: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234::1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 39: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234::1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 40: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:: : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 41: add rule netdev test-netdev egress ip6 saddr vmap { ::1234:1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 42: add rule netdev test-netdev egress ip6 saddr vmap { 1234::1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 43: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234::1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 44: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:: : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 45: add rule netdev test-netdev egress ip6 saddr vmap { ::1234:1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 46: add rule netdev test-netdev egress ip6 saddr vmap { 1234::1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 47: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:: : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 48: add rule netdev test-netdev egress ip6 saddr vmap { ::1234 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 49: add rule netdev test-netdev egress ip6 saddr vmap { 1234:: : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 50: add rule netdev test-netdev egress ip6 saddr vmap { ::/64 : accept}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 52: add rule netdev test-netdev egress ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:: : accept, ::aaaa : drop}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 53: add rule netdev test-netdev egress ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept, ::bbbb : drop}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 54: add rule netdev test-netdev egress ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::cccc : drop}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 55: add rule netdev test-netdev egress ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::dddd: drop}: This rule should not have failed.
+ip6/vmap.t: ERROR: line 58: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+ip6/rt0.t: OK
+ip6/meta.t: OK
+ip6/snat.t: OK
+ip6/srh.t: OK
+ip6/masquerade.t: OK
+ip6/redirect.t: OK
+ip6/rt.t: OK
+ip6/icmpv6.t: OK
+ip6/ct.t: OK
+ip6/flowtable.t: OK
+ip6/dst.t: OK
+ip6/ip6.t: OK
+ip6/dup.t: OK
+ip6/tproxy.t: OK
+ip6/ether.t: OK
+ip6/hbh.t: OK
+ip6/map.t: OK
+ip6/frag.t: ERROR: line 3: I cannot create the chain 'egress'
+ip6/frag.t: ERROR: line 9: add rule netdev test-netdev egress frag nexthdr tcp: This rule should not have failed.
+ip6/frag.t: ERROR: line 10: add rule netdev test-netdev egress frag nexthdr != icmp: This rule should not have failed.
+ip6/frag.t: ERROR: line 11: add rule netdev test-netdev egress frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp}: This rule should not have failed.
+ip6/frag.t: ERROR: line 12: add rule netdev test-netdev egress frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp}: This rule should not have failed.
+ip6/frag.t: ERROR: line 13: add rule netdev test-netdev egress frag nexthdr esp: This rule should not have failed.
+ip6/frag.t: ERROR: line 14: add rule netdev test-netdev egress frag nexthdr ah: This rule should not have failed.
+ip6/frag.t: ERROR: line 16: add rule netdev test-netdev egress frag reserved 22: This rule should not have failed.
+ip6/frag.t: ERROR: line 17: add rule netdev test-netdev egress frag reserved != 233: This rule should not have failed.
+ip6/frag.t: ERROR: line 18: add rule netdev test-netdev egress frag reserved 33-45: This rule should not have failed.
+ip6/frag.t: ERROR: line 19: add rule netdev test-netdev egress frag reserved != 33-45: This rule should not have failed.
+ip6/frag.t: ERROR: line 20: add rule netdev test-netdev egress frag reserved { 33, 55, 67, 88}: This rule should not have failed.
+ip6/frag.t: ERROR: line 21: add rule netdev test-netdev egress frag reserved != { 33, 55, 67, 88}: This rule should not have failed.
+ip6/frag.t: ERROR: line 23: add rule netdev test-netdev egress frag frag-off 22: This rule should not have failed.
+ip6/frag.t: ERROR: line 24: add rule netdev test-netdev egress frag frag-off != 233: This rule should not have failed.
+ip6/frag.t: ERROR: line 25: add rule netdev test-netdev egress frag frag-off 33-45: This rule should not have failed.
+ip6/frag.t: ERROR: line 26: add rule netdev test-netdev egress frag frag-off != 33-45: This rule should not have failed.
+ip6/frag.t: ERROR: line 27: add rule netdev test-netdev egress frag frag-off { 33, 55, 67, 88}: This rule should not have failed.
+ip6/frag.t: ERROR: line 28: add rule netdev test-netdev egress frag frag-off != { 33, 55, 67, 88}: This rule should not have failed.
+ip6/frag.t: ERROR: line 30: add rule netdev test-netdev egress frag reserved2 1: This rule should not have failed.
+ip6/frag.t: ERROR: line 31: add rule netdev test-netdev egress frag more-fragments 0: This rule should not have failed.
+ip6/frag.t: ERROR: line 32: add rule netdev test-netdev egress frag more-fragments 1: This rule should not have failed.
+ip6/frag.t: ERROR: line 34: add rule netdev test-netdev egress frag id 1: This rule should not have failed.
+ip6/frag.t: ERROR: line 35: add rule netdev test-netdev egress frag id 22: This rule should not have failed.
+ip6/frag.t: ERROR: line 36: add rule netdev test-netdev egress frag id != 33: This rule should not have failed.
+ip6/frag.t: ERROR: line 37: add rule netdev test-netdev egress frag id 33-45: This rule should not have failed.
+ip6/frag.t: ERROR: line 38: add rule netdev test-netdev egress frag id != 33-45: This rule should not have failed.
+ip6/frag.t: ERROR: line 39: add rule netdev test-netdev egress frag id { 33, 55, 67, 88}: This rule should not have failed.
+ip6/frag.t: ERROR: line 40: add rule netdev test-netdev egress frag id != { 33, 55, 67, 88}: This rule should not have failed.
+ip6/frag.t: ERROR: line 40: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+ip6/exthdr.t: OK
+ip6/dnat.t: OK
+ip6/sets.t: ERROR: line 3: I cannot create the chain 'egress'
+ip6/sets.t: ERROR: line 25: add rule netdev test-netdev egress ip6 saddr @set2 drop: This rule should not have failed.
+ip6/sets.t: ERROR: line 26: add rule netdev test-netdev egress ip6 saddr != @set2 drop: This rule should not have failed.
+ip6/sets.t: ERROR: line 42: add rule netdev test-netdev egress ip6 saddr . ip6 daddr @set5 drop: This rule should not have failed.
+ip6/sets.t: ERROR: line 43: add rule netdev test-netdev egress add @set5 { ip6 saddr . ip6 daddr }: This rule should not have failed.
+ip6/sets.t: ERROR: line 44: add rule netdev test-netdev egress delete @set5 { ip6 saddr . ip6 daddr }: This rule should not have failed.
+ip6/sets.t: ERROR: line 44: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+ip6/mh.t: OK
+ip6/reject.t: OK
+netdev/dup.t: ERROR: line 2: I cannot create the chain 'egress'
+netdev/dup.t: ERROR: line 6: add rule netdev test-netdev egress dup to "lo": This rule should not have failed.
+netdev/dup.t: ERROR: line 7: add rule netdev test-netdev egress dup to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"}: This rule should not have failed.
+netdev/dup.t: ERROR: line 8: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+netdev/fwd.t: ERROR: line 2: I cannot create the chain 'egress'
+netdev/fwd.t: ERROR: line 6: add rule netdev test-netdev egress fwd to "lo": This rule should not have failed.
+netdev/fwd.t: ERROR: line 7: add rule netdev test-netdev egress fwd to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"}: This rule should not have failed.
+netdev/fwd.t: ERROR: line 9: add rule netdev test-netdev egress fwd ip to 192.168.2.200 device "lo": This rule should not have failed.
+netdev/fwd.t: ERROR: line 9: The chain egress does not exist in netdev test-netdev. I cannot delete it.
+netdev/reject.t: ERROR: line 5: add rule netdev test-netdev ingress reject with icmp host-unreachable: This rule should not have failed.
+netdev/reject.t: ERROR: line 6: add rule netdev test-netdev ingress reject with icmp net-unreachable: This rule should not have failed.
+netdev/reject.t: ERROR: line 7: add rule netdev test-netdev ingress reject with icmp prot-unreachable: This rule should not have failed.
+netdev/reject.t: ERROR: line 8: add rule netdev test-netdev ingress reject with icmp port-unreachable: This rule should not have failed.
+netdev/reject.t: ERROR: line 9: add rule netdev test-netdev ingress reject with icmp net-prohibited: This rule should not have failed.
+netdev/reject.t: ERROR: line 10: add rule netdev test-netdev ingress reject with icmp host-prohibited: This rule should not have failed.
+netdev/reject.t: ERROR: line 11: add rule netdev test-netdev ingress reject with icmp admin-prohibited: This rule should not have failed.
+netdev/reject.t: ERROR: line 13: add rule netdev test-netdev ingress reject with icmpv6 no-route: This rule should not have failed.
+netdev/reject.t: ERROR: line 14: add rule netdev test-netdev ingress reject with icmpv6 admin-prohibited: This rule should not have failed.
+netdev/reject.t: ERROR: line 15: add rule netdev test-netdev ingress reject with icmpv6 addr-unreachable: This rule should not have failed.
+netdev/reject.t: ERROR: line 16: add rule netdev test-netdev ingress reject with icmpv6 port-unreachable: This rule should not have failed.
+netdev/reject.t: ERROR: line 17: add rule netdev test-netdev ingress reject with icmpv6 policy-fail: This rule should not have failed.
+netdev/reject.t: ERROR: line 18: add rule netdev test-netdev ingress reject with icmpv6 reject-route: This rule should not have failed.
+netdev/reject.t: ERROR: line 20: add rule netdev test-netdev ingress mark 12345 reject with tcp reset: This rule should not have failed.
+netdev/reject.t: ERROR: line 22: add rule netdev test-netdev ingress reject: This rule should not have failed.
+netdev/reject.t: ERROR: line 23: add rule netdev test-netdev ingress meta protocol ip reject: This rule should not have failed.
+netdev/reject.t: ERROR: line 24: add rule netdev test-netdev ingress meta protocol ip6 reject: This rule should not have failed.
+netdev/reject.t: ERROR: line 26: add rule netdev test-netdev ingress reject with icmpx host-unreachable: This rule should not have failed.
+netdev/reject.t: ERROR: line 27: add rule netdev test-netdev ingress reject with icmpx no-route: This rule should not have failed.
+netdev/reject.t: ERROR: line 28: add rule netdev test-netdev ingress reject with icmpx admin-prohibited: This rule should not have failed.
+netdev/reject.t: ERROR: line 29: add rule netdev test-netdev ingress reject with icmpx port-unreachable: This rule should not have failed.
+netdev/reject.t: ERROR: line 31: add rule netdev test-netdev ingress meta protocol ip reject with icmp host-unreachable: This rule should not have failed.
+netdev/reject.t: ERROR: line 32: add rule netdev test-netdev ingress meta protocol ip6 reject with icmpv6 no-route: This rule should not have failed.
+netdev/reject.t: ERROR: line 39: add rule netdev test-netdev ingress meta protocol ip reject with icmpx admin-prohibited: This rule should not have failed.
+netdev/reject.t: ERROR: line 40: add rule netdev test-netdev ingress meta protocol ip6 reject with icmpx admin-prohibited: This rule should not have failed.
+104 test files, 68 files passed, 1988 unit tests, 
+805 error, 0 warning
+
+=================================================================
+==67823==ERROR: LeakSanitizer: detected memory leaks
+
+Direct leak of 464608 byte(s) in 116 object(s) allocated from:
+    #0 0x7f739491de8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
+    #1 0x4f1cca in PyObject_Malloc (/usr/bin/python3.9+0x4f1cca)
+
+Direct leak of 17699 byte(s) in 20 object(s) allocated from:
+    #0 0x7f739491de8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
+    #1 0x50ee7b  (/usr/bin/python3.9+0x50ee7b)
+
+Direct leak of 6256 byte(s) in 9 object(s) allocated from:
+    #0 0x7f739491de8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
+    #1 0x50c092 in PyDict_Copy (/usr/bin/python3.9+0x50c092)
+
+Direct leak of 5892 byte(s) in 8 object(s) allocated from:
+    #0 0x7f739491de8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
+    #1 0x4f2b1d  (/usr/bin/python3.9+0x4f2b1d)
+
+Direct leak of 4628 byte(s) in 6 object(s) allocated from:
+    #0 0x7f739491de8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
+    #1 0x4fcaef in PyMem_Malloc (/usr/bin/python3.9+0x4fcaef)
+
+Direct leak of 2656 byte(s) in 5 object(s) allocated from:
+    #0 0x7f739491de8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
+    #1 0x4f1b05  (/usr/bin/python3.9+0x4f1b05)
+
+Direct leak of 1226 byte(s) in 2 object(s) allocated from:
+    #0 0x7f739491de8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
+    #1 0x50ea16 in PyBytes_FromStringAndSize (/usr/bin/python3.9+0x50ea16)
+
+Direct leak of 1056 byte(s) in 2 object(s) allocated from:
+    #0 0x7f739491de8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
+    #1 0x4f1db2  (/usr/bin/python3.9+0x4f1db2)
+
+Direct leak of 936 byte(s) in 1 object(s) allocated from:
+    #0 0x7f739491de8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
+    #1 0x4fa38d in PyType_GenericAlloc (/usr/bin/python3.9+0x4fa38d)
+
+Direct leak of 96 byte(s) in 3 object(s) allocated from:
+    #0 0x7f739491de8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
+    #1 0x540d66  (/usr/bin/python3.9+0x540d66)
+
+Direct leak of 32 byte(s) in 1 object(s) allocated from:
+    #0 0x7f739491de8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
+    #1 0x4f00d3 in PyThread_allocate_lock (/usr/bin/python3.9+0x4f00d3)
+
+Indirect leak of 54968 byte(s) in 57 object(s) allocated from:
+    #0 0x7f739491de8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
+    #1 0x4fa38d in PyType_GenericAlloc (/usr/bin/python3.9+0x4fa38d)
+
+Indirect leak of 4963 byte(s) in 5 object(s) allocated from:
+    #0 0x7f739491de8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
+    #1 0x50ee7b  (/usr/bin/python3.9+0x50ee7b)
+
+Indirect leak of 4779 byte(s) in 5 object(s) allocated from:
+    #0 0x7f739491de8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
+    #1 0x4f2b1d  (/usr/bin/python3.9+0x4f2b1d)
+
+Indirect leak of 576 byte(s) in 1 object(s) allocated from:
+    #0 0x7f739491de8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
+    #1 0x4f1cca in PyObject_Malloc (/usr/bin/python3.9+0x4f1cca)
+
+SUMMARY: AddressSanitizer: 570371 byte(s) leaked in 241 allocation(s).
diff --git a/tests/py/netdev/dup.t b/tests/py/netdev/dup.t
new file mode 100644
index 0000000..5632802
--- /dev/null
+++ b/tests/py/netdev/dup.t
@@ -0,0 +1,8 @@
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*netdev;test-netdev;ingress,egress
+
+dup to "lo";ok
+dup to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"};ok
+
diff --git a/tests/py/netdev/dup.t.json b/tests/py/netdev/dup.t.json
new file mode 100644
index 0000000..dc56f64
--- /dev/null
+++ b/tests/py/netdev/dup.t.json
@@ -0,0 +1,30 @@
+# dup to "lo"
+[
+    {
+        "dup": {
+            "addr": "lo"
+        }
+    }
+]
+
+# dup to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"}
+[
+    {
+        "dup": {
+            "addr": {
+                "map": {
+                    "key": {
+                        "meta": { "key": "mark" }
+                    },
+                    "data": {
+                        "set": [
+                            [ 1, "lo" ],
+                            [ 2, "lo" ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
diff --git a/tests/py/netdev/dup.t.payload b/tests/py/netdev/dup.t.payload
new file mode 100644
index 0000000..51ff782
--- /dev/null
+++ b/tests/py/netdev/dup.t.payload
@@ -0,0 +1,14 @@
+# dup to "lo"
+netdev test-netdev ingress 
+  [ immediate reg 1 0x00000001 ]
+  [ dup sreg_dev 1 ]
+
+# dup to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 00000001  : 00000001 0 [end]	element 00000002  : 00000001 0 [end]
+netdev test-netdev ingress 
+  [ meta load mark => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ dup sreg_dev 1 ]
+
diff --git a/tests/py/netdev/fwd.t b/tests/py/netdev/fwd.t
new file mode 100644
index 0000000..6051560
--- /dev/null
+++ b/tests/py/netdev/fwd.t
@@ -0,0 +1,9 @@
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*netdev;test-netdev;ingress,egress
+
+fwd to "lo";ok
+fwd to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"};ok
+
+fwd ip to 192.168.2.200 device "lo";ok
diff --git a/tests/py/netdev/fwd.t.json b/tests/py/netdev/fwd.t.json
new file mode 100644
index 0000000..583606c
--- /dev/null
+++ b/tests/py/netdev/fwd.t.json
@@ -0,0 +1,47 @@
+# fwd to "lo"
+[
+    {
+        "fwd": {
+            "dev": "lo"
+	}
+    }
+]
+
+# fwd to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"}
+[
+    {
+        "fwd": {
+            "dev": {
+                "map": {
+                    "key": {
+                        "meta": { "key": "mark" }
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                "0x00000001",
+                                "lo"
+                            ],
+                            [
+                                "0x00000002",
+                                "lo"
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
+# fwd ip to 192.168.2.200 device "lo"
+[
+    {
+        "fwd": {
+            "addr": "192.168.2.200",
+            "dev": "lo",
+            "family": "ip"
+        }
+    }
+]
+
diff --git a/tests/py/netdev/fwd.t.json.output b/tests/py/netdev/fwd.t.json.output
new file mode 100644
index 0000000..8433e49
--- /dev/null
+++ b/tests/py/netdev/fwd.t.json.output
@@ -0,0 +1,27 @@
+# fwd to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"}
+[
+    {
+        "fwd": {
+            "dev": {
+                "map": {
+                    "key": {
+                        "meta": { "key": "mark" }
+                    },
+                    "data": {
+                        "set": [
+                            [
+                                1,
+                                "lo"
+                            ],
+                            [
+                                2,
+                                "lo"
+                            ]
+                        ]
+                    }
+                }
+            }
+        }
+    }
+]
+
diff --git a/tests/py/netdev/fwd.t.payload b/tests/py/netdev/fwd.t.payload
new file mode 100644
index 0000000..f03077a
--- /dev/null
+++ b/tests/py/netdev/fwd.t.payload
@@ -0,0 +1,20 @@
+# fwd to "lo"
+netdev test-netdev ingress 
+  [ immediate reg 1 0x00000001 ]
+  [ fwd sreg_dev 1 ]
+
+# fwd to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"}
+__map%d test-netdev b
+__map%d test-netdev 0
+	element 00000001  : 00000001 0 [end]	element 00000002  : 00000001 0 [end]
+netdev test-netdev ingress 
+  [ meta load mark => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ fwd sreg_dev 1 ]
+
+# fwd ip to 192.168.2.200 device "lo"
+netdev test-netdev ingress 
+  [ immediate reg 1 0x00000001 ]
+  [ immediate reg 2 0xc802a8c0 ]
+  [ fwd sreg_dev 1 sreg_addr 2 nfproto 2 ]
+
diff --git a/tests/py/netdev/reject.t b/tests/py/netdev/reject.t
new file mode 100644
index 0000000..c66e649
--- /dev/null
+++ b/tests/py/netdev/reject.t
@@ -0,0 +1,40 @@
+:ingress;type filter hook ingress device lo priority 0
+
+*netdev;test-netdev;ingress
+
+reject with icmp host-unreachable;ok
+reject with icmp net-unreachable;ok
+reject with icmp prot-unreachable;ok
+reject with icmp port-unreachable;ok
+reject with icmp net-prohibited;ok
+reject with icmp host-prohibited;ok
+reject with icmp admin-prohibited;ok
+
+reject with icmpv6 no-route;ok
+reject with icmpv6 admin-prohibited;ok
+reject with icmpv6 addr-unreachable;ok
+reject with icmpv6 port-unreachable;ok
+reject with icmpv6 policy-fail;ok
+reject with icmpv6 reject-route;ok
+
+mark 12345 reject with tcp reset;ok;meta l4proto 6 meta mark 0x00003039 reject with tcp reset
+
+reject;ok
+meta protocol ip reject;ok;reject with icmp port-unreachable
+meta protocol ip6 reject;ok;reject with icmpv6 port-unreachable
+
+reject with icmpx host-unreachable;ok
+reject with icmpx no-route;ok
+reject with icmpx admin-prohibited;ok
+reject with icmpx port-unreachable;ok;reject
+
+meta protocol ip reject with icmp host-unreachable;ok;reject with icmp host-unreachable
+meta protocol ip6 reject with icmpv6 no-route;ok;reject with icmpv6 no-route
+
+meta protocol ip6 reject with icmp host-unreachable;fail
+meta protocol ip ip protocol icmp reject with icmpv6 no-route;fail
+meta protocol ip6 ip protocol icmp reject with icmp host-unreachable;fail
+meta l4proto udp reject with tcp reset;fail
+
+meta protocol ip reject with icmpx admin-prohibited;ok
+meta protocol ip6 reject with icmpx admin-prohibited;ok
diff --git a/tests/py/netdev/reject.t.json b/tests/py/netdev/reject.t.json
new file mode 100644
index 0000000..9968aaf
--- /dev/null
+++ b/tests/py/netdev/reject.t.json
@@ -0,0 +1,293 @@
+# reject with icmp host-unreachable
+[
+    {
+        "reject": {
+            "expr": "host-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp net-unreachable
+[
+    {
+        "reject": {
+            "expr": "net-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp prot-unreachable
+[
+    {
+        "reject": {
+            "expr": "prot-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp port-unreachable
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp net-prohibited
+[
+    {
+        "reject": {
+            "expr": "net-prohibited",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp host-prohibited
+[
+    {
+        "reject": {
+            "expr": "host-prohibited",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmp admin-prohibited
+[
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmp"
+        }
+    }
+]
+
+# reject with icmpv6 no-route
+[
+    {
+        "reject": {
+            "expr": "no-route",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 admin-prohibited
+[
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 addr-unreachable
+[
+    {
+        "reject": {
+            "expr": "addr-unreachable",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 port-unreachable
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 policy-fail
+[
+    {
+        "reject": {
+            "expr": "policy-fail",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpv6 reject-route
+[
+    {
+        "reject": {
+            "expr": "reject-route",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# mark 12345 reject with tcp reset
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "mark"
+                }
+            },
+            "op": "==",
+            "right": 12345
+        }
+    },
+    {
+        "reject": {
+            "type": "tcp reset"
+        }
+    }
+]
+
+# reject
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmpx"
+        }
+    }
+]
+
+# meta protocol ip reject
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# meta protocol ip6 reject
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# reject with icmpx host-unreachable
+[
+    {
+        "reject": {
+            "expr": "host-unreachable",
+            "type": "icmpx"
+        }
+    }
+]
+
+# reject with icmpx no-route
+[
+    {
+        "reject": {
+            "expr": "no-route",
+            "type": "icmpx"
+        }
+    }
+]
+
+# reject with icmpx admin-prohibited
+[
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
+
+# reject with icmpx port-unreachable
+[
+    {
+        "reject": {
+            "expr": "port-unreachable",
+            "type": "icmpx"
+        }
+    }
+]
+
+# meta protocol ip reject with icmp host-unreachable
+[
+    {
+        "reject": {
+            "expr": "host-unreachable",
+            "type": "icmp"
+        }
+    }
+]
+
+# meta protocol ip6 reject with icmpv6 no-route
+[
+    {
+        "reject": {
+            "expr": "no-route",
+            "type": "icmpv6"
+        }
+    }
+]
+
+# meta protocol ip reject with icmpx admin-prohibited
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "protocol"
+                }
+            },
+            "op": "==",
+            "right": "ip"
+        }
+    },
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
+
+# meta protocol ip6 reject with icmpx admin-prohibited
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "protocol"
+                }
+            },
+            "op": "==",
+            "right": "ip6"
+        }
+    },
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
+
diff --git a/tests/py/netdev/reject.t.payload b/tests/py/netdev/reject.t.payload
new file mode 100644
index 0000000..d014ada
--- /dev/null
+++ b/tests/py/netdev/reject.t.payload
@@ -0,0 +1,142 @@
+# reject with icmp host-unreachable
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 0 code 1 ]
+
+# reject with icmp net-unreachable
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 0 code 0 ]
+
+# reject with icmp prot-unreachable
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 0 code 2 ]
+
+# reject with icmp port-unreachable
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 0 code 3 ]
+
+# reject with icmp net-prohibited
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 0 code 9 ]
+
+# reject with icmp host-prohibited
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 0 code 10 ]
+
+# reject with icmp admin-prohibited
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 0 code 13 ]
+
+# reject with icmpv6 no-route
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ reject type 0 code 0 ]
+
+# reject with icmpv6 admin-prohibited
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ reject type 0 code 1 ]
+
+# reject with icmpv6 addr-unreachable
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ reject type 0 code 3 ]
+
+# reject with icmpv6 port-unreachable
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ reject type 0 code 4 ]
+
+# reject with icmpv6 policy-fail
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ reject type 0 code 5 ]
+
+# reject with icmpv6 reject-route
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ reject type 0 code 6 ]
+
+# mark 12345 reject with tcp reset
+netdev 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ meta load mark => reg 1 ]
+  [ cmp eq reg 1 0x00003039 ]
+  [ reject type 1 code 0 ]
+
+# reject
+netdev 
+  [ reject type 2 code 1 ]
+
+# meta protocol ip reject
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 0 code 3 ]
+
+# meta protocol ip6 reject
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ reject type 0 code 4 ]
+
+# reject with icmpx host-unreachable
+netdev 
+  [ reject type 2 code 2 ]
+
+# reject with icmpx no-route
+netdev 
+  [ reject type 2 code 0 ]
+
+# reject with icmpx admin-prohibited
+netdev 
+  [ reject type 2 code 3 ]
+
+# reject with icmpx port-unreachable
+netdev 
+  [ reject type 2 code 1 ]
+
+# meta protocol ip reject with icmp host-unreachable
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 0 code 1 ]
+
+# meta protocol ip6 reject with icmpv6 no-route
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ reject type 0 code 0 ]
+
+# meta protocol ip reject with icmpx admin-prohibited
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 2 code 3 ]
+
+# meta protocol ip6 reject with icmpx admin-prohibited
+netdev 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ reject type 2 code 3 ]
+
diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
new file mode 100755
index 0000000..9a25503
--- /dev/null
+++ b/tests/py/nft-test.py
@@ -0,0 +1,1586 @@
+#!/usr/bin/env python
+#
+# (C) 2014 by Ana Rey Botello <anarey@gmail.com>
+#
+# Based on iptables-test.py:
+# (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>"
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Thanks to the Outreach Program for Women (OPW) for sponsoring this test
+# infrastructure.
+
+from __future__ import print_function
+import sys
+import os
+import argparse
+import signal
+import json
+import traceback
+import tempfile
+
+TESTS_PATH = os.path.dirname(os.path.abspath(__file__))
+sys.path.insert(0, os.path.join(TESTS_PATH, '../../py/'))
+os.environ['TZ'] = 'UTC-2'
+
+from nftables import Nftables
+
+TESTS_DIRECTORY = ["any", "arp", "bridge", "inet", "ip", "ip6", "netdev"]
+LOGFILE = "/tmp/nftables-test.log"
+log_file = None
+table_list = []
+chain_list = []
+all_set = dict()
+obj_list = []
+signal_received = 0
+
+
+class Colors:
+    if sys.stdout.isatty() and sys.stderr.isatty():
+        HEADER = '\033[95m'
+        GREEN = '\033[92m'
+        YELLOW = '\033[93m'
+        RED = '\033[91m'
+        ENDC = '\033[0m'
+    else:
+        HEADER = ''
+        GREEN = ''
+        YELLOW = ''
+        RED = ''
+        ENDC = ''
+
+
+class Chain:
+    """Class that represents a chain"""
+
+    def __init__(self, name, config, lineno):
+        self.name = name
+        self.config = config
+        self.lineno = lineno
+
+    def __eq__(self, other):
+        return self.__dict__ == other.__dict__
+
+    def __str__(self):
+        return "%s" % self.name
+
+
+class Table:
+    """Class that represents a table"""
+
+    def __init__(self, family, name, chains):
+        self.family = family
+        self.name = name
+        self.chains = chains
+
+    def __eq__(self, other):
+        return self.__dict__ == other.__dict__
+
+    def __str__(self):
+        return "%s %s" % (self.family, self.name)
+
+
+class Set:
+    """Class that represents a set"""
+
+    def __init__(self, family, table, name, type, data, timeout, flags):
+        self.family = family
+        self.table = table
+        self.name = name
+        self.type = type
+        self.data = data
+        self.timeout = timeout
+        self.flags = flags
+
+    def __eq__(self, other):
+        return self.__dict__ == other.__dict__
+
+
+class Obj:
+    """Class that represents an object"""
+
+    def __init__(self, table, family, name, type, spcf):
+        self.table = table
+        self.family = family
+        self.name = name
+        self.type = type
+        self.spcf = spcf
+
+    def __eq__(self, other):
+        return self.__dict__ == other.__dict__
+
+
+def print_msg(reason, errstr, filename=None, lineno=None, color=None):
+    '''
+    Prints a message with nice colors, indicating file and line number.
+    '''
+    color_errstr = "%s%s%s" % (color, errstr, Colors.ENDC)
+    if filename and lineno:
+        sys.stderr.write("%s: %s line %d: %s\n" %
+                         (filename, color_errstr, lineno + 1, reason))
+    else:
+        sys.stderr.write("%s %s\n" % (color_errstr, reason))
+    sys.stderr.flush() # So that the message stay in the right place.
+
+
+def print_error(reason, filename=None, lineno=None):
+    print_msg(reason, "ERROR:", filename, lineno, Colors.RED)
+
+
+def print_warning(reason, filename=None, lineno=None):
+    print_msg(reason, "WARNING:", filename, lineno, Colors.YELLOW)
+
+def print_info(reason, filename=None, lineno=None):
+    print_msg(reason, "INFO:", filename, lineno, Colors.GREEN)
+
+def color_differences(rule, other, color):
+    rlen = len(rule)
+    olen = len(other)
+    out = ""
+    i = 0
+
+    # find equal part at start
+    for i in range(rlen):
+        if i >= olen or rule[i] != other[i]:
+            break
+    if i > 0:
+        out += rule[:i]
+        rule = rule[i:]
+        other = other[i:]
+        rlen = len(rule)
+        olen = len(other)
+
+    # find equal part at end
+    for i in range(1, rlen + 1):
+        if i > olen or rule[rlen - i] != other[olen - i]:
+            i -= 1
+            break
+    if rlen > i:
+        out += color + rule[:rlen - i] + Colors.ENDC
+        rule = rule[rlen - i:]
+
+    out += rule
+    return out
+
+def print_differences_warning(filename, lineno, rule1, rule2, cmd):
+    colored_rule1 = color_differences(rule1, rule2, Colors.YELLOW)
+    colored_rule2 = color_differences(rule2, rule1, Colors.YELLOW)
+    reason = "'%s': '%s' mismatches '%s'" % (cmd, colored_rule1, colored_rule2)
+    print_warning(reason, filename, lineno)
+
+
+def print_differences_error(filename, lineno, cmd):
+    reason = "'%s': Listing is broken." % cmd
+    print_error(reason, filename, lineno)
+
+
+def table_exist(table, filename, lineno):
+    '''
+    Exists a table.
+    '''
+    cmd = "list table %s" % table
+    ret = execute_cmd(cmd, filename, lineno)
+
+    return True if (ret == 0) else False
+
+
+def table_flush(table, filename, lineno):
+    '''
+    Flush a table.
+    '''
+    cmd = "flush table %s" % table
+    execute_cmd(cmd, filename, lineno)
+
+    return cmd
+
+
+def table_create(table, filename, lineno):
+    '''
+    Adds a table.
+    '''
+    # We check if table exists.
+    if table_exist(table, filename, lineno):
+        reason = "Table %s already exists" % table
+        print_error(reason, filename, lineno)
+        return -1
+
+    table_list.append(table)
+
+    # We add a new table
+    cmd = "add table %s" % table
+    ret = execute_cmd(cmd, filename, lineno)
+
+    if ret != 0:
+        reason = "Cannot " + cmd
+        print_error(reason, filename, lineno)
+        table_list.remove(table)
+        return -1
+
+    # We check if table was added correctly.
+    if not table_exist(table, filename, lineno):
+        table_list.remove(table)
+        reason = "I have just added the table %s " \
+                 "but it does not exist. Giving up!" % table
+        print_error(reason, filename, lineno)
+        return -1
+
+    for table_chain in table.chains:
+        chain = chain_get_by_name(table_chain)
+        if chain is None:
+            reason = "The chain %s requested by table %s " \
+                     "does not exist." % (table_chain, table)
+            print_error(reason, filename, lineno)
+        else:
+            chain_create(chain, table, filename)
+
+    return 0
+
+
+def table_delete(table, filename=None, lineno=None):
+    '''
+    Deletes a table.
+    '''
+    if not table_exist(table, filename, lineno):
+        reason = "Table %s does not exist but I added it before." % table
+        print_error(reason, filename, lineno)
+        return -1
+
+    cmd = "delete table %s" % table
+    ret = execute_cmd(cmd, filename, lineno)
+    if ret != 0:
+        reason = "%s: I cannot delete table %s. Giving up!" % (cmd, table)
+        print_error(reason, filename, lineno)
+        return -1
+
+    if table_exist(table, filename, lineno):
+        reason = "I have just deleted the table %s " \
+                 "but it still exists." % table
+        print_error(reason, filename, lineno)
+        return -1
+
+    return 0
+
+
+def chain_exist(chain, table, filename):
+    '''
+    Checks a chain
+    '''
+    cmd = "list chain %s %s" % (table, chain)
+    ret = execute_cmd(cmd, filename, chain.lineno)
+
+    return True if (ret == 0) else False
+
+
+def chain_create(chain, table, filename):
+    '''
+    Adds a chain
+    '''
+    if chain_exist(chain, table, filename):
+        reason = "This chain '%s' exists in %s. I cannot create " \
+                 "two chains with same name." % (chain, table)
+        print_error(reason, filename, chain.lineno)
+        return -1
+
+    cmd = "add chain %s %s" % (table, chain)
+    if chain.config:
+        cmd += " { %s; }" % chain.config
+
+    ret = execute_cmd(cmd, filename, chain.lineno)
+    if ret != 0:
+        reason = "I cannot create the chain '%s'" % chain
+        print_error(reason, filename, chain.lineno)
+        return -1
+
+    if not chain_exist(chain, table, filename):
+        reason = "I have added the chain '%s' " \
+                 "but it does not exist in %s" % (chain, table)
+        print_error(reason, filename, chain.lineno)
+        return -1
+
+    return 0
+
+
+def chain_delete(chain, table, filename=None, lineno=None):
+    '''
+    Flushes and deletes a chain.
+    '''
+    if not chain_exist(chain, table, filename):
+        reason = "The chain %s does not exist in %s. " \
+                 "I cannot delete it." % (chain, table)
+        print_error(reason, filename, lineno)
+        return -1
+
+    cmd = "flush chain %s %s" % (table, chain)
+    ret = execute_cmd(cmd, filename, lineno)
+    if ret != 0:
+        reason = "I cannot " + cmd
+        print_error(reason, filename, lineno)
+        return -1
+
+    cmd = "delete chain %s %s" % (table, chain)
+    ret = execute_cmd(cmd, filename, lineno)
+    if ret != 0:
+        reason = "I cannot " + cmd
+        print_error(reason, filename, lineno)
+        return -1
+
+    if chain_exist(chain, table, filename):
+        reason = "The chain %s exists in %s. " \
+                 "I cannot delete this chain" % (chain, table)
+        print_error(reason, filename, lineno)
+        return -1
+
+    return 0
+
+
+def chain_get_by_name(name):
+    for chain in chain_list:
+        if chain.name == name:
+            break
+    else:
+        chain = None
+
+    return chain
+
+
+def set_add(s, test_result, filename, lineno):
+    '''
+    Adds a set.
+    '''
+    if not table_list:
+        reason = "Missing table to add rule"
+        print_error(reason, filename, lineno)
+        return -1
+
+    for table in table_list:
+        s.table = table.name
+        s.family = table.family
+        if _set_exist(s, filename, lineno):
+            reason = "Set %s already exists in %s" % (s.name, table)
+            print_error(reason, filename, lineno)
+            return -1
+
+        flags = s.flags
+        if flags != "":
+            flags = "flags %s; " % flags
+
+        if s.data == "":
+                cmd = "add set %s %s { type %s;%s %s}" % (table, s.name, s.type, s.timeout, flags)
+        else:
+                cmd = "add map %s %s { type %s : %s;%s %s}" % (table, s.name, s.type, s.data, s.timeout, flags)
+
+        ret = execute_cmd(cmd, filename, lineno)
+
+        if (ret == 0 and test_result == "fail") or \
+                (ret != 0 and test_result == "ok"):
+            reason = "%s: I cannot add the set %s" % (cmd, s.name)
+            print_error(reason, filename, lineno)
+            return -1
+
+        if not _set_exist(s, filename, lineno):
+            reason = "I have just added the set %s to " \
+                     "the table %s but it does not exist" % (s.name, table)
+            print_error(reason, filename, lineno)
+            return -1
+
+    return 0
+
+
+def map_add(s, test_result, filename, lineno):
+    '''
+    Adds a map
+    '''
+    if not table_list:
+        reason = "Missing table to add rule"
+        print_error(reason, filename, lineno)
+        return -1
+
+    for table in table_list:
+        s.table = table.name
+        s.family = table.family
+        if _map_exist(s, filename, lineno):
+            reason = "Map %s already exists in %s" % (s.name, table)
+            print_error(reason, filename, lineno)
+            return -1
+
+        flags = s.flags
+        if flags != "":
+            flags = "flags %s; " % flags
+
+        cmd = "add map %s %s { type %s : %s;%s %s}" % (table, s.name, s.type, s.data, s.timeout, flags)
+
+        ret = execute_cmd(cmd, filename, lineno)
+
+        if (ret == 0 and test_result == "fail") or \
+                (ret != 0 and test_result == "ok"):
+            reason = "%s: I cannot add the set %s" % (cmd, s.name)
+            print_error(reason, filename, lineno)
+            return -1
+
+        if not _map_exist(s, filename, lineno):
+            reason = "I have just added the set %s to " \
+                     "the table %s but it does not exist" % (s.name, table)
+            print_error(reason, filename, lineno)
+            return -1
+
+
+def set_add_elements(set_element, set_name, state, filename, lineno):
+    '''
+    Adds elements to the set.
+    '''
+    if not table_list:
+        reason = "Missing table to add rules"
+        print_error(reason, filename, lineno)
+        return -1
+
+    for table in table_list:
+        # Check if set exists.
+        if (not set_exist(set_name, table, filename, lineno) or
+                    set_name not in all_set) and state == "ok":
+            reason = "I cannot add an element to the set %s " \
+                     "since it does not exist." % set_name
+            print_error(reason, filename, lineno)
+            return -1
+
+        element = ", ".join(set_element)
+        cmd = "add element %s %s { %s }" % (table, set_name, element)
+        ret = execute_cmd(cmd, filename, lineno)
+
+        if (state == "fail" and ret == 0) or (state == "ok" and ret != 0):
+            if state == "fail":
+                    test_state = "This rule should have failed."
+            else:
+                    test_state = "This rule should not have failed."
+
+            reason = cmd + ": " + test_state
+            print_error(reason, filename, lineno)
+            return -1
+
+        # Add element into all_set.
+        if ret == 0 and state == "ok":
+            for e in set_element:
+                all_set[set_name].add(e)
+
+    return 0
+
+
+def set_delete_elements(set_element, set_name, table, filename=None,
+                        lineno=None):
+    '''
+    Deletes elements in a set.
+    '''
+    for element in set_element:
+        cmd = "delete element %s %s { %s }" % (table, set_name, element)
+        ret = execute_cmd(cmd, filename, lineno)
+        if ret != 0:
+            reason = "I cannot delete element %s " \
+                     "from the set %s" % (element, set_name)
+            print_error(reason, filename, lineno)
+            return -1
+
+    return 0
+
+
+def set_delete(table, filename=None, lineno=None):
+    '''
+    Deletes set and its content.
+    '''
+    for set_name in all_set.keys():
+        # Check if exists the set
+        if not set_exist(set_name, table, filename, lineno):
+            reason = "The set %s does not exist, " \
+                     "I cannot delete it" % set_name
+            print_error(reason, filename, lineno)
+            return -1
+
+        # We delete all elements in the set
+        set_delete_elements(all_set[set_name], set_name, table, filename,
+                            lineno)
+
+        # We delete the set.
+        cmd = "delete set %s %s" % (table, set_name)
+        ret = execute_cmd(cmd, filename, lineno)
+
+        # Check if the set still exists after I deleted it.
+        if ret != 0 or set_exist(set_name, table, filename, lineno):
+            reason = "Cannot remove the set " + set_name
+            print_error(reason, filename, lineno)
+            return -1
+
+    return 0
+
+
+def set_exist(set_name, table, filename, lineno):
+    '''
+    Check if the set exists.
+    '''
+    cmd = "list set %s %s" % (table, set_name)
+    ret = execute_cmd(cmd, filename, lineno)
+
+    return True if (ret == 0) else False
+
+
+def _set_exist(s, filename, lineno):
+    '''
+    Check if the set exists.
+    '''
+    cmd = "list set %s %s %s" % (s.family, s.table, s.name)
+    ret = execute_cmd(cmd, filename, lineno)
+
+    return True if (ret == 0) else False
+
+
+def _map_exist(s, filename, lineno):
+    '''
+    Check if the map exists.
+    '''
+    cmd = "list map %s %s %s" % (s.family, s.table, s.name)
+    ret = execute_cmd(cmd, filename, lineno)
+
+    return True if (ret == 0) else False
+
+
+def set_check_element(rule1, rule2):
+    '''
+    Check if element exists in anonymous sets.
+    '''
+    pos1 = rule1.find("{")
+    pos2 = rule2.find("{")
+
+    if (rule1[:pos1] != rule2[:pos2]):
+        return False
+
+    end1 = rule1.find("}")
+    end2 = rule2.find("}")
+
+    if (pos1 != -1) and (pos2 != -1) and (end1 != -1) and (end2 != -1):
+        list1 = (rule1[pos1 + 1:end1].replace(" ", "")).split(",")
+        list2 = (rule2[pos2 + 1:end2].replace(" ", "")).split(",")
+        list1.sort()
+        list2.sort()
+        if list1 != list2:
+            return False
+
+        return rule1[end1:] == rule2[end2:]
+
+    return False
+
+
+def obj_add(o, test_result, filename, lineno):
+    '''
+    Adds an object.
+    '''
+    if not table_list:
+        reason = "Missing table to add rule"
+        print_error(reason, filename, lineno)
+        return -1
+
+    for table in table_list:
+        o.table = table.name
+        o.family = table.family
+        obj_handle = o.type + " " + o.name
+        if _obj_exist(o, filename, lineno):
+            reason = "The %s already exists in %s" % (obj_handle, table)
+            print_error(reason, filename, lineno)
+            return -1
+
+        cmd = "add %s %s %s %s" % (o.type, table, o.name, o.spcf)
+        ret = execute_cmd(cmd, filename, lineno)
+
+        if (ret == 0 and test_result == "fail") or \
+                (ret != 0 and test_result == "ok"):
+            reason = "%s: I cannot add the %s" % (cmd, obj_handle)
+            print_error(reason, filename, lineno)
+            return -1
+
+        exist = _obj_exist(o, filename, lineno)
+
+        if exist:
+            if test_result == "ok":
+                 return 0
+            reason = "I added the %s to the table %s " \
+                     "but it should have failed" % (obj_handle, table)
+            print_error(reason, filename, lineno)
+            return -1
+
+        if test_result == "fail":
+            return 0
+
+        reason = "I have just added the %s to " \
+                 "the table %s but it does not exist" % (obj_handle, table)
+        print_error(reason, filename, lineno)
+        return -1
+
+def obj_delete(table, filename=None, lineno=None):
+    '''
+    Deletes object.
+    '''
+    for o in obj_list:
+        obj_handle = o.type + " " + o.name
+        # Check if exists the obj
+        if not obj_exist(o, table, filename, lineno):
+            reason = "The %s does not exist, I cannot delete it" % obj_handle
+            print_error(reason, filename, lineno)
+            return -1
+
+        # We delete the object.
+        cmd = "delete %s %s %s" % (o.type, table, o.name)
+        ret = execute_cmd(cmd, filename, lineno)
+
+        # Check if the object still exists after I deleted it.
+        if ret != 0 or obj_exist(o, table, filename, lineno):
+            reason = "Cannot remove the " + obj_handle
+            print_error(reason, filename, lineno)
+            return -1
+
+    return 0
+
+
+def obj_exist(o, table, filename, lineno):
+    '''
+    Check if the object exists.
+    '''
+    cmd = "list %s %s %s" % (o.type, table, o.name)
+    ret = execute_cmd(cmd, filename, lineno)
+
+    return True if (ret == 0) else False
+
+
+def _obj_exist(o, filename, lineno):
+    '''
+    Check if the object exists.
+    '''
+    cmd = "list %s %s %s %s" % (o.type, o.family, o.table, o.name)
+    ret = execute_cmd(cmd, filename, lineno)
+
+    return True if (ret == 0) else False
+
+
+def output_clean(pre_output, chain):
+    pos_chain = pre_output.find(chain.name)
+    if pos_chain == -1:
+        return ""
+    output_intermediate = pre_output[pos_chain:]
+    brace_start = output_intermediate.find("{")
+    brace_end = output_intermediate.find("}")
+    pre_rule = output_intermediate[brace_start:brace_end]
+    if pre_rule[1:].find("{") > -1:  # this rule has a set.
+        set = pre_rule[1:].replace("\t", "").replace("\n", "").strip()
+        set = set.split(";")[2].strip() + "}"
+        remainder = output_clean(chain.name + " {;;" + output_intermediate[brace_end+1:], chain)
+        if len(remainder) <= 0:
+            return set
+        return set + " " + remainder
+    else:
+        rule = pre_rule.split(";")[2].replace("\t", "").replace("\n", "").\
+            strip()
+    if len(rule) < 0:
+        return ""
+    return rule
+
+
+def payload_check_elems_to_set(elems):
+    newset = set()
+
+    for n, line in enumerate(elems.split('[end]')):
+        e = line.strip()
+        if e in newset:
+            print_error("duplicate", e, n)
+            return newset
+
+        newset.add(e)
+
+    return newset
+
+
+def payload_check_set_elems(want, got):
+    if want.find('element') < 0 or want.find('[end]') < 0:
+        return 0
+
+    if got.find('element') < 0 or got.find('[end]') < 0:
+        return 0
+
+    set_want = payload_check_elems_to_set(want)
+    set_got = payload_check_elems_to_set(got)
+
+    return set_want == set_got
+
+
+def payload_check(payload_buffer, file, cmd):
+    file.seek(0, 0)
+    i = 0
+
+    if not payload_buffer:
+        return False
+
+    for lineno, want_line in enumerate(payload_buffer):
+        line = file.readline()
+
+        if want_line == line:
+            i += 1
+            continue
+
+        if want_line.find('[') < 0 and line.find('[') < 0:
+            continue
+        if want_line.find(']') < 0 and line.find(']') < 0:
+            continue
+
+        if payload_check_set_elems(want_line, line):
+            continue
+
+        print_differences_warning(file.name, lineno, want_line.strip(),
+                                  line.strip(), cmd)
+        return 0
+
+    return i > 0
+
+
+def json_dump_normalize(json_string, human_readable = False):
+    json_obj = json.loads(json_string)
+
+    if human_readable:
+        return json.dumps(json_obj, sort_keys = True,
+                          indent = 4, separators = (',', ': '))
+    else:
+        return json.dumps(json_obj, sort_keys = True)
+
+def json_validate(json_string):
+    json_obj = json.loads(json_string)
+    try:
+        nftables.json_validate(json_obj)
+    except Exception:
+        print_error("schema validation failed for input '%s'" % json_string)
+        print_error(traceback.format_exc())
+
+def rule_add(rule, filename, lineno, force_all_family_option, filename_path):
+    '''
+    Adds a rule
+    '''
+    # TODO Check if a rule is added correctly.
+    ret = warning = error = unit_tests = 0
+
+    if not table_list or not chain_list:
+        reason = "Missing table or chain to add rule."
+        print_error(reason, filename, lineno)
+        return [-1, warning, error, unit_tests]
+
+    if rule[1].strip() == "ok":
+        payload_expected = None
+        payload_path = None
+        try:
+            payload_log = open("%s.payload" % filename_path)
+            payload_path = payload_log.name
+            payload_expected = payload_find_expected(payload_log, rule[0])
+        except:
+            payload_log = None
+
+        if enable_json_option:
+            try:
+                json_log = open("%s.json" % filename_path)
+                json_input = json_find_expected(json_log, rule[0])
+            except:
+                json_input = None
+
+            if not json_input:
+                print_error("did not find JSON equivalent for rule '%s'"
+                            % rule[0])
+            else:
+                try:
+                    json_input = json_dump_normalize(json_input)
+                except ValueError:
+                    reason = "Invalid JSON syntax in rule: %s" % json_input
+                    print_error(reason)
+                    return [-1, warning, error, unit_tests]
+
+            try:
+                json_log = open("%s.json.output" % filename_path)
+                json_expected = json_find_expected(json_log, rule[0])
+            except:
+                # will use json_input for comparison
+                json_expected = None
+
+            if json_expected:
+                try:
+                    json_expected = json_dump_normalize(json_expected)
+                except ValueError:
+                    reason = "Invalid JSON syntax in expected output: %s" % json_expected
+                    print_error(reason)
+                    return [-1, warning, error, unit_tests]
+
+    for table in table_list:
+        if rule[1].strip() == "ok":
+            table_payload_expected = None
+            try:
+                payload_log = open("%s.payload.%s" % (filename_path, table.family))
+                payload_path = payload_log.name
+                table_payload_expected = payload_find_expected(payload_log, rule[0])
+            except:
+                if not payload_log:
+                    print_error("did not find any payload information",
+                                filename_path)
+                elif not payload_expected:
+                    print_error("did not find payload information for "
+                                "rule '%s'" % rule[0], payload_log.name, 1)
+            if not table_payload_expected:
+                table_payload_expected = payload_expected
+
+        for table_chain in table.chains:
+            chain = chain_get_by_name(table_chain)
+            unit_tests += 1
+            table_flush(table, filename, lineno)
+
+            payload_log = tempfile.TemporaryFile(mode="w+")
+
+            # Add rule and check return code
+            cmd = "add rule %s %s %s" % (table, chain, rule[0])
+            ret = execute_cmd(cmd, filename, lineno, payload_log, debug="netlink")
+
+            state = rule[1].rstrip()
+            if (ret in [0,134] and state == "fail") or (ret != 0 and state == "ok"):
+                if state == "fail":
+                    test_state = "This rule should have failed."
+                else:
+                    test_state = "This rule should not have failed."
+                reason = cmd + ": " + test_state
+                print_error(reason, filename, lineno)
+                ret = -1
+                error += 1
+                if not force_all_family_option:
+                    return [ret, warning, error, unit_tests]
+
+            if state == "fail" and ret != 0:
+                ret = 0
+                continue
+
+            if ret != 0:
+                continue
+
+            # Check for matching payload
+            if state == "ok" and not payload_check(table_payload_expected,
+                                                   payload_log, cmd):
+                error += 1
+
+                try:
+                    gotf = open("%s.got" % payload_path)
+                    gotf_payload_expected = payload_find_expected(gotf, rule[0])
+                    gotf.close()
+                except:
+                    gotf_payload_expected = None
+                payload_log.seek(0, 0)
+                if not payload_check(gotf_payload_expected, payload_log, cmd):
+                    gotf = open("%s.got" % payload_path, 'a')
+                    payload_log.seek(0, 0)
+                    gotf.write("# %s\n" % rule[0])
+                    while True:
+                        line = payload_log.readline()
+                        if line == "":
+                            break
+                        gotf.write(line)
+                    gotf.close()
+                    print_warning("Wrote payload for rule %s" % rule[0],
+                                  gotf.name, 1)
+
+            # Check for matching ruleset listing
+            numeric_proto_old = nftables.set_numeric_proto_output(True)
+            stateless_old = nftables.set_stateless_output(True)
+            list_cmd = 'list table %s' % table
+            rc, pre_output, err = nftables.cmd(list_cmd)
+            nftables.set_numeric_proto_output(numeric_proto_old)
+            nftables.set_stateless_output(stateless_old)
+
+            output = pre_output.split(";")
+            if len(output) < 2:
+                reason = cmd + ": Listing is broken."
+                print_error(reason, filename, lineno)
+                ret = -1
+                error += 1
+                if not force_all_family_option:
+                    return [ret, warning, error, unit_tests]
+                continue
+
+            rule_output = output_clean(pre_output, chain)
+            retest_output = False
+            if len(rule) == 3:
+                teoric_exit = rule[2]
+                retest_output = True
+            else:
+                teoric_exit = rule[0]
+
+            if rule_output.rstrip() != teoric_exit.rstrip():
+                if rule[0].find("{") != -1:  # anonymous sets
+                    if not set_check_element(teoric_exit.rstrip(),
+                                         rule_output.rstrip()):
+                        warning += 1
+                        retest_output = True
+                        print_differences_warning(filename, lineno,
+                                                  teoric_exit.rstrip(),
+                                                  rule_output, cmd)
+                        if not force_all_family_option:
+                            return [ret, warning, error, unit_tests]
+                else:
+                    if len(rule_output) <= 0:
+                        error += 1
+                        print_differences_error(filename, lineno, cmd)
+                        if not force_all_family_option:
+                            return [ret, warning, error, unit_tests]
+
+                    warning += 1
+                    retest_output = True
+                    print_differences_warning(filename, lineno,
+                                              teoric_exit.rstrip(),
+                                              rule_output, cmd)
+
+                    if not force_all_family_option:
+                        return [ret, warning, error, unit_tests]
+
+            if retest_output:
+                table_flush(table, filename, lineno)
+
+                # Add rule and check return code
+                cmd = "add rule %s %s %s" % (table, chain, rule_output.rstrip())
+                ret = execute_cmd(cmd, filename, lineno, payload_log, debug="netlink")
+
+                if ret != 0:
+                    test_state = "Replaying rule failed."
+                    reason = cmd + ": " + test_state
+                    print_warning(reason, filename, lineno)
+                    ret = -1
+                    error += 1
+                    if not force_all_family_option:
+                        return [ret, warning, error, unit_tests]
+                # Check for matching payload
+                elif not payload_check(table_payload_expected,
+                                       payload_log, cmd):
+                    error += 1
+
+            if not enable_json_option:
+                continue
+
+            # Generate JSON equivalent for rule if not found
+            if not json_input:
+                json_old = nftables.set_json_output(True)
+                rc, json_output, err = nftables.cmd(list_cmd)
+                nftables.set_json_output(json_old)
+
+                json_output = json.loads(json_output)
+                for item in json_output["nftables"]:
+                    if "rule" in item:
+                        del(item["rule"]["handle"])
+                        json_output = item["rule"]
+                        break
+                json_input = json.dumps(json_output["expr"], sort_keys = True)
+
+                gotf = open("%s.json.got" % filename_path, 'a')
+                jdump = json_dump_normalize(json_input, True)
+                gotf.write("# %s\n%s\n\n" % (rule[0], jdump))
+                gotf.close()
+                print_warning("Wrote JSON equivalent for rule %s" % rule[0],
+                              gotf.name, 1)
+
+            table_flush(table, filename, lineno)
+            payload_log = tempfile.TemporaryFile(mode="w+")
+
+            # Add rule in JSON format
+            cmd = json.dumps({ "nftables": [{ "add": { "rule": {
+                    "family": table.family,
+                    "table": table.name,
+                    "chain": chain.name,
+                    "expr": json.loads(json_input),
+            }}}]})
+
+            if enable_json_schema:
+                json_validate(cmd)
+
+            json_old = nftables.set_json_output(True)
+            ret = execute_cmd(cmd, filename, lineno, payload_log, debug="netlink")
+            nftables.set_json_output(json_old)
+
+            if ret != 0:
+                reason = "Failed to add JSON equivalent rule"
+                print_error(reason, filename, lineno)
+                continue
+
+            # Check for matching payload
+            if not payload_check(table_payload_expected, payload_log, cmd):
+                error += 1
+                gotf = open("%s.json.payload.got" % filename_path, 'a')
+                payload_log.seek(0, 0)
+                gotf.write("# %s\n" % rule[0])
+                while True:
+                    line = payload_log.readline()
+                    if line == "":
+                        break
+                    gotf.write(line)
+                gotf.close()
+                print_warning("Wrote JSON payload for rule %s" % rule[0],
+                              gotf.name, 1)
+
+            # Check for matching ruleset listing
+            numeric_proto_old = nftables.set_numeric_proto_output(True)
+            stateless_old = nftables.set_stateless_output(True)
+            json_old = nftables.set_json_output(True)
+            rc, json_output, err = nftables.cmd(list_cmd)
+            nftables.set_json_output(json_old)
+            nftables.set_numeric_proto_output(numeric_proto_old)
+            nftables.set_stateless_output(stateless_old)
+
+            if enable_json_schema:
+                json_validate(json_output)
+
+            json_output = json.loads(json_output)
+            for item in json_output["nftables"]:
+                if "rule" in item:
+                    del(item["rule"]["handle"])
+                    json_output = item["rule"]
+                    break
+            json_output = json.dumps(json_output["expr"], sort_keys = True)
+
+            if not json_expected and json_output != json_input:
+                print_differences_warning(filename, lineno,
+                                          json_input, json_output, cmd)
+                error += 1
+                gotf = open("%s.json.output.got" % filename_path, 'a')
+                jdump = json_dump_normalize(json_output, True)
+                gotf.write("# %s\n%s\n\n" % (rule[0], jdump))
+                gotf.close()
+                print_warning("Wrote JSON output for rule %s" % rule[0],
+                              gotf.name, 1)
+                # prevent further warnings and .got file updates
+                json_expected = json_output
+            elif json_expected and json_output != json_expected:
+                print_differences_warning(filename, lineno,
+                                          json_expected, json_output, cmd)
+                error += 1
+
+    return [ret, warning, error, unit_tests]
+
+
+def cleanup_on_exit():
+    for table in table_list:
+        for table_chain in table.chains:
+            chain = chain_get_by_name(table_chain)
+            chain_delete(chain, table, "", "")
+        if all_set:
+            set_delete(table)
+        if obj_list:
+            obj_delete(table)
+        table_delete(table)
+
+
+def signal_handler(signal, frame):
+    global signal_received
+    signal_received = 1
+
+
+def execute_cmd(cmd, filename, lineno, stdout_log=False, debug=False):
+    '''
+    Executes a command, checks for segfaults and returns the command exit
+    code.
+
+    :param cmd: string with the command to be executed
+    :param filename: name of the file tested (used for print_error purposes)
+    :param lineno: line number being tested (used for print_error purposes)
+    :param stdout_log: redirect stdout to this file instead of global log_file
+    :param debug: temporarily set these debug flags
+    '''
+    global log_file
+    print("command: {}".format(cmd), file=log_file)
+    if debug_option:
+        print(cmd)
+
+    log_file.flush()
+
+    if debug:
+        debug_old = nftables.get_debug()
+        nftables.set_debug(debug)
+
+    ret, out, err = nftables.cmd(cmd)
+
+    if not stdout_log:
+        stdout_log = log_file
+
+    stdout_log.write(out)
+    stdout_log.flush()
+    log_file.write(err)
+    log_file.flush()
+
+    if debug:
+        nftables.set_debug(debug_old)
+
+    return ret
+
+
+def print_result(filename, tests, warning, error):
+    return str(filename) + ": " + str(tests) + " unit tests, " + str(error) + \
+           " error, " + str(warning) + " warning"
+
+
+def print_result_all(filename, tests, warning, error, unit_tests):
+    return str(filename) + ": " + str(tests) + " unit tests, " + \
+           str(unit_tests) + " total test executed, " + str(error) + \
+           " error, " + str(warning) + " warning"
+
+
+def table_process(table_line, filename, lineno):
+    table_info = table_line.split(";")
+    table = Table(table_info[0], table_info[1], table_info[2].split(","))
+
+    return table_create(table, filename, lineno)
+
+
+def chain_process(chain_line, lineno):
+    chain_info = chain_line.split(";")
+    chain_list.append(Chain(chain_info[0], chain_info[1], lineno))
+
+    return 0
+
+
+def set_process(set_line, filename, lineno):
+    test_result = set_line[1]
+    timeout=""
+
+    tokens = set_line[0].split(" ")
+    set_name = tokens[0]
+    set_type = tokens[2]
+    set_data = ""
+    set_flags = ""
+
+    i = 3
+    while len(tokens) > i and tokens[i] == ".":
+        set_type += " . " + tokens[i+1]
+        i += 2
+
+    while len(tokens) > i and tokens[i] == ":":
+        set_data = tokens[i+1]
+        i += 2
+
+    if len(tokens) == i+2 and tokens[i] == "timeout":
+        timeout = "timeout " + tokens[i+1] + ";"
+        i += 2
+
+    if len(tokens) == i+2 and tokens[i] == "flags":
+        set_flags = tokens[i+1]
+    elif len(tokens) != i:
+        print_error(set_name + " bad flag: " + tokens[i], filename, lineno)
+
+    s = Set("", "", set_name, set_type, set_data, timeout, set_flags)
+
+    if set_data == "":
+        ret = set_add(s, test_result, filename, lineno)
+    else:
+        ret = map_add(s, test_result, filename, lineno)
+
+    if ret == 0:
+        all_set[set_name] = set()
+
+    return ret
+
+
+def set_element_process(element_line, filename, lineno):
+    rule_state = element_line[1]
+    element_line = element_line[0]
+    space = element_line.find(" ")
+    set_name = element_line[:space]
+    set_element = element_line[space:].split(",")
+
+    return set_add_elements(set_element, set_name, rule_state, filename, lineno)
+
+
+def obj_process(obj_line, filename, lineno):
+    test_result = obj_line[1]
+
+    tokens = obj_line[0].split(" ")
+    obj_name = tokens[0]
+    obj_type = tokens[2]
+    obj_spcf = ""
+
+    if obj_type == "ct" and tokens[3] == "helper":
+       obj_type = "ct helper"
+       tokens[3] = ""
+
+    if obj_type == "ct" and tokens[3] == "timeout":
+       obj_type = "ct timeout"
+       tokens[3] = ""
+
+    if obj_type == "ct" and tokens[3] == "expectation":
+       obj_type = "ct expectation"
+       tokens[3] = ""
+
+    if len(tokens) > 3:
+        obj_spcf = " ".join(tokens[3:])
+
+    o = Obj("", "", obj_name, obj_type, obj_spcf)
+
+    ret = obj_add(o, test_result, filename, lineno)
+    if ret == 0:
+        obj_list.append(o)
+
+    return ret
+
+
+def payload_find_expected(payload_log, rule):
+    '''
+    Find the netlink payload that should be generated by given rule in
+    payload_log
+
+    :param payload_log: open file handle of the payload data
+    :param rule: nft rule we are going to add
+    '''
+    found = 0
+    payload_buffer = []
+
+    while True:
+        line = payload_log.readline()
+        if not line:
+            break
+
+        if line[0] == "#":  # rule start
+            rule_line = line.strip()[2:]
+
+            if rule_line == rule.strip():
+                found = 1
+                continue
+
+        if found == 1:
+            payload_buffer.append(line)
+            if line.isspace():
+                return payload_buffer
+
+    payload_log.seek(0, 0)
+    return payload_buffer
+
+
+def json_find_expected(json_log, rule):
+    '''
+    Find the corresponding JSON for given rule
+
+    :param json_log: open file handle of the json data
+    :param rule: nft rule we are going to add
+    '''
+    found = 0
+    json_buffer = ""
+
+    while True:
+        line = json_log.readline()
+        if not line:
+            break
+
+        if line[0] == "#":  # rule start
+            rule_line = line.strip()[2:]
+
+            if rule_line == rule.strip():
+                found = 1
+                continue
+
+        if found == 1:
+            json_buffer += line.rstrip("\n").strip()
+            if line.isspace():
+                return json_buffer
+
+    json_log.seek(0, 0)
+    return json_buffer
+
+
+def run_test_file(filename, force_all_family_option, specific_file):
+    '''
+    Runs a test file
+
+    :param filename: name of the file with the test rules
+    '''
+    filename_path = os.path.join(TESTS_PATH, filename)
+    f = open(filename_path)
+    tests = passed = total_unit_run = total_warning = total_error = 0
+
+    for lineno, line in enumerate(f):
+        sys.stdout.flush()
+
+        if signal_received == 1:
+            print("\nSignal received. Cleaning up and Exitting...")
+            cleanup_on_exit()
+            sys.exit(0)
+
+        if line.isspace():
+            continue
+
+        if line[0] == "#":  # Command-line
+            continue
+
+        if line[0] == '*':  # Table
+            table_line = line.rstrip()[1:]
+            ret = table_process(table_line, filename, lineno)
+            if ret != 0:
+                break
+            continue
+
+        if line[0] == ":":  # Chain
+            chain_line = line.rstrip()[1:]
+            ret = chain_process(chain_line, lineno)
+            if ret != 0:
+                break
+            continue
+
+        if line[0] == "!":  # Adds this set
+            set_line = line.rstrip()[1:].split(";")
+            ret = set_process(set_line, filename, lineno)
+            tests += 1
+            if ret == -1:
+                continue
+            passed += 1
+            continue
+
+        if line[0] == "?":  # Adds elements in a set
+            element_line = line.rstrip()[1:].split(";")
+            ret = set_element_process(element_line, filename, lineno)
+            tests += 1
+            if ret == -1:
+                continue
+
+            passed += 1
+            continue
+
+        if line[0] == "%":  # Adds this object
+            brace = line.rfind("}")
+            if brace < 0:
+                obj_line = line.rstrip()[1:].split(";")
+            else:
+                obj_line = (line[1:brace+1], line[brace+2:].rstrip())
+
+            ret = obj_process(obj_line, filename, lineno)
+            tests += 1
+            if ret == -1:
+                continue
+            passed += 1
+            continue
+
+        # Rule
+        rule = line.split(';')  # rule[1] Ok or FAIL
+        if len(rule) == 1 or len(rule) > 3 or rule[1].rstrip() \
+                not in {"ok", "fail"}:
+            reason = "Skipping malformed rule test. (%s)" % line.rstrip('\n')
+            print_warning(reason, filename, lineno)
+            continue
+
+        if line[0] == "-":  # Run omitted lines
+            if need_fix_option:
+                rule[0] = rule[0].rstrip()[1:].strip()
+            else:
+                continue
+        elif need_fix_option:
+            continue
+
+        result = rule_add(rule, filename, lineno, force_all_family_option,
+                          filename_path)
+        tests += 1
+        ret = result[0]
+        warning = result[1]
+        total_warning += warning
+        total_error += result[2]
+        total_unit_run += result[3]
+
+        if ret != 0:
+            continue
+
+        if warning == 0:  # All ok.
+            passed += 1
+
+    # Delete rules, sets, chains and tables
+    for table in table_list:
+        # We delete chains
+        for table_chain in table.chains:
+            chain = chain_get_by_name(table_chain)
+            chain_delete(chain, table, filename, lineno)
+
+        # We delete sets.
+        if all_set:
+            ret = set_delete(table, filename, lineno)
+            if ret != 0:
+                reason = "There is a problem when we delete a set"
+                print_error(reason, filename, lineno)
+
+        # We delete tables.
+        table_delete(table, filename, lineno)
+
+    if specific_file:
+        if force_all_family_option:
+            print(print_result_all(filename, tests, total_warning, total_error,
+                                   total_unit_run))
+        else:
+            print(print_result(filename, tests, total_warning, total_error))
+    else:
+        if tests == passed and tests > 0:
+            print(filename + ": " + Colors.GREEN + "OK" + Colors.ENDC)
+
+    f.close()
+    del table_list[:]
+    del chain_list[:]
+    all_set.clear()
+
+    return [tests, passed, total_warning, total_error, total_unit_run]
+
+def spawn_netns():
+    # prefer unshare module
+    try:
+        import unshare
+        unshare.unshare(unshare.CLONE_NEWNET)
+        return True
+    except:
+        pass
+
+    # sledgehammer style:
+    # - call ourselves prefixed by 'unshare -n' if found
+    # - pass extra --no-netns parameter to avoid another recursion
+    try:
+        import shutil
+
+        unshare = shutil.which("unshare")
+        if unshare is None:
+            return False
+
+        sys.argv.append("--no-netns")
+        if debug_option:
+            print("calling: ", [unshare, "-n", sys.executable] + sys.argv)
+        os.execv(unshare, [unshare, "-n", sys.executable] + sys.argv)
+    except:
+        pass
+
+    return False
+
+def main():
+    parser = argparse.ArgumentParser(description='Run nft tests')
+
+    parser.add_argument('filenames', nargs='*', metavar='path/to/file.t',
+                        help='Run only these tests')
+
+    parser.add_argument('-d', '--debug', action='store_true', dest='debug',
+                        help='enable debugging mode')
+
+    parser.add_argument('-e', '--need-fix', action='store_true',
+                        dest='need_fix_line', help='run rules that need a fix')
+
+    parser.add_argument('-f', '--force-family', action='store_true',
+                        dest='force_all_family',
+                        help='keep testing all families on error')
+
+    parser.add_argument('-H', '--host', action='store_true',
+                        help='run tests against installed libnftables.so.1')
+
+    parser.add_argument('-j', '--enable-json', action='store_true',
+                        dest='enable_json',
+                        help='test JSON functionality as well')
+
+    parser.add_argument('-l', '--library', default=None,
+                        help='path to libntables.so.1, overrides --host')
+
+    parser.add_argument('-N', '--no-netns', action='store_true',
+                        dest='no_netns',
+                        help='Do not run in own network namespace')
+
+    parser.add_argument('-s', '--schema', action='store_true',
+                        dest='enable_schema',
+                        help='verify json input/output against schema')
+
+    parser.add_argument('-v', '--version', action='version',
+                        version='1.0',
+                        help='Print the version information')
+
+    args = parser.parse_args()
+    global debug_option, need_fix_option, enable_json_option, enable_json_schema
+    debug_option = args.debug
+    need_fix_option = args.need_fix_line
+    force_all_family_option = args.force_all_family
+    enable_json_option = args.enable_json
+    enable_json_schema = args.enable_schema
+    specific_file = False
+
+    signal.signal(signal.SIGINT, signal_handler)
+    signal.signal(signal.SIGTERM, signal_handler)
+
+    if os.getuid() != 0:
+        print("You need to be root to run this, sorry")
+        return
+
+    if not args.no_netns and not spawn_netns():
+        print_warning("cannot run in own namespace, connectivity might break")
+
+    # Change working directory to repository root
+    os.chdir(TESTS_PATH + "/../..")
+
+    check_lib_path = True
+    if args.library is None:
+        if args.host:
+            args.library = 'libnftables.so.1'
+            check_lib_path = False
+        else:
+            args.library = 'src/.libs/libnftables.so.1'
+
+    if check_lib_path and not os.path.exists(args.library):
+        print("The nftables library at '%s' does not exist. "
+              "You need to build the project." % args.library)
+        return
+
+    if args.enable_schema and not args.enable_json:
+        print_error("Option --schema requires option --json")
+        return
+
+    global nftables
+    nftables = Nftables(sofile = args.library)
+
+    test_files = files_ok = run_total = 0
+    tests = passed = warnings = errors = 0
+    global log_file
+    try:
+        log_file = open(LOGFILE, 'w')
+        print_info("Log will be available at %s" % LOGFILE)
+    except IOError:
+        print_error("Cannot open log file %s" % LOGFILE)
+        return
+
+    file_list = []
+    if args.filenames:
+        file_list = args.filenames
+        if len(args.filenames) == 1:
+            specific_file = True
+    else:
+        for directory in TESTS_DIRECTORY:
+            path = os.path.join(TESTS_PATH, directory)
+            for root, dirs, files in os.walk(path):
+                for f in files:
+                    if f.endswith(".t"):
+                        file_list.append(os.path.join(directory, f))
+
+    for filename in file_list:
+        result = run_test_file(filename, force_all_family_option, specific_file)
+        file_tests = result[0]
+        file_passed = result[1]
+        file_warnings = result[2]
+        file_errors = result[3]
+        file_unit_run = result[4]
+
+        test_files += 1
+
+        if file_warnings == 0 and file_tests == file_passed:
+            files_ok += 1
+        if file_tests:
+            tests += file_tests
+            passed += file_passed
+            errors += file_errors
+            warnings += file_warnings
+        if force_all_family_option:
+            run_total += file_unit_run
+
+    if test_files == 0:
+        print("No test files to run")
+    else:
+        if not specific_file:
+            if force_all_family_option:
+                print("%d test files, %d files passed, %d unit tests, " % (test_files, files_ok, tests))
+                print("%d total executed, %d error, %d warning" % (run_total, errors,warnings))
+            else:
+                print("%d test files, %d files passed, %d unit tests, " % (test_files, files_ok, tests))
+                print("%d error, %d warning" % (errors, warnings))
+
+if __name__ == '__main__':
+    main()
diff --git a/tests/py/tools/test-sanitizer.sh b/tests/py/tools/test-sanitizer.sh
new file mode 100755
index 0000000..92354d2
--- /dev/null
+++ b/tests/py/tools/test-sanitizer.sh
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+# Do some simple sanity checks on tests:
+# - Report tests where reply matches command
+# - Report tests with non-ok exit but reply
+# - Check for duplicate test commands in *.t files
+# - Check for duplicate or stale payload records in *.t.payload* files
+# - Check for duplicate or stale json equivalents in *.t.json files
+
+cd $(dirname $0)/../
+
+[[ $1 ]] && tests="$@" || tests="*/*.t"
+
+reportfile=""
+report() { # (file, msg)
+	[[ "$reportfile" == "$1" ]] || {
+		reportfile="$1"
+		echo ""
+		echo "In $reportfile:"
+	}
+	shift
+	echo "$@"
+}
+
+for t in $tests; do
+	[[ -f $t ]] || continue
+
+	readarray -t cmdlines <<< $(grep -v -e '^ *[:*#-?]' -e '^ *$' $t)
+
+	cmds=""
+	for cmdline in "${cmdlines[@]}"; do
+		readarray -t -d ';' cmdparts <<< "$cmdline"
+		cmd="${cmdparts[0]}"
+		rc="${cmdparts[1]}"
+		out="${cmdparts[2]}"
+
+		[[ -n $cmd ]] || continue
+
+		#echo "cmdline: $cmdline"
+		#echo "cmd: $cmd"
+		#echo "rc: $rc"
+		#echo "out: $out"
+
+		[[ "$cmd" != "$out" ]] || \
+			report $t "reply matches cmd: $cmd"
+		[[ "$rc" != "ok" && "$out" ]] && \
+			report $t "output record with non-ok exit: $cmd"
+
+		cmds+="${cmd}\n"
+	done
+
+	readarray -t dups <<< $(echo -e "$cmds" | sort | uniq -d)
+	for dup in "${dups[@]}"; do
+		[[ -n $dup ]] || continue
+		report $t "duplicate command: $dup"
+	done
+
+	for p in $t.payload* $t.json; do
+		[[ -f $p ]] || continue
+		[[ $p == *.got ]] && continue
+		[[ $p == *.json ]] && t="json" || t="payload"
+
+		pcmds=$(grep '^#' $p)
+		readarray -t dups <<< $(echo "$pcmds" | sort | uniq -d)
+		readarray -t stales <<< $(echo "$pcmds" | while read hash pcmd; do
+			echo -e "$cmds" | grep -qxF "${pcmd}" || echo "# ${pcmd}"
+		done)
+
+		for stale in "${stales[@]}"; do
+			[[ -n $stale ]] || continue
+			report $p "stale $t record: $stale"
+		done
+		for dup in "${dups[@]}"; do
+			[[ -n $dup ]] || continue
+			report $p "duplicate $t record: $dup"
+		done
+	done
+done
diff --git a/tests/py/y b/tests/py/y
new file mode 100644
index 0000000..3ac1e95
--- /dev/null
+++ b/tests/py/y
@@ -0,0 +1,14 @@
+diff --git a/tests/py/ip/sets.t b/tests/py/ip/sets.t
+index a224d0fef13d..46d9686b7ddd 100644
+--- a/tests/py/ip/sets.t
++++ b/tests/py/ip/sets.t
+@@ -52,6 +52,9 @@ ip saddr != @set33 drop;fail
+ ip saddr . ip daddr @set5 drop;ok
+ add @set5 { ip saddr . ip daddr };ok
+ 
++!map1 type ipv4_addr . ipv4_addr : mark;ok
++add @map1 { ip saddr . ip daddr : meta mark };ok
++
+ # test nested anonymous sets
+ ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 };ok;ip saddr { 1.1.1.0, 2.2.2.0, 3.3.3.0 }
+ ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 };ok;ip saddr { 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 }
diff --git a/tests/shell/README b/tests/shell/README
new file mode 100644
index 0000000..3af17a9
--- /dev/null
+++ b/tests/shell/README
@@ -0,0 +1,35 @@
+This test suite is intended to perform tests on a higher level
+than the other regression test suites.
+
+It can run arbitrary executables which can perform any test, not
+limited to testing the nft syntax or netlink code (which is what
+the regression tests do).
+
+To run the test suite (as root):
+ $ cd tests/shell
+ # ./run-tests.sh
+
+Test files are executable files matching the pattern <<name_N>>,
+where N should be 0 in all new tests. All tests should return 0 on
+success.
+
+Since they are located with `find', test files can be put in any
+subdirectory.
+
+You can turn on a verbose execution by calling:
+ # ./run-tests.sh -v
+
+And generate missing dump files with:
+ # ./run-tests.sh -g <TESTFILE>
+
+Before each test file invocation, `nft flush ruleset' will be called.
+Also, test file process environment will include the variable $NFT
+which contains the nft command being tested.
+
+You can pass an arbitrary $NFT value as well:
+ # NFT=/usr/local/sbin/nft ./run-tests.sh
+
+Note that, to support usage such as NFT='valgrind nft', tests must
+invoke $NFT unquoted.
+
+By default, the tests are run with the nft binary at '../../src/nft'
diff --git a/tests/shell/features/bitshift.nft b/tests/shell/features/bitshift.nft
new file mode 100644
index 0000000..7f9ccb6
--- /dev/null
+++ b/tests/shell/features/bitshift.nft
@@ -0,0 +1,7 @@
+# 567d746b55bc ("netfilter: bitwise: add support for shifts.")
+# v5.6-rc1~151^2~73^2
+table ip t {
+	chain c {
+		meta mark set meta mark << 2
+	}
+}
diff --git a/tests/shell/features/catchall_element.nft b/tests/shell/features/catchall_element.nft
new file mode 100644
index 0000000..1a02fd6
--- /dev/null
+++ b/tests/shell/features/catchall_element.nft
@@ -0,0 +1,8 @@
+# aaa31047a6d2 ("netfilter: nftables: add catch-all set element support")
+# v5.13-rc1~94^2~10^2~2
+table t {
+	map m {
+		type inet_service : inet_service
+		elements = { * : 42 }
+	}
+}
diff --git a/tests/shell/features/chain_binding.nft b/tests/shell/features/chain_binding.nft
new file mode 100644
index 0000000..b381ec5
--- /dev/null
+++ b/tests/shell/features/chain_binding.nft
@@ -0,0 +1,7 @@
+# d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
+# v5.9-rc1~133^2~302^2~1
+table ip t {
+	chain c {
+		jump { counter; }
+	}
+}
diff --git a/tests/shell/features/ctexpect.nft b/tests/shell/features/ctexpect.nft
new file mode 100644
index 0000000..02c3dfd
--- /dev/null
+++ b/tests/shell/features/ctexpect.nft
@@ -0,0 +1,10 @@
+# 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
+# v5.3-rc1~140^2~153^2~19
+table t {
+	ct expectation ctexpect {
+		protocol tcp
+		dport 5432
+		timeout 1h
+		size 12;
+	}
+}
diff --git a/tests/shell/features/cttimeout.nft b/tests/shell/features/cttimeout.nft
new file mode 100644
index 0000000..4be58cd
--- /dev/null
+++ b/tests/shell/features/cttimeout.nft
@@ -0,0 +1,8 @@
+# 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support")
+# v4.19-rc1~140^2~64^2~3
+table t {
+	ct timeout cttime {
+		protocol tcp;
+		policy = {established: 120 }
+	}
+}
diff --git a/tests/shell/features/destroy.nft b/tests/shell/features/destroy.nft
new file mode 100644
index 0000000..b97242e
--- /dev/null
+++ b/tests/shell/features/destroy.nft
@@ -0,0 +1,3 @@
+# f80a612dd77c ("netfilter: nf_tables: add support to destroy operation")
+# v6.3-rc1~162^2~264^2
+destroy table t
diff --git a/tests/shell/features/inet_ingress.nft b/tests/shell/features/inet_ingress.nft
new file mode 100644
index 0000000..944a5c7
--- /dev/null
+++ b/tests/shell/features/inet_ingress.nft
@@ -0,0 +1,7 @@
+# d3519cb89f6d ("netfilter: nf_tables: add inet ingress support")
+# v5.10-rc1~107^2~17^2~1
+table inet t {
+        chain c {
+                type filter hook ingress device "lo" priority filter; policy accept;
+        }
+}
diff --git a/tests/shell/features/inner_matching.nft b/tests/shell/features/inner_matching.nft
new file mode 100644
index 0000000..6c86fd3
--- /dev/null
+++ b/tests/shell/features/inner_matching.nft
@@ -0,0 +1,7 @@
+# 3a07327d10a0 ("netfilter: nft_inner: support for inner tunnel header matching")
+# v6.2-rc1~99^2~350^2~4
+table ip t {
+        chain c {
+                udp dport 4789 vxlan ip saddr 1.2.3.4
+        }
+}
diff --git a/tests/shell/features/json.sh b/tests/shell/features/json.sh
new file mode 100755
index 0000000..d811570
--- /dev/null
+++ b/tests/shell/features/json.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+# Detect JSON support. Note that $NFT may not be the binary from our build
+# tree, hence we detect it by running the binary (instead of asking the build
+# configuration).
+$NFT -j list ruleset
diff --git a/tests/shell/features/map_lookup.nft b/tests/shell/features/map_lookup.nft
new file mode 100644
index 0000000..06c4c9d
--- /dev/null
+++ b/tests/shell/features/map_lookup.nft
@@ -0,0 +1,11 @@
+# a4878eeae390 ("netfilter: nf_tables: relax set/map validation checks")
+# v6.5-rc1~163^2~256^2~8
+table ip t {
+        map m {
+                typeof ip daddr : meta mark
+        }
+
+        chain c {
+                ip saddr @m
+        }
+}
diff --git a/tests/shell/features/netdev_chain_without_device.nft b/tests/shell/features/netdev_chain_without_device.nft
new file mode 100644
index 0000000..25eb200
--- /dev/null
+++ b/tests/shell/features/netdev_chain_without_device.nft
@@ -0,0 +1,7 @@
+# 207296f1a03b ("netfilter: nf_tables: allow to create netdev chain without device")
+# v6.4-rc1~132^2~14^2
+table netdev t {
+	chain c {
+		type filter hook ingress priority 0; policy accept;
+        }
+}
diff --git a/tests/shell/features/netdev_egress.nft b/tests/shell/features/netdev_egress.nft
new file mode 100644
index 0000000..67d706d
--- /dev/null
+++ b/tests/shell/features/netdev_egress.nft
@@ -0,0 +1,7 @@
+# 42df6e1d221d ("netfilter: Introduce egress hook")
+# v5.16-rc1~159^2~167^2~10
+table netdev t {
+	chain c {
+		type filter hook egress devices = { lo } priority 0; policy accept;
+	}
+}
diff --git a/tests/shell/features/osf.nft b/tests/shell/features/osf.nft
new file mode 100644
index 0000000..dbb6b4c
--- /dev/null
+++ b/tests/shell/features/osf.nft
@@ -0,0 +1,7 @@
+# b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf")
+# v4.19-rc1~140^2~135^2~15
+table t {
+	chain c {
+		osf name "Linux"
+	}
+}
diff --git a/tests/shell/features/reset_rule.sh b/tests/shell/features/reset_rule.sh
new file mode 100755
index 0000000..567ee2f
--- /dev/null
+++ b/tests/shell/features/reset_rule.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# 8daa8fde3fc3 ("netfilter: nf_tables: Introduce NFT_MSG_GETRULE_RESET")
+# v6.2-rc1~99^2~210^2~2
+
+unshare -n bash -c "$NFT \"add table t; add chain t c ; add rule t c counter packets 1 bytes 42\"; \
+$NFT reset rules chain t c ; \
+$NFT reset rules chain t c |grep counter\ packets\ 0\ bytes\ 0"
diff --git a/tests/shell/features/reset_set.sh b/tests/shell/features/reset_set.sh
new file mode 100755
index 0000000..3d03417
--- /dev/null
+++ b/tests/shell/features/reset_set.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# 079cd633219d ("netfilter: nf_tables: Introduce NFT_MSG_GETSETELEM_RESET")
+# v6.5-rc1~163^2~9^2~1
+
+unshare -n bash -c "$NFT add table t; \
+ $NFT add set t s { type ipv4_addr\; counter\; elements = { 127.0.0.1 counter packets 1 bytes 2 } } ; \
+ $NFT reset set t s ; \
+ $NFT reset set t s | grep counter\ packets\ 0\ bytes\ 0
+"
diff --git a/tests/shell/features/sctp_chunks.nft b/tests/shell/features/sctp_chunks.nft
new file mode 100644
index 0000000..520afd6
--- /dev/null
+++ b/tests/shell/features/sctp_chunks.nft
@@ -0,0 +1,7 @@
+# 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
+# v5.14-rc1~119^2~373^2~15
+table ip t {
+	chain c {
+		sctp chunk init 0
+	}
+}
diff --git a/tests/shell/features/set_with_two_expressions.nft b/tests/shell/features/set_with_two_expressions.nft
new file mode 100644
index 0000000..97632a7
--- /dev/null
+++ b/tests/shell/features/set_with_two_expressions.nft
@@ -0,0 +1,9 @@
+# 48b0ae046ee9 ("netfilter: nftables: netlink support for several set element expressions")
+# v5.11-rc1~169^2~25^2
+table x {
+        set y {
+                type ipv4_addr
+                size 65535
+                counter quota 500 bytes
+        }
+}
diff --git a/tests/shell/features/table_flag_owner.nft b/tests/shell/features/table_flag_owner.nft
new file mode 100644
index 0000000..aef122a
--- /dev/null
+++ b/tests/shell/features/table_flag_owner.nft
@@ -0,0 +1,5 @@
+# 6001a930ce03 ("netfilter: nftables: introduce table ownership")
+# v5.12-rc1~200^2~6^2
+table t {
+	flags owner;
+}
diff --git a/tests/shell/helpers/nft-valgrind-wrapper.sh b/tests/shell/helpers/nft-valgrind-wrapper.sh
new file mode 100755
index 0000000..98bbdf4
--- /dev/null
+++ b/tests/shell/helpers/nft-valgrind-wrapper.sh
@@ -0,0 +1,31 @@
+#!/bin/bash -e
+
+SUFFIX="$(date "+%H%M%S.%6N").$$"
+
+rc=0
+libtool \
+	--mode=execute \
+	valgrind \
+		--log-file="$NFT_TEST_TESTTMPDIR/valgrind.$SUFFIX.%p.log" \
+		--trace-children=yes \
+		--leak-check=full \
+		--show-leak-kinds=all \
+		--num-callers=100 \
+		--error-exitcode=122 \
+		--vgdb-prefix="$_NFT_TEST_VALGRIND_VGDB_PREFIX-$SUFFIX" \
+		$NFT_TEST_VALGRIND_OPTS \
+		"$NFT_REAL" \
+		"$@" \
+	|| rc=$?
+
+if [ "$rc" -eq 122 ] ; then
+	shopt -s nullglob
+	FILES=( "$NFT_TEST_TESTTMPDIR/valgrind.$SUFFIX."*".log" )
+	shopt -u nullglob
+	(
+		printf '%s\n' "args: $*"
+		printf '%s\n' "${FILES[*]}"
+	) >> "$NFT_TEST_TESTTMPDIR/rc-failed-valgrind"
+fi
+
+exit $rc
diff --git a/tests/shell/helpers/random-source.sh b/tests/shell/helpers/random-source.sh
new file mode 100755
index 0000000..91a8248
--- /dev/null
+++ b/tests/shell/helpers/random-source.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Commands like `sort` and `shuf` have a "--random-source" argument, for
+# generating a stable, reproducible output. However, they require an input
+# that provides sufficiently many bytes (depending on the input).
+#
+# This script generates a stream that can be used like
+#
+#     shuf --random-source=<($0 "$seed")
+
+seed=""
+for a; do
+	seed="$seed${#a}:$a\n"
+done
+
+if command -v openssl &>/dev/null ; then
+	# We have openssl. Use it.
+	# https://www.gnu.org/software/coreutils/manual/html_node/Random-sources.html#Random-sources
+	#
+	# Note that we don't care that different installations/architectures generate the
+	# same output.
+	openssl enc -aes-256-ctr -pass "pass:$seed" -nosalt </dev/zero 2>/dev/null
+else
+	# Hack something. It's much slower.
+	idx=0
+	while : ; do
+		idx="$((idx++))"
+		seed="$(sha256sum <<<"$idx.$seed")"
+		echo ">>>$seed" >> a
+		seed="${seed%% *}"
+		LANG=C awk -v s="$seed" 'BEGIN{
+			for (i=1; i <= length(s); i+=2) {
+				xchar = substr(s, i, 2);
+				decnum = strtonum("0x"xchar);
+				printf("%c", decnum);
+			}
+		}' || break
+	done
+fi
+exit 0
diff --git a/tests/shell/helpers/test-wrapper.sh b/tests/shell/helpers/test-wrapper.sh
new file mode 100755
index 0000000..13b918f
--- /dev/null
+++ b/tests/shell/helpers/test-wrapper.sh
@@ -0,0 +1,223 @@
+#!/bin/bash -e
+
+# This wrapper wraps the invocation of the test. It is called by run-tests.sh,
+# and already in the unshared namespace.
+#
+# For some printf debugging, you can also patch this file.
+
+array_contains() {
+	local needle="$1"
+	local a
+	shift
+	for a; do
+		[ "$a" = "$needle" ] && return 0
+	done
+	return 1
+}
+
+TEST="$1"
+TESTBASE="$(basename "$TEST")"
+TESTDIR="$(dirname "$TEST")"
+
+START_TIME="$(cut -d ' ' -f1 /proc/uptime)"
+
+export TMPDIR="$NFT_TEST_TESTTMPDIR"
+
+CLEANUP_UMOUNT_VAR_RUN=n
+
+cleanup() {
+	if [ "$CLEANUP_UMOUNT_VAR_RUN" = y ] ; then
+		umount "/var/run" &>/dev/null || :
+	fi
+}
+
+trap cleanup EXIT
+
+printf '%s\n' "$TEST" > "$NFT_TEST_TESTTMPDIR/name"
+
+read tainted_before < /proc/sys/kernel/tainted
+
+if [ "$NFT_TEST_HAS_UNSHARED_MOUNT" = y ] ; then
+	# We have a private mount namespace. We will mount /var/run/ as a tmpfs.
+	#
+	# The main purpose is so that we can create /var/run/netns, which is
+	# required for `ip netns add` to work.  When running as rootless, this
+	# is necessary to get such tests to pass. When running rootful, it's
+	# still useful to not touch the "real" /var/run/netns of the system.
+	#
+	# Note that this also hides everything that might reside in /var/run.
+	# That is desirable, as tests should not depend on content there (or if
+	# they do, we need to explicitly handle it as appropriate).
+	if mount -t tmpfs --make-private "/var/run" ; then
+		CLEANUP_UMOUNT_VAR_RUN=y
+	fi
+	mkdir -p /var/run/netns
+fi
+
+TEST_TAGS_PARSED=0
+ensure_TEST_TAGS() {
+	if [ "$TEST_TAGS_PARSED" = 0 ] ; then
+		TEST_TAGS_PARSED=1
+		TEST_TAGS=( $(sed -n '1,10 { s/^.*\<\(NFT_TEST_REQUIRES\|NFT_TEST_SKIP\)\>\s*(\s*\(NFT_TEST_SKIP_[a-zA-Z0-9_]\+\|NFT_TEST_HAVE_[a-zA-Z0-9_]\+\)\s*).*$/\1(\2)/p }' "$1" 2>/dev/null || : ) )
+	fi
+}
+
+rc_test=0
+
+if [ "$rc_test" -eq 0 ] ; then
+	for KEY in $(compgen -v | grep '^NFT_TEST_HAVE_') ; do
+		if [ "${!KEY}" != n ]; then
+			continue
+		fi
+		ensure_TEST_TAGS "$TEST"
+		if array_contains "NFT_TEST_REQUIRES($KEY)" "${TEST_TAGS[@]}" ; then
+			echo "Test skipped due to $KEY=n (test has \"NFT_TEST_REQUIRES($KEY)\" tag)" >> "$NFT_TEST_TESTTMPDIR/testout.log"
+			rc_test=77
+			break
+		fi
+	done
+fi
+
+if [ "$rc_test" -eq 0 ] ; then
+	for KEY in $(compgen -v | grep '^NFT_TEST_SKIP_') ; do
+		if [ "${!KEY}" != y ]; then
+			continue
+		fi
+		ensure_TEST_TAGS "$TEST"
+		if array_contains "NFT_TEST_SKIP($KEY)" "${TEST_TAGS[@]}" ; then
+			echo "Test skipped due to $KEY=y (test has \"NFT_TEST_SKIP($KEY)\" tag)" >> "$NFT_TEST_TESTTMPDIR/testout.log"
+			rc_test=77
+			break
+		fi
+	done
+fi
+
+if [ "$rc_test" -eq 0 ] ; then
+	"$TEST" &>> "$NFT_TEST_TESTTMPDIR/testout.log" || rc_test=$?
+fi
+
+$NFT list ruleset > "$NFT_TEST_TESTTMPDIR/ruleset-after"
+
+read tainted_after < /proc/sys/kernel/tainted
+
+DUMPPATH="$TESTDIR/dumps"
+DUMPFILE="$DUMPPATH/$TESTBASE.nft"
+NODUMPFILE="$DUMPPATH/$TESTBASE.nodump"
+
+dump_written=
+
+# The caller can request a re-geneating of the dumps, by setting
+# DUMPGEN=y.
+#
+# This only will happen if the command completed with success.
+#
+# It also will only happen for tests, that have a "$DUMPPATH" directory. There
+# might be tests, that don't want to have dumps created. The existence of the
+# directory controls that. Tests that have a "$NODUMPFILE" file, don't get a dump generated.
+if [ "$rc_test" -eq 0 -a "$DUMPGEN" = y -a -d "$DUMPPATH" -a ! -f "$NODUMPFILE" ] ; then
+	dump_written=y
+	if [ ! -f "$DUMPFILE" ] ; then
+		# No dumpfile exists yet. We generate both a .nft and a .nodump
+		# file. The user can pick which one to commit to git.
+		: > "$NODUMPFILE"
+	fi
+	cat "$NFT_TEST_TESTTMPDIR/ruleset-after" > "$DUMPFILE"
+fi
+
+rc_dump=0
+if [ "$rc_test" -ne 77 -a -f "$DUMPFILE" ] ; then
+	if [ "$dump_written" != y ] ; then
+		if ! $DIFF -u "$DUMPFILE" "$NFT_TEST_TESTTMPDIR/ruleset-after" &> "$NFT_TEST_TESTTMPDIR/ruleset-diff" ; then
+			rc_dump=1
+		else
+			rm -f "$NFT_TEST_TESTTMPDIR/ruleset-diff"
+		fi
+	fi
+fi
+if [ "$rc_dump" -ne 0 ] ; then
+	echo "$DUMPFILE" > "$NFT_TEST_TESTTMPDIR/rc-failed-dump"
+fi
+
+rc_chkdump=0
+# check that a flush after the test succeeds. We anyway need a clean ruleset
+# for the `nft --check` next.
+$NFT flush ruleset &> "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump" || rc_chkdump=1
+if [ -f "$DUMPFILE" ] ; then
+	# We have a dumpfile. Call `nft --check` to possibly cover new code
+	# paths.
+	if [ "$rc_test" -eq 77 ] ; then
+		# The test was skipped. Possibly we don't have the required
+		# features to process this file. Ignore any output and exit
+		# code, but still call the program (for valgrind or sanitizer
+		# issue we hope to find).
+		$NFT --check -f "$DUMPFILE" &>/dev/null || :
+	else
+		$NFT --check -f "$DUMPFILE" &>> "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump" || rc_chkdump=1
+	fi
+fi
+if [ -s "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump" ] ; then
+	# Non-empty output? That is wrong.
+	rc_chkdump=1
+elif [ "$rc_chkdump" -eq 0 ] ; then
+	rm -rf "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump"
+fi
+if [ "$rc_chkdump" -ne 0 ] ; then
+	# Ensure we don't have empty output files. Always write something, so
+	# that `grep ^ -R` lists the file.
+	echo -e "<<<<<\n\nCalling \`nft --check\` (or \`nft flush ruleset\`) failed for \"$DUMPFILE\"" >> "$NFT_TEST_TESTTMPDIR/rc-failed-chkdump"
+fi
+
+rc_valgrind=0
+[ -f "$NFT_TEST_TESTTMPDIR/rc-failed-valgrind" ] && rc_valgrind=1
+
+rc_tainted=0
+if [ "$tainted_before" != "$tainted_after" ] ; then
+	echo "$tainted_after" > "$NFT_TEST_TESTTMPDIR/rc-failed-tainted"
+	rc_tainted=1
+fi
+
+if [ "$rc_valgrind" -ne 0 ] ; then
+	rc_exit=122
+elif [ "$rc_tainted" -ne 0 ] ; then
+	rc_exit=123
+elif [ "$rc_test" -ge 118 -a "$rc_test" -le 124 ] ; then
+	# Special exit codes are reserved. Coerce them.
+	rc_exit=125
+elif [ "$rc_test" -ne 0 ] ; then
+	rc_exit="$rc_test"
+elif [ "$rc_dump" -ne 0 ] ; then
+	rc_exit=124
+elif [ "$rc_chkdump" -ne 0 ] ; then
+	rc_exit=121
+else
+	rc_exit=0
+fi
+
+
+# We always write the real exit code of the test ($rc_test) to one of the files
+# rc-{ok,skipped,failed}, depending on which it is.
+#
+# Note that there might be other rc-failed-{dump,tainted,valgrind} files with
+# additional errors. Note that if such files exist, the overall state will
+# always be failed too (and an "rc-failed" file exists).
+#
+# On failure, we also write the combined "$rc_exit" code from "test-wrapper.sh"
+# to "rc-failed-exit" file.
+#
+# This means, failed tests will have a "rc-failed" file, and additional
+# "rc-failed-*" files exist for further information.
+if [ "$rc_exit" -eq 0 ] ; then
+	RC_FILENAME="rc-ok"
+elif [ "$rc_exit" -eq 77 ] ; then
+	RC_FILENAME="rc-skipped"
+else
+	RC_FILENAME="rc-failed"
+	echo "$rc_exit" > "$NFT_TEST_TESTTMPDIR/rc-failed-exit"
+fi
+echo "$rc_test" > "$NFT_TEST_TESTTMPDIR/$RC_FILENAME"
+
+END_TIME="$(cut -d ' ' -f1 /proc/uptime)"
+WALL_TIME="$(awk -v start="$START_TIME" -v end="$END_TIME" "BEGIN { print(end - start) }")"
+printf "%s\n" "$WALL_TIME" "$START_TIME" "$END_TIME" > "$NFT_TEST_TESTTMPDIR/times"
+
+exit "$rc_exit"
diff --git a/tests/shell/log b/tests/shell/log
new file mode 100644
index 0000000..dd8204a
--- /dev/null
+++ b/tests/shell/log
@@ -0,0 +1,41 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: NFT_TEST_FAIL_ON_SKIP=n
+I: conf: NFT_TEST_RANDOM_SEED=975674303
+I: conf: NFT_TEST_SHUFFLE_TESTS=y
+I: conf: TMPDIR=/tmp
+
+I: conf: NFT_TEST_SKIP_slow=n
+I: conf: NFT_TEST_HAVE_bitshift=y
+I: conf: NFT_TEST_HAVE_catchall_element=y
+I: conf: NFT_TEST_HAVE_chain_binding=y
+I: conf: NFT_TEST_HAVE_ctexpect=y
+I: conf: NFT_TEST_HAVE_cttimeout=y
+I: conf: NFT_TEST_HAVE_destroy=y
+I: conf: NFT_TEST_HAVE_inet_ingress=y
+I: conf: NFT_TEST_HAVE_inner_matching=y
+I: conf: NFT_TEST_HAVE_json=y
+I: conf: NFT_TEST_HAVE_map_lookup=y
+I: conf: NFT_TEST_HAVE_netdev_chain_without_device=y
+I: conf: NFT_TEST_HAVE_netdev_egress=y
+I: conf: NFT_TEST_HAVE_osf=y
+I: conf: NFT_TEST_HAVE_reset_rule=y
+I: conf: NFT_TEST_HAVE_reset_set=y
+I: conf: NFT_TEST_HAVE_sctp_chunks=y
+I: conf: NFT_TEST_HAVE_set_with_two_expressions=y
+I: conf: NFT_TEST_HAVE_table_flag_owner=y
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20231013-172649.494.0MPMPC
+
diff --git a/tests/shell/log-0 b/tests/shell/log-0
new file mode 100644
index 0000000..3b5cc2e
--- /dev/null
+++ b/tests/shell/log-0
@@ -0,0 +1,393 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-034240.938.Qsx0OT
+
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 373 [SKIPPED] 0 [FAILED] 0 [TOTAL] 373
diff --git a/tests/shell/log-1 b/tests/shell/log-1
new file mode 100644
index 0000000..d2790d8
--- /dev/null
+++ b/tests/shell/log-1
@@ -0,0 +1,395 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-040313.211.hBf9Yz
+
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+./helpers/test-wrapper.sh: línea 46: /tmp/nft-test.20230908-040227.551.9oVD5e/test-.-testcases-chains-0020depth_1.41/ruleset-after: No existe el fichero o el directorio
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+./helpers/test-wrapper.sh: línea 46: /tmp/nft-test.20230908-040227.551.9oVD5e/test-.-testcases-chains-0021prio_0.42/ruleset-after: No existe el fichero o el directorio
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 373 [SKIPPED] 0 [FAILED] 0 [TOTAL] 373
diff --git a/tests/shell/log-10 b/tests/shell/log-10
new file mode 100644
index 0000000..048215f
--- /dev/null
+++ b/tests/shell/log-10
@@ -0,0 +1,393 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-065520.315.73c1aF
+
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 373 [SKIPPED] 0 [FAILED] 0 [TOTAL] 373
diff --git a/tests/shell/log-11 b/tests/shell/log-11
new file mode 100644
index 0000000..6ec6e03
--- /dev/null
+++ b/tests/shell/log-11
@@ -0,0 +1,394 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-071422.873.Iqesdi
+
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0014objects_0
+./run-tests.sh: línea 417: echo: error de escritura: Llamada al sistema interrumpida
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 373 [SKIPPED] 0 [FAILED] 0 [TOTAL] 373
diff --git a/tests/shell/log-12 b/tests/shell/log-12
new file mode 100644
index 0000000..cbaab14
--- /dev/null
+++ b/tests/shell/log-12
@@ -0,0 +1,394 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-073337.934.U6SWhK
+
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+./run-tests.sh: línea 417: echo: error de escritura: Llamada al sistema interrumpida
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 373 [SKIPPED] 0 [FAILED] 0 [TOTAL] 373
diff --git a/tests/shell/log-13 b/tests/shell/log-13
new file mode 100644
index 0000000..0f7960b
--- /dev/null
+++ b/tests/shell/log-13
@@ -0,0 +1,393 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-075245.323.jrYR8p
+
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 373 [SKIPPED] 0 [FAILED] 0 [TOTAL] 373
diff --git a/tests/shell/log-14 b/tests/shell/log-14
new file mode 100644
index 0000000..b7fbfe6
--- /dev/null
+++ b/tests/shell/log-14
@@ -0,0 +1,393 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-081152.369.B4cloZ
+
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 373 [SKIPPED] 0 [FAILED] 0 [TOTAL] 373
diff --git a/tests/shell/log-15 b/tests/shell/log-15
new file mode 100644
index 0000000..b0ec056
--- /dev/null
+++ b/tests/shell/log-15
@@ -0,0 +1,393 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-083048.644.V73BFi
+
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 373 [SKIPPED] 0 [FAILED] 0 [TOTAL] 373
diff --git a/tests/shell/log-16 b/tests/shell/log-16
new file mode 100644
index 0000000..19f44f1
--- /dev/null
+++ b/tests/shell/log-16
@@ -0,0 +1,395 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-085003.385.6jawWe
+
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+W: [FAILED]	kmemleak detected 2 memory leaks
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0046set_0
+W: [FAILED]	kmemleak detected 0 memory leaks
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 373 [SKIPPED] 0 [FAILED] 0 [TOTAL] 373
diff --git a/tests/shell/log-17 b/tests/shell/log-17
new file mode 100644
index 0000000..7856993
--- /dev/null
+++ b/tests/shell/log-17
@@ -0,0 +1,396 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-090913.763.7JmqSw
+
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+W: [FAILED]     ./testcases/transactions/30s-stress: got 123
+W: [FAILED]     ./testcases/sets/0043concatenated_ranges_1: got 123
+W: [FAILED]     ./testcases/maps/vmap_timeout: got 123
+W: [FAILED]     ./testcases/sets/automerge_0: got 123
+W: [FAILED]     ./testcases/sets/0044interval_overlap_1: got 123
+W: [FAILED]     ./testcases/sets/0044interval_overlap_0: got 123
+W: [FAILED]     ./testcases/sets/0043concatenated_ranges_0: got 123
+
+I: results: [OK] 366 [SKIPPED] 0 [FAILED] 7 [TOTAL] 373
+I: check the temp directory "/tmp/nft-test.20230908-090913.763.7JmqSw" ("/tmp/nft-test.latest.root")
+I:    ls -lad "/tmp/nft-test.latest.root"/*/*
+I:    grep -R ^ "/tmp/nft-test.latest.root"/
diff --git a/tests/shell/log-18 b/tests/shell/log-18
new file mode 100644
index 0000000..c94430e
--- /dev/null
+++ b/tests/shell/log-18
@@ -0,0 +1,394 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-092813.735.QfPduO
+
+W: [FAILED]	kernel is tainted
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 373 [SKIPPED] 0 [FAILED] 0 [TOTAL] 373
diff --git a/tests/shell/log-19 b/tests/shell/log-19
new file mode 100644
index 0000000..0d1dde7
--- /dev/null
+++ b/tests/shell/log-19
@@ -0,0 +1,395 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-094709.304.3MOhCT
+
+W: [FAILED]	kernel is tainted
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/skip_non_eq
+./run-tests.sh: línea 417: echo: error de escritura: Llamada al sistema interrumpida
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 373 [SKIPPED] 0 [FAILED] 0 [TOTAL] 373
diff --git a/tests/shell/log-2 b/tests/shell/log-2
new file mode 100644
index 0000000..a21ad8b
--- /dev/null
+++ b/tests/shell/log-2
@@ -0,0 +1,393 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-042224.066.0IULfA
+
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 373 [SKIPPED] 0 [FAILED] 0 [TOTAL] 373
diff --git a/tests/shell/log-3 b/tests/shell/log-3
new file mode 100644
index 0000000..c671908
--- /dev/null
+++ b/tests/shell/log-3
@@ -0,0 +1,393 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-044118.092.gRCtxw
+
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 373 [SKIPPED] 0 [FAILED] 0 [TOTAL] 373
diff --git a/tests/shell/log-4 b/tests/shell/log-4
new file mode 100644
index 0000000..cbbe138
--- /dev/null
+++ b/tests/shell/log-4
@@ -0,0 +1,394 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-050031.108.TYKrPN
+
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+./run-tests.sh: línea 417: echo: error de escritura: Llamada al sistema interrumpida
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 373 [SKIPPED] 0 [FAILED] 0 [TOTAL] 373
diff --git a/tests/shell/log-5 b/tests/shell/log-5
new file mode 100644
index 0000000..093ced7
--- /dev/null
+++ b/tests/shell/log-5
@@ -0,0 +1,393 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-051942.497.rZkwem
+
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 373 [SKIPPED] 0 [FAILED] 0 [TOTAL] 373
diff --git a/tests/shell/log-6 b/tests/shell/log-6
new file mode 100644
index 0000000..2e91549
--- /dev/null
+++ b/tests/shell/log-6
@@ -0,0 +1,393 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-053846.566.vmUD0F
+
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 373 [SKIPPED] 0 [FAILED] 0 [TOTAL] 373
diff --git a/tests/shell/log-7 b/tests/shell/log-7
new file mode 100644
index 0000000..880f7e5
--- /dev/null
+++ b/tests/shell/log-7
@@ -0,0 +1,393 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-055748.021.YK3a5b
+
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0012chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 373 [SKIPPED] 0 [FAILED] 0 [TOTAL] 373
diff --git a/tests/shell/log-8 b/tests/shell/log-8
new file mode 100644
index 0000000..ba61aa1
--- /dev/null
+++ b/tests/shell/log-8
@@ -0,0 +1,397 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-061702.084.69Rom6
+
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/typeof_sets_concat
+W: [FAILED]     ./testcases/sets/reset_command_0: got 1
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+./run-tests.sh: línea 417: echo: error de escritura: Llamada al sistema interrumpida
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 372 [SKIPPED] 0 [FAILED] 1 [TOTAL] 373
+I: check the temp directory "/tmp/nft-test.20230908-061702.084.69Rom6" ("/tmp/nft-test.latest.root")
+I:    ls -lad "/tmp/nft-test.latest.root"/*/*
+I:    grep -R ^ "/tmp/nft-test.latest.root"/
diff --git a/tests/shell/log-9 b/tests/shell/log-9
new file mode 100644
index 0000000..17c9ca2
--- /dev/null
+++ b/tests/shell/log-9
@@ -0,0 +1,393 @@
+I: conf: NFT=./../../src/nft
+I: conf: NFT_REAL=./../../src/nft
+I: conf: VERBOSE=n
+I: conf: DUMPGEN=n
+I: conf: VALGRIND=n
+I: conf: KMEMLEAK=n
+I: conf: NFT_TEST_HAS_REALROOT=y
+I: conf: NFT_TEST_HAS_SOCKET_LIMITS=n
+I: conf: NFT_TEST_UNSHARE_CMD=unshare\ -f\ -n\ -m
+I: conf: NFT_TEST_HAS_UNSHARED=y
+I: conf: NFT_TEST_HAS_UNSHARED_MOUNT=y
+I: conf: NFT_TEST_KEEP_LOGS=n
+I: conf: NFT_TEST_JOBS=12
+I: conf: TMPDIR=/tmp
+
+I: info: NFT_TEST_BASEDIR=.
+I: info: NFT_TEST_TMPDIR=/tmp/nft-test.20230908-063609.833.1uFcfR
+
+I: [OK]         ./testcases/bitwise/0040mark_binop_0
+I: [OK]         ./testcases/bitwise/0040mark_binop_2
+I: [OK]         ./testcases/bitwise/0040mark_binop_1
+I: [OK]         ./testcases/bitwise/0040mark_binop_3
+I: [OK]         ./testcases/bitwise/0040mark_binop_4
+I: [OK]         ./testcases/bitwise/0040mark_binop_5
+I: [OK]         ./testcases/bitwise/0040mark_binop_6
+I: [OK]         ./testcases/bitwise/0040mark_binop_7
+I: [OK]         ./testcases/bitwise/0040mark_binop_8
+I: [OK]         ./testcases/bitwise/0040mark_binop_9
+I: [OK]         ./testcases/cache/0004_cache_update_0
+I: [OK]         ./testcases/cache/0002_interval_0
+I: [OK]         ./testcases/bogons/assert_failures
+I: [OK]         ./testcases/cache/0005_cache_chain_flush
+I: [OK]         ./testcases/cache/0006_cache_table_flush
+I: [OK]         ./testcases/cache/0011_index_0
+I: [OK]         ./testcases/cache/0010_implicit_chain_0
+I: [OK]         ./testcases/cache/0007_echo_cache_init_0
+I: [OK]         ./testcases/cache/0001_cache_handling_0
+I: [OK]         ./testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]         ./testcases/cache/0003_cache_update_0
+I: [OK]         ./testcases/chains/0006masquerade_0
+I: [OK]         ./testcases/chains/0007masquerade_1
+I: [OK]         ./testcases/chains/0004busy_1
+I: [OK]         ./testcases/chains/0005busy_map_1
+I: [OK]         ./testcases/chains/0008masquerade_jump_1
+I: [OK]         ./testcases/chains/0010endless_jump_loop_1
+I: [OK]         ./testcases/chains/0009masquerade_jump_1
+I: [OK]         ./testcases/chains/0013rename_0
+I: [OK]         ./testcases/chains/0014rename_0
+I: [OK]         ./testcases/cache/0008_delete_by_handle_0
+I: [OK]         ./testcases/chains/0011endless_jump_loop_1
+I: [OK]         ./testcases/chains/0015check_jump_loop_1
+I: [OK]         ./testcases/chains/0017masquerade_jump_1
+I: [OK]         ./testcases/chains/0019masquerade_jump_1
+I: [OK]         ./testcases/chains/0018check_jump_loop_1
+I: [OK]         ./testcases/chains/0016delete_handle_0
+I: [OK]         ./testcases/chains/0022prio_dummy_1
+I: [OK]         ./testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]         ./testcases/chains/0028prio_bridge_out_1
+I: [OK]         ./testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]         ./testcases/chains/0001jumps_0
+I: [OK]         ./testcases/chains/0030create_0
+I: [OK]         ./testcases/chains/0031priority_variable_0
+I: [OK]         ./testcases/chains/0032priority_variable_0
+I: [OK]         ./testcases/chains/0003jump_loop_1
+I: [OK]         ./testcases/chains/0033priority_variable_1
+I: [OK]         ./testcases/chains/0002jumps_1
+I: [OK]         ./testcases/chains/0034priority_variable_1
+I: [OK]         ./testcases/chains/0035policy_variable_0
+I: [OK]         ./testcases/chains/0037policy_variable_1
+I: [OK]         ./testcases/chains/0036policy_variable_0
+I: [OK]         ./testcases/chains/0038policy_variable_1
+I: [OK]         ./testcases/chains/0024prio_inet_dstnat_1
+I: [OK]         ./testcases/chains/0023prio_inet_srcnat_1
+I: [OK]         ./testcases/chains/0039negative_priority_0
+I: [OK]         ./testcases/chains/0025prio_arp_1
+I: [OK]         ./testcases/chains/0026prio_netdev_1
+I: [OK]         ./testcases/flowtable/0001flowtable_0
+I: [OK]         ./testcases/comments/comments_0
+I: [OK]         ./testcases/chains/0041chain_binding_0
+I: [OK]         ./testcases/chains/0042chain_variable_0
+I: [OK]         ./testcases/chains/0043chain_ingress_0
+I: [OK]         ./testcases/chains/0044chain_destroy_0
+I: [OK]         ./testcases/chains/netdev_chain_0
+I: [OK]         ./testcases/flowtable/0004delete_after_add_0
+I: [OK]         ./testcases/flowtable/0002create_flowtable_0
+I: [OK]         ./testcases/flowtable/0005delete_in_use_1
+I: [OK]         ./testcases/flowtable/0003add_after_flush_0
+I: [OK]         ./testcases/flowtable/0006segfault_0
+I: [OK]         ./testcases/flowtable/0012flowtable_variable_0
+I: [OK]         ./testcases/flowtable/0013addafterdelete_0
+I: [OK]         ./testcases/flowtable/0010delete_handle_0
+I: [OK]         ./testcases/flowtable/0014addafterdelete_0
+I: [OK]         ./testcases/include/0001absolute_0
+I: [OK]         ./testcases/flowtable/0009deleteafterflush_0
+I: [OK]         ./testcases/include/0002relative_0
+I: [OK]         ./testcases/chains/0020depth_1
+I: [OK]         ./testcases/include/0003includepath_0
+I: [OK]         ./testcases/flowtable/0015destroy_0
+I: [OK]         ./testcases/flowtable/0011deleteafterflush_0
+I: [OK]         ./testcases/flowtable/0008prio_1
+I: [OK]         ./testcases/include/0004endlessloop_1
+I: [OK]         ./testcases/include/0005glob_empty_0
+I: [OK]         ./testcases/include/0006glob_single_0
+I: [OK]         ./testcases/include/0007glob_double_0
+I: [OK]         ./testcases/include/0008glob_nofile_wildcard_0
+I: [OK]         ./testcases/include/0009glob_nofile_1
+I: [OK]         ./testcases/include/0010glob_broken_file_1
+I: [OK]         ./testcases/flowtable/0007prio_0
+I: [OK]         ./testcases/chains/0021prio_0
+I: [OK]         ./testcases/include/0011glob_dependency_0
+I: [OK]         ./testcases/include/0012glob_dependency_1
+I: [OK]         ./testcases/include/0013glob_dotfile_0
+I: [OK]         ./testcases/include/0013input_descriptors_included_files_0
+I: [OK]         ./testcases/include/0014glob_directory_0
+I: [OK]         ./testcases/include/0015doubleincludepath_0
+I: [OK]         ./testcases/include/0016maxdepth_0
+I: [OK]         ./testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]         ./testcases/include/0018include_error_0
+I: [OK]         ./testcases/include/0019include_error_0
+I: [OK]         ./testcases/include/0020include_chain_0
+I: [OK]         ./testcases/listing/0002ruleset_0
+I: [OK]         ./testcases/json/0002table_map_0
+I: [OK]         ./testcases/listing/0001ruleset_0
+I: [OK]         ./testcases/json/0001set_statements_0
+I: [OK]         ./testcases/json/0003json_schema_version_0
+I: [OK]         ./testcases/json/0004json_schema_version_1
+I: [OK]         ./testcases/json/0005secmark_objref_0
+I: [OK]         ./testcases/json/0006obj_comment_0
+I: [OK]         ./testcases/listing/0003table_0
+I: [OK]         ./testcases/listing/0004table_0
+I: [OK]         ./testcases/json/netdev
+I: [OK]         ./testcases/listing/0005ruleset_ip_0
+I: [OK]         ./testcases/listing/0006ruleset_ip6_0
+I: [OK]         ./testcases/listing/0015dynamic_0
+I: [OK]         ./testcases/listing/0008ruleset_arp_0
+I: [OK]         ./testcases/listing/0007ruleset_inet_0
+I: [OK]         ./testcases/listing/0009ruleset_bridge_0
+I: [OK]         ./testcases/listing/0014objects_0
+I: [OK]         ./testcases/listing/0013objects_0
+I: [OK]         ./testcases/listing/0016anonymous_0
+I: [OK]         ./testcases/listing/0017objects_0
+I: [OK]         ./testcases/listing/0018data_0
+I: [OK]         ./testcases/listing/0019set_0
+I: [OK]         ./testcases/listing/0021ruleset_json_terse_0
+I: [OK]         ./testcases/listing/0022terse_0
+I: [OK]         ./testcases/listing/0020flowtable_0
+I: [OK]         ./testcases/listing/0010sets_0
+I: [OK]         ./testcases/listing/0012sets_0
+I: [OK]         ./testcases/listing/0011sets_0
+I: [OK]         ./testcases/maps/0007named_ifname_dtype_0
+I: [OK]         ./testcases/maps/0009vmap_0
+I: [OK]         ./testcases/maps/0010concat_map_0
+I: [OK]         ./testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]         ./testcases/maps/0006interval_map_overlap_0
+I: [OK]         ./testcases/maps/0013map_0
+I: [OK]         ./testcases/maps/0011vmap_0
+I: [OK]         ./testcases/maps/0012map_0
+I: [OK]         ./testcases/maps/0017_map_variable_0
+I: [OK]         ./testcases/maps/0003map_add_many_elements_0
+I: [OK]         ./testcases/maps/anon_objmap_concat
+I: [OK]         ./testcases/maps/0008interval_map_delete_0
+I: [OK]         ./testcases/maps/0014destroy_0
+I: [OK]         ./testcases/maps/different_map_types_1
+I: [OK]         ./testcases/maps/anonymous_snat_map_0
+I: [OK]         ./testcases/maps/map_with_flags_0
+I: [OK]         ./testcases/maps/map_catchall_double_deactivate
+I: [OK]         ./testcases/maps/0016map_leak_0
+I: [OK]         ./testcases/maps/typeof_maps_0
+I: [OK]         ./testcases/maps/named_snat_map_0
+I: [OK]         ./testcases/maps/typeof_integer_0
+I: [OK]         ./testcases/maps/typeof_maps_concat
+I: [OK]         ./testcases/maps/typeof_maps_concat_update_0
+I: [OK]         ./testcases/maps/typeof_maps_update_0
+I: [OK]         ./testcases/maps/typeof_maps_add_delete
+I: [OK]         ./testcases/maps/typeof_raw_0
+I: [OK]         ./testcases/nft-f/0001define_slash_0
+I: [OK]         ./testcases/netns/0001nft-f_0
+I: [OK]         ./testcases/nft-f/0002rollback_rule_0
+I: [OK]         ./testcases/nft-f/0003rollback_jump_0
+I: [OK]         ./testcases/nft-f/0004rollback_set_0
+I: [OK]         ./testcases/nft-f/0005rollback_map_0
+I: [OK]         ./testcases/maps/0018map_leak_timeout_0
+I: [OK]         ./testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]         ./testcases/nft-f/0008split_tables_0
+I: [OK]         ./testcases/nft-f/0006action_object_0
+I: [OK]         ./testcases/nft-f/0009variable_0
+I: [OK]         ./testcases/nft-f/0010variable_0
+I: [OK]         ./testcases/nft-f/0012different_defines_0
+I: [OK]         ./testcases/nft-f/0013defines_1
+I: [OK]         ./testcases/nft-f/0014defines_1
+I: [OK]         ./testcases/nft-f/0015defines_1
+I: [OK]         ./testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]         ./testcases/nft-f/0016redefines_1
+I: [OK]         ./testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]         ./testcases/nft-f/0018jump_variable_0
+I: [OK]         ./testcases/netns/0002loosecommands_0
+I: [OK]         ./testcases/nft-f/0019jump_variable_1
+I: [OK]         ./testcases/nft-f/0020jump_variable_1
+I: [OK]         ./testcases/maps/nat_addr_port
+I: [OK]         ./testcases/nft-f/0021list_ruleset_0
+I: [OK]         ./testcases/nft-f/0022variables_0
+I: [OK]         ./testcases/nft-f/0024priority_0
+I: [OK]         ./testcases/nft-f/0025empty_dynset_0
+I: [OK]         ./testcases/nft-f/0026listing_0
+I: [OK]         ./testcases/nft-f/0023check_1
+I: [OK]         ./testcases/nft-f/0027split_chains_0
+I: [OK]         ./testcases/nft-f/0031vmap_string_0
+I: [OK]         ./testcases/nft-f/0030variable_reuse_0
+I: [OK]         ./testcases/maps/0004interval_map_create_once_0
+I: [OK]         ./testcases/nft-f/0029split_file_0
+I: [OK]         ./testcases/nft-f/0032pknock_0
+I: [OK]         ./testcases/optimizations/dependency_kill
+I: [OK]         ./testcases/nft-f/0028variable_cmdline_0
+I: [OK]         ./testcases/nft-i/0001define_0
+I: [OK]         ./testcases/optimizations/merge_stmts
+I: [OK]         ./testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]         ./testcases/optimizations/merge_stmts_vmap
+I: [OK]         ./testcases/optimizations/merge_vmap_raw
+I: [OK]         ./testcases/optimizations/merge_reject
+I: [OK]         ./testcases/optimizations/merge_stmts_concat
+I: [OK]         ./testcases/optimizations/not_mergeable
+I: [OK]         ./testcases/optimizations/merge_vmaps
+I: [OK]         ./testcases/optimizations/single_anon_set
+I: [OK]         ./testcases/optimizations/skip_merge
+I: [OK]         ./testcases/optimizations/skip_non_eq
+I: [OK]         ./testcases/optimizations/merge_nat
+I: [OK]         ./testcases/optimizations/variables
+I: [OK]         ./testcases/optimizations/skip_unsupported
+I: [OK]         ./testcases/optimizations/ruleset
+I: [OK]         ./testcases/optionals/comments_0
+I: [OK]         ./testcases/optionals/comments_chain_0
+I: [OK]         ./testcases/optionals/comments_objects_0
+I: [OK]         ./testcases/optionals/comments_table_0
+I: [OK]         ./testcases/optionals/comments_handles_0
+I: [OK]         ./testcases/optionals/comments_objects_dup_0
+I: [OK]         ./testcases/optionals/log_prefix_0
+I: [OK]         ./testcases/parsing/describe
+I: [OK]         ./testcases/parsing/large_rule_pipe
+I: [OK]         ./testcases/owner/0001-flowtable-uaf
+I: [OK]         ./testcases/optionals/handles_0
+I: [OK]         ./testcases/optionals/handles_1
+I: [OK]         ./testcases/optionals/update_object_handles_0
+I: [OK]         ./testcases/parsing/log
+I: [OK]         ./testcases/optionals/delete_object_handles_0
+I: [OK]         ./testcases/parsing/octal
+I: [OK]         ./testcases/rule_management/0005replace_1
+I: [OK]         ./testcases/rule_management/0004replace_0
+I: [OK]         ./testcases/rule_management/0003insert_0
+I: [OK]         ./testcases/rule_management/0002addinsertlocation_1
+I: [OK]         ./testcases/rule_management/0006replace_1
+I: [OK]         ./testcases/rule_management/0008delete_1
+I: [OK]         ./testcases/rule_management/0009delete_1
+I: [OK]         ./testcases/rule_management/0007delete_0
+I: [OK]         ./testcases/sets/0001named_interval_0
+I: [OK]         ./testcases/sets/0002named_interval_automerging_0
+I: [OK]         ./testcases/rule_management/0010replace_0
+I: [OK]         ./testcases/rule_management/0012destroy_0
+I: [OK]         ./testcases/sets/0003named_interval_missing_flag_0
+I: [OK]         ./testcases/rule_management/0011reset_0
+I: [OK]         ./testcases/sets/0004named_interval_shadow_0
+I: [OK]         ./testcases/sets/0005named_interval_shadow_0
+I: [OK]         ./testcases/sets/0006create_set_0
+I: [OK]         ./testcases/sets/0008comments_interval_0
+I: [OK]         ./testcases/sets/0008create_verdict_map_0
+I: [OK]         ./testcases/netns/0003many_0
+I: [OK]         ./testcases/sets/0007create_element_0
+I: [OK]         ./testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]         ./testcases/nft-f/0011manydefines_0
+I: [OK]         ./testcases/sets/0015rulesetflush_0
+I: [OK]         ./testcases/sets/0010comments_0
+I: [OK]         ./testcases/sets/0009comments_timeout_0
+I: [OK]         ./testcases/sets/0016element_leak_0
+I: [OK]         ./testcases/sets/0021nesting_0
+I: [OK]         ./testcases/sets/0018set_check_size_1
+I: [OK]         ./testcases/sets/0017add_after_flush_0
+I: [OK]         ./testcases/sets/0020comments_0
+I: [OK]         ./testcases/sets/0023incomplete_add_set_command_0
+I: [OK]         ./testcases/sets/0019set_check_size_0
+I: [OK]         ./testcases/sets/0024named_objects_0
+I: [OK]         ./testcases/sets/0026named_limit_0
+I: [OK]         ./testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]         ./testcases/sets/0022type_selective_flush_0
+I: [OK]         ./testcases/sets/0025anonymous_set_0
+I: [OK]         ./testcases/rule_management/0001addinsertposition_0
+I: [OK]         ./testcases/sets/0031set_timeout_size_0
+I: [OK]         ./testcases/sets/0032restore_set_simple_0
+I: [OK]         ./testcases/sets/0033add_set_simple_flat_0
+I: [OK]         ./testcases/sets/0028autoselect_0
+I: [OK]         ./testcases/sets/0028delete_handle_0
+I: [OK]         ./testcases/sets/0035add_set_elements_flat_0
+I: [OK]         ./testcases/sets/0036add_set_element_expiration_0
+I: [OK]         ./testcases/sets/0037_set_with_inet_service_0
+I: [OK]         ./testcases/sets/0029named_ifname_dtype_0
+I: [OK]         ./testcases/sets/0042update_set_0
+I: [OK]         ./testcases/sets/0039delete_interval_0
+I: [OK]         ./testcases/sets/0038meter_list_0
+I: [OK]         ./testcases/sets/0040get_host_endian_elements_0
+I: [OK]         ./testcases/sets/0045concat_ipv4_service
+I: [OK]         ./testcases/sets/0041interval_0
+I: [OK]         ./testcases/sets/0046netmap_0
+I: [OK]         ./testcases/sets/0047nat_0
+I: [OK]         ./testcases/sets/0011add_many_elements_0
+I: [OK]         ./testcases/sets/0048set_counters_0
+I: [OK]         ./testcases/sets/0049set_define_0
+I: [OK]         ./testcases/sets/0050set_define_1
+I: [OK]         ./testcases/sets/0051set_interval_counter_0
+I: [OK]         ./testcases/sets/0012add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0053echo_0
+I: [OK]         ./testcases/sets/0013add_delete_many_elements_0
+I: [OK]         ./testcases/sets/0052overlap_0
+I: [OK]         ./testcases/sets/0054comments_set_0
+I: [OK]         ./testcases/sets/0055tcpflags_0
+I: [OK]         ./testcases/sets/0034get_element_0
+I: [OK]         ./testcases/sets/0056dynamic_limit_0
+I: [OK]         ./testcases/sets/0058_setupdate_timeout_0
+I: [OK]         ./testcases/sets/0057set_create_fails_0
+I: [OK]         ./testcases/sets/0059set_update_multistmt_0
+I: [OK]         ./testcases/sets/0061anonymous_automerge_0
+I: [OK]         ./testcases/sets/0060set_multistmt_0
+I: [OK]         ./testcases/sets/0060set_multistmt_1
+I: [OK]         ./testcases/sets/0062set_connlimit_0
+I: [OK]         ./testcases/sets/0063set_catchall_0
+I: [OK]         ./testcases/sets/0064map_catchall_0
+I: [OK]         ./testcases/sets/0065_icmp_postprocessing
+I: [OK]         ./testcases/sets/0070stacked_l2_headers
+I: [OK]         ./testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]         ./testcases/sets/0069interval_merge_0
+I: [OK]         ./testcases/sets/collapse_elem_0
+I: [OK]         ./testcases/sets/0067nat_concat_interval_0
+I: [OK]         ./testcases/sets/0072destroy_0
+I: [OK]         ./testcases/sets/concat_interval_0
+I: [OK]         ./testcases/sets/inner_0
+I: [OK]         ./testcases/sets/exact_overlap_0
+I: [OK]         ./testcases/sets/errors_0
+I: [OK]         ./testcases/sets/dynset_missing
+I: [OK]         ./testcases/sets/set_eval_0
+I: [OK]         ./testcases/sets/typeof_raw_0
+I: [OK]         ./testcases/sets/typeof_sets_0
+I: [OK]         ./testcases/sets/typeof_sets_1
+I: [OK]         ./testcases/sets/typeof_sets_concat
+I: [OK]         ./testcases/sets/type_set_symbol
+I: [OK]         ./testcases/transactions/0001table_0
+I: [OK]         ./testcases/transactions/0002table_0
+I: [OK]         ./testcases/sets/reset_command_0
+I: [OK]         ./testcases/transactions/0010chain_0
+I: [OK]         ./testcases/transactions/0011chain_0
+I: [OK]         ./testcases/transactions/0003table_0
+I: [OK]         ./testcases/transactions/0012chain_0
+I: [OK]         ./testcases/sets/0030add_many_elements_interval_0
+I: [OK]         ./testcases/transactions/0013chain_0
+I: [OK]         ./testcases/transactions/0014chain_1
+I: [OK]         ./testcases/transactions/0021rule_0
+I: [OK]         ./testcases/transactions/0020rule_0
+I: [OK]         ./testcases/transactions/0022rule_1
+I: [OK]         ./testcases/transactions/0015chain_0
+I: [OK]         ./testcases/transactions/0023rule_1
+I: [OK]         ./testcases/transactions/0030set_0
+I: [OK]         ./testcases/transactions/0025rule_0
+I: [OK]         ./testcases/transactions/0024rule_0
+I: [OK]         ./testcases/transactions/0031set_0
+I: [OK]         ./testcases/transactions/0032set_0
+I: [OK]         ./testcases/transactions/0033set_0
+I: [OK]         ./testcases/transactions/0034set_0
+I: [OK]         ./testcases/transactions/0035set_0
+I: [OK]         ./testcases/transactions/0036set_1
+I: [OK]         ./testcases/transactions/0037set_0
+I: [OK]         ./testcases/transactions/0038set_0
+I: [OK]         ./testcases/transactions/0039set_0
+I: [OK]         ./testcases/sets/0068interval_stack_overflow_0
+I: [OK]         ./testcases/transactions/0041nat_restore_0
+I: [OK]         ./testcases/transactions/0042_stateful_expr_0
+I: [OK]         ./testcases/transactions/0040set_0
+I: [OK]         ./testcases/transactions/0043set_1
+I: [OK]         ./testcases/transactions/0044rule_0
+I: [OK]         ./testcases/transactions/0045anon-unbind_0
+I: [OK]         ./testcases/transactions/0046set_0
+I: [OK]         ./testcases/transactions/0047set_0
+I: [OK]         ./testcases/transactions/0048helpers_0
+I: [OK]         ./testcases/transactions/0050rule_1
+I: [OK]         ./testcases/transactions/anon_chain_loop
+I: [OK]         ./testcases/transactions/bad_expression
+I: [OK]         ./testcases/sets/sets_with_ifnames
+I: [OK]         ./testcases/transactions/0049huge_0
+I: [OK]         ./testcases/transactions/0051map_0
+I: [OK]         ./testcases/transactions/30s-stress
+I: [OK]         ./testcases/sets/0043concatenated_ranges_1
+I: [OK]         ./testcases/maps/vmap_timeout
+I: [OK]         ./testcases/sets/automerge_0
+I: [OK]         ./testcases/sets/0044interval_overlap_1
+I: [OK]         ./testcases/sets/0044interval_overlap_0
+I: [OK]         ./testcases/sets/0043concatenated_ranges_0
+
+I: results: [OK] 373 [SKIPPED] 0 [FAILED] 0 [TOTAL] 373
diff --git a/tests/shell/overlap-interval.txt b/tests/shell/overlap-interval.txt
new file mode 100644
index 0000000..578c7f8
--- /dev/null
+++ b/tests/shell/overlap-interval.txt
@@ -0,0 +1,430 @@
+testcases/transactions/0050rule_1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+Error: Could not process rule: File exists
+add element t s {  0 -  2 }
+                   ^^^^^^
+Failed to insert  0 -  2 given:
+table ip t {
+	set s {
+		type inet_service
+		flags interval,timeout
+		timeout 1m22s
+		gc-interval 1m22s
+	}
+
+	set c {
+		type inet_service . inet_service
+		flags interval,timeout
+		timeout 1m22s
+		gc-interval 1m22s
+	}
+}
+
+I: results: [OK] 0 [FAILED] 1 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+Error: Could not process rule: File exists
+add element t s {  0 -  2 }
+                   ^^^^^^
+Failed to insert  0 -  2 given:
+table ip t {
+	set s {
+		type inet_service
+		flags interval,timeout
+		timeout 1m22s
+		gc-interval 1m22s
+	}
+
+	set c {
+		type inet_service . inet_service
+		flags interval,timeout
+		timeout 1m22s
+		gc-interval 1m22s
+	}
+}
+
+I: results: [OK] 0 [FAILED] 1 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
+I: [OK]		testcases/sets/0044interval_overlap_0
+
+I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	testcases/sets/0044interval_overlap_0
diff --git a/tests/shell/run-tests-kmemleak.sh b/tests/shell/run-tests-kmemleak.sh
new file mode 100644
index 0000000..16e6cfd
--- /dev/null
+++ b/tests/shell/run-tests-kmemleak.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+rm -f leak.txt
+
+cat x | while read line
+do
+	echo "running $line..."
+	sh -c 'echo clear > /sys/kernel/debug/kmemleak'
+	./run-tests.sh $line
+	echo "... checking for leaks"
+	sh -c 'echo scan > /sys/kernel/debug/kmemleak'
+	LINES=`cat /sys/kernel/debug/kmemleak | grep nfnetlink | wc -l | cut -d' ' -f 1`
+	echo $LINES
+	if [ $LINES -ne 0 ]
+	then
+		echo "POSSIBLE LEAK!!!!!!!!!"
+		echo "$line" >> leak.txt
+	fi
+done
diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh
new file mode 100755
index 0000000..22105c2
--- /dev/null
+++ b/tests/shell/run-tests.sh
@@ -0,0 +1,945 @@
+#!/bin/bash
+
+unset LANGUAGE
+export LANG=C
+export LC_ALL=C
+
+GREEN=""
+YELLOW=""
+RED=""
+RESET=""
+if [ -z "$NO_COLOR" ] ; then
+	if [ -n "$CLICOLOR_FORCE" ] || [[ -t 1 ]] ; then
+		# See https://bixense.com/clicolors/ . We only check isatty() on
+		# file descriptor 1, to decide whether colorizing happens (although,
+		# we might also colorize on other places/FDs).
+		GREEN=$'\e[32m'
+		YELLOW=$'\e[33m'
+		RED=$'\e[31m'
+		RESET=$'\e[0m'
+	fi
+fi
+
+array_contains() {
+	local needle="$1"
+	local a
+	shift
+	for a; do
+		[ "$a" = "$needle" ] && return 0
+	done
+	return 1
+}
+
+colorize_keywords() {
+	local out_variable="$1"
+	local color="$2"
+	local val="$3"
+	local val2
+	shift 3
+
+	printf -v val2 '%q' "$val"
+	array_contains "$val" "$@" && val2="$color$val2$RESET"
+	printf -v "$out_variable" '%s' "$val2"
+}
+
+strtonum() {
+	local s="$1"
+	local n
+	local n2
+
+	re='^[[:space:]]*([0-9]+)[[:space:]]*$'
+	if [[ "$s" =~ $re ]] ; then
+		n="${BASH_REMATCH[1]}"
+		if [ "$(( n + 0 ))" = "$n" ] ; then
+			echo "$n"
+			return 0
+		fi
+	fi
+	re='^[[:space:]]*0x([0-9a-fA-F]+)[[:space:]]*$'
+	if [[ "$s" =~ $re ]] ; then
+		n="${BASH_REMATCH[1]}"
+		n2="$(( 16#$n + 0 ))"
+		if [ "$n2" = "$(printf '%d' "0x$n" 2>/dev/null)" ] ; then
+			echo "$n2"
+			return 0
+		fi
+	fi
+	return 1
+}
+
+_msg() {
+	local level="$1"
+	shift
+
+	if [ "$level" = E ] ; then
+		printf '%s\n' "$RED$level$RESET: $*"
+	elif [ "$level" = W ] ; then
+		printf '%s\n' "$YELLOW$level$RESET: $*"
+	else
+		printf '%s\n' "$level: $*"
+	fi
+	if [ "$level" = E ] ; then
+		exit 1
+	fi
+}
+
+msg_error() {
+	_msg E "$@"
+}
+
+msg_warn() {
+	_msg W "$@"
+}
+
+msg_info() {
+	_msg I "$@"
+}
+
+align_text() {
+	local _OUT_VARNAME="$1"
+	local _LEFT_OR_RIGHT="$2"
+	local _INDENT="$3"
+	shift 3
+	local _text="$*"
+	local _text_plain
+	local _text_align
+	local _text_result
+	local _i
+
+	# This function is needed, because "$text" might contain color escape
+	# sequences. A plain `printf '%12s' "$text"` will not align properly.
+
+	# strip escape sequences
+	_text_plain="${_text//$'\e['[0-9]m/}"
+	_text_plain="${_text_plain//$'\e['[0-9][0-9]m/}"
+
+	_text_align=""
+	for (( _i = "${#_text_plain}" ; "$_i" < "$_INDENT" ; _i++ )) ; do
+		_text_align="$_text_align "
+	done
+
+	if [ "$_LEFT_OR_RIGHT" = left ] ; then
+		_text_result="$(printf "%s$_text_align-" "$_text")"
+	else
+		_text_result="$(printf "$_text_align%s-" "$_text")"
+	fi
+	_text_result="${_text_result%-}"
+
+	eval "$_OUT_VARNAME=\"\$_text_result\""
+}
+
+bool_n() {
+	case "$1" in
+		n|N|no|No|NO|0|false|False|FALSE)
+			printf n
+			;;
+		*)
+			printf y
+			;;
+	esac
+}
+
+bool_y() {
+	case "$1" in
+		y|Y|yes|Yes|YES|1|true|True|TRUE)
+			printf y
+			;;
+		*)
+			printf n
+			;;
+	esac
+}
+
+usage() {
+	echo " $0 [OPTIONS] [TESTS...]"
+	echo
+	echo "OPTIONS:"
+	echo " -h|--help       : Print usage."
+	echo " -L|--list-tests : List test names and quit."
+	echo " -v              : Sets VERBOSE=y."
+	echo " -g              : Sets DUMPGEN=y."
+	echo " -V              : Sets VALGRIND=y."
+	echo " -K              : Sets KMEMLEAK=y."
+	echo " -R|--without-realroot : Sets NFT_TEST_HAS_REALROOT=n."
+	echo " -U|--no-unshare : Sets NFT_TEST_UNSHARE_CMD=\"\"."
+	echo " -k|--keep-logs  : Sets NFT_TEST_KEEP_LOGS=y."
+	echo " -s|--sequential : Sets NFT_TEST_JOBS=0, which also enables global cleanups."
+	echo "                   Also sets NFT_TEST_SHUFFLE_TESTS=n if left unspecified."
+	echo " -Q|--quick      : Sets NFT_TEST_SKIP_slow=y."
+	echo " -S|--setup-host : Modify the host to run as rootless. Otherwise, some tests will be"
+	echo "                   skipped. Basically, this bumps /proc/sys/net/core/{wmem_max,rmem_max}."
+	echo "                   Must run as root and this option must be specified alone."
+	echo " --              : Separate options from tests."
+	echo " [TESTS...]      : Other options are treated as test names,"
+	echo "                   that is, executables that are run by the runner."
+	echo
+	echo "ENVIRONMENT VARIABLES:"
+	echo " NFT=<CMD>     : Path to nft executable. Will be called as \`\$NFT [...]\` so"
+	echo "                 it can be a command with parameters. Note that in this mode quoting"
+	echo "                 does not work, so the usage is limited and the command cannot contain"
+	echo "                 spaces."
+	echo " NFT_REAL=<CMD> : Real nft comand. Usually this is just the same as \$NFT,"
+	echo "                 however, you may set NFT='valgrind nft' and NFT_REAL to the real command."
+	echo " VERBOSE=*|y   : Enable verbose output."
+	echo " DUMPGEN=*|y   : Regenerate dump files. Dump files are only recreated if the"
+	echo "                 test completes successfully and the \"dumps\" directory for the"
+	echo "                 test exits."
+	echo " VALGRIND=*|y  : Run \$NFT in valgrind."
+	echo " KMEMLEAK=*|y  : Check for kernel memleaks."
+	echo " NFT_TEST_HAS_REALROOT=*|y : To indicate whether the test has real root permissions."
+	echo "                 Usually, you don't need this and it gets autodetected."
+	echo "                 You might want to set it, if you know better than the"
+	echo "                 \`id -u\` check, whether the user is root in the main namespace."
+	echo "                 Note that without real root, certain tests may not work,"
+	echo "                 e.g. due to limited /proc/sys/net/core/{wmem_max,rmem_max}."
+	echo "                 Checks that cannot pass in such environment should check for"
+	echo "                 [ \"\$NFT_TEST_HAS_REALROOT\" != y ] and skip gracefully."
+	echo " NFT_TEST_HAS_SOCKET_LIMITS=*|n : some tests will fail if /proc/sys/net/core/{wmem_max,rmem_max} is"
+	echo "                 too small. When running as real root, then test can override those limits. However,"
+	echo "                 with rootless the test would fail. Tests will check for [ "\$NFT_TEST_HAS_SOCKET_LIMITS" = y ]"
+	echo "                 and skip. You may set NFT_TEST_HAS_SOCKET_LIMITS=n if you ensure those limits are"
+	echo "                 suitable to run the test rootless. Otherwise will be autodetected."
+	echo "                 Set /proc/sys/net/core/{wmem_max,rmem_max} to at least 4MB to get them to pass automatically."
+	echo " NFT_TEST_UNSHARE_CMD=cmd : when set, this is the command line for an unshare"
+	echo "                 command, which is used to sandbox each test invocation. By"
+	echo "                 setting it to empty, no unsharing is done."
+	echo "                 By default it is unset, in which case it's autodetected as"
+	echo "                 \`unshare -f -p\` (for root) or as \`unshare -f -p --mount-proc -U --map-root-user -n\`"
+	echo "                 for non-root."
+	echo "                 When setting this, you may also want to set NFT_TEST_HAS_UNSHARED=,"
+	echo "                 NFT_TEST_HAS_REALROOT= and NFT_TEST_HAS_UNSHARED_MOUNT= accordingly."
+	echo " NFT_TEST_HAS_UNSHARED=*|y : To indicate to the test whether the test run will be unshared."
+	echo "                 Test may consider this."
+	echo "                 This is only honored when \$NFT_TEST_UNSHARE_CMD= is set. Otherwise it's detected."
+	echo " NFT_TEST_HAS_UNSHARED_MOUNT=*|y : To indicate to the test whether the test run will have a private"
+	echo "                 mount namespace."
+	echo "                 This is only honored when \$NFT_TEST_UNSHARE_CMD= is set. Otherwise it's detected."
+	echo " NFT_TEST_KEEP_LOGS=*|y: Keep the temp directory. On success, it will be deleted by default."
+	echo " NFT_TEST_JOBS=<NUM}>: number of jobs for parallel execution. Defaults to \"\$(nproc)*1.5\" for parallel run."
+	echo "                 Setting this to \"0\" or \"1\", means to run jobs sequentially."
+	echo "                 Setting this to \"0\" means also to perform global cleanups between tests (remove"
+	echo "                 kernel modules)."
+	echo "                 Parallel jobs requires unshare and are disabled with NFT_TEST_UNSHARE_CMD=\"\"."
+	echo " NFT_TEST_FAIL_ON_SKIP=*|y: if any jobs are skipped, exit with error."
+	echo " NFT_TEST_RANDOM_SEED=<SEED>: The test runner will export the environment variable NFT_TEST_RANDOM_SEED"
+	echo "                 set to a random number. This can be used as a stable seed for tests to randomize behavior."
+	echo "                 Set this to a fixed value to get reproducible behavior."
+	echo " NFT_TEST_SHUFFLE_TESTS=*|n|y: control whether to randomly shuffle the order of tests. By default, if"
+	echo "                 tests are specified explicitly, they are not shuffled while they are shuffled when"
+	echo "                 all tests are run. The shuffling is based on NFT_TEST_RANDOM_SEED."
+	echo " TMPDIR=<PATH> : select a different base directory for the result data."
+	echo
+	echo " NFT_TEST_HAVE_<FEATURE>=*|y: Some tests requires certain features or will be skipped."
+	echo "                 The features are autodetected, but you can force it by setting the variable."
+	echo "                 Supported <FEATURE>s are: ${_HAVE_OPTS[@]}."
+	echo " NFT_TEST_SKIP_<OPTION>=*|y: if set, certain tests are skipped."
+	echo "                 Supported <OPTION>s are: ${_SKIP_OPTS[@]}."
+}
+
+NFT_TEST_BASEDIR="$(dirname "$0")"
+
+# Export the base directory. It may be used by tests.
+export NFT_TEST_BASEDIR
+
+_HAVE_OPTS=()
+shopt -s nullglob
+F=( "$NFT_TEST_BASEDIR/features/"*.nft "$NFT_TEST_BASEDIR/features/"*.sh )
+shopt -u nullglob
+for file in "${F[@]}"; do
+	feat="${file##*/}"
+	feat="${feat%.*}"
+	re="^[a-z_0-9]+$"
+	if [[ "$feat" =~ $re ]] && ! array_contains "$feat" "${_HAVE_OPTS[@]}" && [[ "$file" != *.sh || -x "$file" ]] ; then
+		_HAVE_OPTS+=( "$feat" )
+	else
+		msg_warn "Ignore feature file \"$file\""
+	fi
+done
+_HAVE_OPTS=( $(printf '%s\n' "${_HAVE_OPTS[@]}" | sort) )
+
+for KEY in $(compgen -v | grep '^NFT_TEST_HAVE_' | sort) ; do
+	if ! array_contains "${KEY#NFT_TEST_HAVE_}" "${_HAVE_OPTS[@]}" ; then
+		unset "$KEY"
+	fi
+done
+
+_SKIP_OPTS=( slow )
+for KEY in $(compgen -v | grep '^NFT_TEST_SKIP_' | sort) ; do
+	if ! array_contains "${KEY#NFT_TEST_SKIP_}" "${_SKIP_OPTS[@]}" ; then
+		unset "$KEY"
+	fi
+done
+
+_NFT_TEST_JOBS_DEFAULT="$(nproc)"
+[ "$_NFT_TEST_JOBS_DEFAULT" -gt 0 ] 2>/dev/null || _NFT_TEST_JOBS_DEFAULT=1
+_NFT_TEST_JOBS_DEFAULT="$(( _NFT_TEST_JOBS_DEFAULT + (_NFT_TEST_JOBS_DEFAULT + 1) / 2 ))"
+
+VERBOSE="$(bool_y "$VERBOSE")"
+DUMPGEN="$(bool_y "$DUMPGEN")"
+VALGRIND="$(bool_y "$VALGRIND")"
+KMEMLEAK="$(bool_y "$KMEMLEAK")"
+NFT_TEST_KEEP_LOGS="$(bool_y "$NFT_TEST_KEEP_LOGS")"
+NFT_TEST_HAS_REALROOT="$NFT_TEST_HAS_REALROOT"
+NFT_TEST_JOBS="${NFT_TEST_JOBS:-$_NFT_TEST_JOBS_DEFAULT}"
+NFT_TEST_FAIL_ON_SKIP="$(bool_y "$NFT_TEST_FAIL_ON_SKIP")"
+NFT_TEST_RANDOM_SEED="$NFT_TEST_RANDOM_SEED"
+NFT_TEST_SHUFFLE_TESTS="$NFT_TEST_SHUFFLE_TESTS"
+NFT_TEST_SKIP_slow="$(bool_y "$NFT_TEST_SKIP_slow")"
+DO_LIST_TESTS=
+
+if [ -z "$NFT_TEST_RANDOM_SEED" ] ; then
+	# Choose a random value.
+	n="$SRANDOM"
+else
+	# Parse as number.
+	n="$(strtonum "$NFT_TEST_RANDOM_SEED")"
+	if [ -z "$n" ] ; then
+		# If not a number, pick a hash based on the SHA-sum of the seed.
+		n="$(printf "%d" "0x$(sha256sum <<<"NFT_TEST_RANDOM_SEED:$NFT_TEST_RANDOM_SEED" | sed -n '1 { s/^\(........\).*/\1/p }')")"
+	fi
+fi
+# Limit a 31 bit decimal so tests can rely on this being in a certain
+# restricted form.
+NFT_TEST_RANDOM_SEED="$(( $n % 0x80000000 ))"
+export NFT_TEST_RANDOM_SEED
+
+TESTS=()
+
+SETUP_HOST=
+SETUP_HOST_OTHER=
+
+ARGV_ORIG=( "$@" )
+
+while [ $# -gt 0 ] ; do
+	A="$1"
+	shift
+	case "$A" in
+		-S|--setup-host)
+			;;
+		*)
+			SETUP_HOST_OTHER=y
+			;;
+	esac
+	case "$A" in
+		-S|--setup-host)
+			SETUP_HOST="$A"
+			;;
+		-v)
+			VERBOSE=y
+			;;
+		-g)
+			DUMPGEN=y
+			;;
+		-V)
+			VALGRIND=y
+			;;
+		-K)
+			KMEMLEAK=y
+			;;
+		-h|--help)
+			usage
+			exit 0
+			;;
+		-k|--keep-logs)
+			NFT_TEST_KEEP_LOGS=y
+			;;
+		-L|--list-tests)
+			DO_LIST_TESTS=y
+			;;
+		-R|--without-realroot)
+			NFT_TEST_HAS_REALROOT=n
+			;;
+		-U|--no-unshare)
+			NFT_TEST_UNSHARE_CMD=
+			;;
+		-s|--sequential)
+			NFT_TEST_JOBS=0
+			if [ -z "$NFT_TEST_SHUFFLE_TESTS" ] ; then
+				NFT_TEST_SHUFFLE_TESTS=n
+			fi
+			;;
+		-Q|--quick)
+			NFT_TEST_SKIP_slow=y
+			;;
+		--)
+			TESTS+=( "$@" )
+			shift $#
+			;;
+		*)
+			TESTS+=( "$A" )
+			;;
+	esac
+done
+
+sysctl_bump() {
+	local sysctl="$1"
+	local val="$2"
+	local cur;
+
+	cur="$(cat "$sysctl" 2>/dev/null)" || :
+	if [ -n "$cur" -a "$cur" -ge "$val" ] ; then
+		echo "# Skip: echo $val > $sysctl (current value $cur)"
+		return 0
+	fi
+	echo "    echo $val > $sysctl (previous value $cur)"
+	echo "$val" > "$sysctl"
+}
+
+setup_host() {
+	echo "Setting up host for running as rootless (requires root)."
+	sysctl_bump /proc/sys/net/core/rmem_max $((4000*1024)) || return $?
+	sysctl_bump /proc/sys/net/core/wmem_max $((4000*1024)) || return $?
+}
+
+if [ -n "$SETUP_HOST" ] ; then
+	if [ "$SETUP_HOST_OTHER" = y ] ; then
+		msg_error "The $SETUP_HOST option must be specified alone."
+	fi
+	setup_host
+	exit $?
+fi
+
+find_tests() {
+	find "$1" -type f -executable | sort
+}
+
+if [ "${#TESTS[@]}" -eq 0 ] ; then
+	d="$NFT_TEST_BASEDIR/testcases/"
+	d="${d#./}"
+	TESTS=( $(find_tests "$d") )
+	test "${#TESTS[@]}" -gt 0 || msg_error "Could not find tests"
+	if [ -z "$NFT_TEST_SHUFFLE_TESTS" ] ; then
+		NFT_TEST_SHUFFLE_TESTS=y
+	fi
+fi
+
+TESTSOLD=( "${TESTS[@]}" )
+TESTS=()
+for t in "${TESTSOLD[@]}" ; do
+	if [ -f "$t" -a -x "$t" ] ; then
+		TESTS+=( "$t" )
+	elif [ -d "$t" ] ; then
+		TESTS+=( $(find_tests "$t") )
+	else
+		msg_error "Unknown test \"$t\""
+	fi
+done
+
+NFT_TEST_SHUFFLE_TESTS="$(bool_y "$NFT_TEST_SHUFFLE_TESTS")"
+
+if [ "$DO_LIST_TESTS" = y ] ; then
+	printf '%s\n' "${TESTS[@]}"
+	exit 0
+fi
+
+START_TIME="$(cut -d ' ' -f1 /proc/uptime)"
+
+_TMPDIR="${TMPDIR:-/tmp}"
+
+# Export the orignal TMPDIR for the tests. "test-wrapper.sh" sets TMPDIR to
+# NFT_TEST_TESTTMPDIR, so that temporary files are placed along side the
+# test data. In some cases, we may want to know the original TMPDIR.
+export NFT_TEST_TMPDIR_ORIG="$_TMPDIR"
+
+if [ "$NFT_TEST_HAS_REALROOT" = "" ] ; then
+	# The caller didn't set NFT_TEST_HAS_REALROOT and didn't specify
+	# -R/--without-root option. Autodetect it based on `id -u`.
+	export NFT_TEST_HAS_REALROOT="$(test "$(id -u)" = "0" && echo y || echo n)"
+else
+	NFT_TEST_HAS_REALROOT="$(bool_y "$NFT_TEST_HAS_REALROOT")"
+fi
+export NFT_TEST_HAS_REALROOT
+
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = "" ] ; then
+	if [ "$NFT_TEST_HAS_REALROOT" = y ] ; then
+		NFT_TEST_HAS_SOCKET_LIMITS=n
+	elif [ "$(cat /proc/sys/net/core/wmem_max 2>/dev/null)" -ge $((4000*1024)) ] 2>/dev/null && \
+	     [ "$(cat /proc/sys/net/core/rmem_max 2>/dev/null)" -ge $((4000*1024)) ] 2>/dev/null ; then
+		NFT_TEST_HAS_SOCKET_LIMITS=n
+	else
+		NFT_TEST_HAS_SOCKET_LIMITS=y
+	fi
+else
+	NFT_TEST_HAS_SOCKET_LIMITS="$(bool_n "$NFT_TEST_HAS_SOCKET_LIMITS")"
+fi
+export NFT_TEST_HAS_SOCKET_LIMITS
+
+detect_unshare() {
+	if ! $1 true &>/dev/null ; then
+		return 1
+	fi
+	NFT_TEST_UNSHARE_CMD="$1"
+	return 0
+}
+
+if [ -n "${NFT_TEST_UNSHARE_CMD+x}" ] ; then
+	# User overrides the unshare command.
+	if ! detect_unshare "$NFT_TEST_UNSHARE_CMD" ; then
+		msg_error "Cannot unshare via NFT_TEST_UNSHARE_CMD=$(printf '%q' "$NFT_TEST_UNSHARE_CMD")"
+	fi
+	if [ -z "${NFT_TEST_HAS_UNSHARED+x}" ] ; then
+		# Autodetect NFT_TEST_HAS_UNSHARED based one whether
+		# $NFT_TEST_UNSHARE_CMD is set.
+		if [ -n "$NFT_TEST_UNSHARE_CMD" ] ; then
+			NFT_TEST_HAS_UNSHARED="y"
+		else
+			NFT_TEST_HAS_UNSHARED="n"
+		fi
+	else
+		NFT_TEST_HAS_UNSHARED="$(bool_y "$NFT_TEST_HAS_UNSHARED")"
+	fi
+	if [ -z "${NFT_TEST_HAS_UNSHARED_MOUNT+x}" ] ; then
+		NFT_TEST_HAS_UNSHARED_MOUNT=n
+		if [ "$NFT_TEST_HAS_UNSHARED" == y ] ; then
+			case "$NFT_TEST_UNSHARE_CMD" in
+				unshare*-m*|unshare*--mount-proc*)
+					NFT_TEST_HAS_UNSHARED_MOUNT=y
+					;;
+			esac
+		fi
+	else
+		NFT_TEST_HAS_UNSHARED_MOUNT="$(bool_y "$NFT_TEST_HAS_UNSHARED_MOUNT")"
+	fi
+else
+	NFT_TEST_HAS_UNSHARED_MOUNT=n
+	if [ "$NFT_TEST_HAS_REALROOT" = y ] ; then
+		# We appear to have real root. So try to unshare
+		# without a separate USERNS. CLONE_NEWUSER will break
+		# tests that are limited by
+		# /proc/sys/net/core/{wmem_max,rmem_max}. With real
+		# root, we want to test that.
+		if detect_unshare "unshare -f -n -m" ; then
+			NFT_TEST_HAS_UNSHARED_MOUNT=y
+		else
+			detect_unshare "unshare -f -n" ||
+			detect_unshare "unshare -f -p -m --mount-proc -U --map-root-user -n" ||
+			detect_unshare "unshare -f -U --map-root-user -n"
+		fi
+	else
+		if detect_unshare "unshare -f -p -m --mount-proc -U --map-root-user -n" ; then
+			NFT_TEST_HAS_UNSHARED_MOUNT=y
+		else
+			detect_unshare "unshare -f -U --map-root-user -n"
+		fi
+	fi
+	if [ -z "$NFT_TEST_UNSHARE_CMD" ] ; then
+		msg_error "Unshare does not work. Run as root with -U/--no-unshare or set NFT_TEST_UNSHARE_CMD"
+	fi
+	NFT_TEST_HAS_UNSHARED=y
+fi
+# If tests wish, they can know whether they are unshared via this variable.
+export NFT_TEST_HAS_UNSHARED
+export NFT_TEST_HAS_UNSHARED_MOUNT
+
+# normalize the jobs number to be an integer.
+case "$NFT_TEST_JOBS" in
+	''|*[!0-9]*) NFT_TEST_JOBS=_NFT_TEST_JOBS_DEFAULT ;;
+esac
+if [ -z "$NFT_TEST_UNSHARE_CMD" -a "$NFT_TEST_JOBS" -gt 1 ] ; then
+	NFT_TEST_JOBS=1
+fi
+
+[ -z "$NFT" ] && NFT="$NFT_TEST_BASEDIR/../../src/nft"
+${NFT} > /dev/null 2>&1
+ret=$?
+if [ ${ret} -eq 126 ] || [ ${ret} -eq 127 ]; then
+	msg_error "cannot execute nft command: $NFT"
+fi
+
+NFT_REAL="${NFT_REAL-$NFT}"
+
+feature_probe()
+{
+	local with_path="$NFT_TEST_BASEDIR/features/$1"
+
+	if [ -r "$with_path.nft" ] ; then
+		$NFT_TEST_UNSHARE_CMD "$NFT_REAL" --check -f "$with_path.nft" &>/dev/null
+		return $?
+	fi
+
+	if [ -x "$with_path.sh" ] ; then
+		NFT="$NFT_REAL" $NFT_TEST_UNSHARE_CMD "$with_path.sh" &>/dev/null
+		return $?
+	fi
+
+	return 1
+}
+
+for feat in "${_HAVE_OPTS[@]}" ; do
+	var="NFT_TEST_HAVE_$feat"
+	if [ -z "${!var+x}" ] ; then
+		val='y'
+		feature_probe "$feat" || val='n'
+	else
+		val="$(bool_n "${!var}")"
+	fi
+	eval "export $var=$val"
+done
+
+if [ "$NFT_TEST_JOBS" -eq 0 ] ; then
+	MODPROBE="$(which modprobe)"
+	if [ ! -x "$MODPROBE" ] ; then
+		msg_error "no modprobe binary found"
+	fi
+fi
+
+DIFF="$(which diff)"
+if [ ! -x "$DIFF" ] ; then
+	DIFF=true
+fi
+
+declare -A JOBS_PIDLIST
+
+_NFT_TEST_VALGRIND_VGDB_PREFIX=
+
+cleanup_on_exit() {
+	pids_search=''
+	for pid in "${!JOBS_PIDLIST[@]}" ; do
+		kill -- "-$pid" &>/dev/null
+		pids_search="$pids_search\\|\\<$pid\\>"
+	done
+	if [ -n "$pids_search" ] ; then
+		pids_search="${pids_search:2}"
+		for i in {1..100}; do
+			ps xh -o pgrp | grep -q "$pids_search" || break
+			sleep 0.01
+		done
+	fi
+	if [ "$NFT_TEST_KEEP_LOGS" != y -a -n "$NFT_TEST_TMPDIR" ] ; then
+		rm -rf "$NFT_TEST_TMPDIR"
+	fi
+	if [ -n "$_NFT_TEST_VALGRIND_VGDB_PREFIX" ] ; then
+		rm -rf "$_NFT_TEST_VALGRIND_VGDB_PREFIX"* &>/dev/null
+	fi
+}
+
+trap 'exit 130' SIGINT
+trap 'exit 143' SIGTERM
+trap 'rc=$?; cleanup_on_exit; exit $rc' EXIT
+
+TIMESTAMP=$(date '+%Y%m%d-%H%M%S.%3N')
+NFT_TEST_TMPDIR="$(mktemp --tmpdir="$_TMPDIR" -d "nft-test.$TIMESTAMP$NFT_TEST_TMPDIR_TAG.XXXXXX")" ||
+	msg_error "Failure to create temp directory in \"$_TMPDIR\""
+chmod 755 "$NFT_TEST_TMPDIR"
+
+exec &> >(tee "$NFT_TEST_TMPDIR/test.log")
+
+msg_info "conf: NFT=$(printf '%q' "$NFT")"
+msg_info "conf: NFT_REAL=$(printf '%q' "$NFT_REAL")"
+msg_info "conf: VERBOSE=$(printf '%q' "$VERBOSE")"
+msg_info "conf: DUMPGEN=$(printf '%q' "$DUMPGEN")"
+msg_info "conf: VALGRIND=$(printf '%q' "$VALGRIND")"
+msg_info "conf: KMEMLEAK=$(printf '%q' "$KMEMLEAK")"
+msg_info "conf: NFT_TEST_HAS_REALROOT=$(printf '%q' "$NFT_TEST_HAS_REALROOT")"
+colorize_keywords value "$YELLOW" "$NFT_TEST_HAS_SOCKET_LIMITS" y
+msg_info "conf: NFT_TEST_HAS_SOCKET_LIMITS=$value"
+msg_info "conf: NFT_TEST_UNSHARE_CMD=$(printf '%q' "$NFT_TEST_UNSHARE_CMD")"
+msg_info "conf: NFT_TEST_HAS_UNSHARED=$(printf '%q' "$NFT_TEST_HAS_UNSHARED")"
+msg_info "conf: NFT_TEST_HAS_UNSHARED_MOUNT=$(printf '%q' "$NFT_TEST_HAS_UNSHARED_MOUNT")"
+msg_info "conf: NFT_TEST_KEEP_LOGS=$(printf '%q' "$NFT_TEST_KEEP_LOGS")"
+msg_info "conf: NFT_TEST_JOBS=$NFT_TEST_JOBS"
+msg_info "conf: NFT_TEST_FAIL_ON_SKIP=$NFT_TEST_FAIL_ON_SKIP"
+msg_info "conf: NFT_TEST_RANDOM_SEED=$NFT_TEST_RANDOM_SEED"
+msg_info "conf: NFT_TEST_SHUFFLE_TESTS=$NFT_TEST_SHUFFLE_TESTS"
+msg_info "conf: TMPDIR=$(printf '%q' "$_TMPDIR")"
+echo
+for KEY in $(compgen -v | grep '^NFT_TEST_SKIP_' | sort) ; do
+	colorize_keywords value "$YELLOW" "${!KEY}" y
+	msg_info "conf: $KEY=$value"
+	export "$KEY"
+done
+for KEY in $(compgen -v | grep '^NFT_TEST_HAVE_' | sort) ; do
+	colorize_keywords value "$YELLOW" "${!KEY}" n
+	msg_info "conf: $KEY=$value"
+	export "$KEY"
+done
+
+NFT_TEST_LATEST="$_TMPDIR/nft-test.latest.$USER"
+
+ln -snf "$NFT_TEST_TMPDIR" "$NFT_TEST_LATEST"
+
+# export the tmp directory for tests. They may use it, but create distinct
+# files! On success, it will be deleted on EXIT. See also "--keep-logs"
+export NFT_TEST_TMPDIR
+
+echo
+msg_info "info: NFT_TEST_BASEDIR=$(printf '%q' "$NFT_TEST_BASEDIR")"
+msg_info "info: NFT_TEST_TMPDIR=$(printf '%q' "$NFT_TEST_TMPDIR")"
+
+if [ "$VALGRIND" == "y" ]; then
+	NFT="$NFT_TEST_BASEDIR/helpers/nft-valgrind-wrapper.sh"
+	msg_info "info: NFT=$(printf '%q' "$NFT")"
+	_NFT_TEST_VALGRIND_VGDB_PREFIX="$NFT_TEST_TMPDIR_ORIG/vgdb-pipe-nft-test-$TIMESTAMP.$$.$RANDOM"
+	export _NFT_TEST_VALGRIND_VGDB_PREFIX
+fi
+
+kernel_cleanup() {
+	if [ "$NFT_TEST_JOBS" -ne 0 ] ; then
+		# When we run jobs in parallel (even with only one "parallel"
+		# job via `NFT_TEST_JOBS=1`), we skip such global cleanups.
+		return
+	fi
+	if [ "$NFT_TEST_HAS_UNSHARED" != y ] ; then
+		$NFT flush ruleset
+	fi
+	$MODPROBE -raq \
+	nft_reject_ipv4 nft_reject_bridge nft_reject_ipv6 nft_reject \
+	nft_redir_ipv4 nft_redir_ipv6 nft_redir \
+	nft_dup_ipv4 nft_dup_ipv6 nft_dup nft_nat \
+	nft_masq_ipv4 nft_masq_ipv6 nft_masq \
+	nft_exthdr nft_payload nft_cmp nft_range \
+	nft_quota nft_queue nft_numgen nft_osf nft_socket nft_tproxy \
+	nft_meta nft_meta_bridge nft_counter nft_log nft_limit \
+	nft_fib nft_fib_ipv4 nft_fib_ipv6 nft_fib_inet \
+	nft_hash nft_ct nft_compat nft_rt nft_objref \
+	nft_set_hash nft_set_rbtree nft_set_bitmap \
+	nft_synproxy nft_connlimit \
+	nft_chain_nat \
+	nft_chain_route_ipv4 nft_chain_route_ipv6 \
+	nft_dup_netdev nft_fwd_netdev \
+	nft_reject nft_reject_inet nft_reject_netdev \
+	nf_tables_set nf_tables \
+	nf_flow_table nf_flow_table_ipv4 nf_flow_tables_ipv6 \
+	nf_flow_table_inet nft_flow_offload \
+	nft_xfrm
+}
+
+echo ""
+ok=0
+skipped=0
+failed=0
+
+kmem_runs=0
+kmemleak_found=0
+
+check_kmemleak_force()
+{
+	test -f /sys/kernel/debug/kmemleak || return 0
+
+	echo scan > /sys/kernel/debug/kmemleak
+
+	lines=$(grep "unreferenced object" /sys/kernel/debug/kmemleak | wc -l)
+	if [ $lines -ne $kmemleak_found ];then
+		msg_warn "[FAILED]	kmemleak detected $lines memory leaks"
+		kmemleak_found=$lines
+	fi
+
+	if [ $lines -ne 0 ];then
+		return 1
+	fi
+
+	return 0
+}
+
+check_kmemleak()
+{
+	test -f /sys/kernel/debug/kmemleak || return
+
+	if [ "$KMEMLEAK" == "y" ] ; then
+		check_kmemleak_force
+		return
+	fi
+
+	kmem_runs=$((kmem_runs + 1))
+	if [ $((kmem_runs % 30)) -eq 0 ]; then
+		# scan slows tests down quite a bit, hence
+		# do this only for every 30th test file by
+		# default.
+		check_kmemleak_force
+	fi
+}
+
+read kernel_tainted < /proc/sys/kernel/tainted
+if [ "$kernel_tainted" -ne 0 ] ; then
+	msg_warn "kernel is tainted"
+	echo
+fi
+
+print_test_header() {
+	local msglevel="$1"
+	local testfile="$2"
+	local testidx_completed="$3"
+	local status="$4"
+	local text
+	local s_idx
+
+	s_idx="${#TESTS[@]}"
+	align_text text right "${#s_idx}" "$testidx_completed"
+	s_idx="$text/${#TESTS[@]}"
+
+	align_text text left 12 "[$status]"
+	_msg "$msglevel" "$text $s_idx $testfile"
+}
+
+print_test_result() {
+	local NFT_TEST_TESTTMPDIR="$1"
+	local testfile="$2"
+	local rc_got="$3"
+
+	local result_msg_level="I"
+	local result_msg_files=( "$NFT_TEST_TESTTMPDIR/testout.log" "$NFT_TEST_TESTTMPDIR/ruleset-diff" )
+	local result_msg_status
+
+	if [ "$rc_got" -eq 0 ] ; then
+		((ok++))
+		result_msg_status="${GREEN}OK$RESET"
+	elif [ "$rc_got" -eq 77 ] ; then
+		((skipped++))
+		result_msg_status="${YELLOW}SKIPPED$RESET"
+	else
+		((failed++))
+		result_msg_level="W"
+		if [ "$rc_got" -eq 121 ] ; then
+			result_msg_status="CHK DUMP"
+		elif [ "$rc_got" -eq 122 ] ; then
+			result_msg_status="VALGRIND"
+		elif [ "$rc_got" -eq 123 ] ; then
+			result_msg_status="TAINTED"
+		elif [ "$rc_got" -eq 124 ] ; then
+			result_msg_status="DUMP FAIL"
+		else
+			result_msg_status="FAILED"
+		fi
+		result_msg_status="$RED$result_msg_status$RESET"
+		result_msg_files=( "$NFT_TEST_TESTTMPDIR/testout.log" )
+	fi
+
+	print_test_header "$result_msg_level" "$testfile" "$((ok + skipped + failed))" "$result_msg_status"
+
+	if [ "$VERBOSE" = "y" ] ; then
+		local f
+
+		for f in "${result_msg_files[@]}"; do
+			if [ -s "$f" ] ; then
+				cat "$f"
+			fi
+		done
+
+		if [ "$rc_got" -ne 0 ] ; then
+			msg_info "check \"$NFT_TEST_TESTTMPDIR\""
+		fi
+	fi
+}
+
+declare -A JOBS_TEMPDIR
+
+job_start() {
+	local testfile="$1"
+	local testidx="$2"
+
+	if [ "$NFT_TEST_JOBS" -le 1 ] ; then
+		print_test_header I "$testfile" "$testidx" "EXECUTING"
+	fi
+
+	NFT_TEST_TESTTMPDIR="${JOBS_TEMPDIR["$testfile"]}" \
+	NFT="$NFT" NFT_REAL="$NFT_REAL" DIFF="$DIFF" DUMPGEN="$DUMPGEN" $NFT_TEST_UNSHARE_CMD "$NFT_TEST_BASEDIR/helpers/test-wrapper.sh" "$testfile"
+	local rc_got=$?
+
+	if [ "$NFT_TEST_JOBS" -le 1 ] ; then
+		echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line
+	fi
+
+	return "$rc_got"
+}
+
+job_wait()
+{
+	local num_jobs="$1"
+
+	while [ "$JOBS_N_RUNNING" -gt 0 -a "$JOBS_N_RUNNING" -ge "$num_jobs" ] ; do
+		wait -n -p JOBCOMPLETED
+		local rc_got="$?"
+		local testfile2="${JOBS_PIDLIST[$JOBCOMPLETED]}"
+		unset JOBS_PIDLIST[$JOBCOMPLETED]
+		print_test_result "${JOBS_TEMPDIR["$testfile2"]}" "$testfile2" "$rc_got"
+		((JOBS_N_RUNNING--))
+		check_kmemleak
+	done
+}
+
+if [ "$NFT_TEST_SHUFFLE_TESTS" = y ] ; then
+	TESTS=( $(printf '%s\n' "${TESTS[@]}" | shuf --random-source=<("$NFT_TEST_BASEDIR/helpers/random-source.sh" "nft-test-shuffle-tests" "$NFT_TEST_RANDOM_SEED") ) )
+fi
+
+TESTIDX=0
+JOBS_N_RUNNING=0
+for testfile in "${TESTS[@]}" ; do
+	job_wait "$NFT_TEST_JOBS"
+
+	kernel_cleanup
+
+	((TESTIDX++))
+
+	NFT_TEST_TESTTMPDIR="$NFT_TEST_TMPDIR/test-${testfile//\//-}.$TESTIDX"
+	mkdir "$NFT_TEST_TESTTMPDIR"
+	chmod 755 "$NFT_TEST_TESTTMPDIR"
+	JOBS_TEMPDIR["$testfile"]="$NFT_TEST_TESTTMPDIR"
+
+	[[ -o monitor ]] && set_old_state='set -m' || set_old_state='set +m'
+	set -m
+	( job_start "$testfile" "$TESTIDX" ) &
+	pid=$!
+	eval "$set_old_state"
+	JOBS_PIDLIST[$pid]="$testfile"
+	((JOBS_N_RUNNING++))
+done
+
+job_wait 0
+
+echo ""
+
+# kmemleak may report suspected leaks
+# that get free'd after all, so always do
+# a check after all test cases
+# have completed and reset the counter
+# so another warning gets emitted.
+kmemleak_found=0
+check_kmemleak_force
+
+failed_total="$failed"
+if [ "$NFT_TEST_FAIL_ON_SKIP" = y ] ; then
+	failed_total="$((failed_total + skipped))"
+fi
+
+if [ "$failed_total" -gt 0 ] ; then
+	RR="$RED"
+elif [ "$skipped" -gt 0 ] ; then
+	RR="$YELLOW"
+else
+	RR="$GREEN"
+fi
+msg_info "${RR}results$RESET: [OK] $GREEN$ok$RESET [SKIPPED] $YELLOW$skipped$RESET [FAILED] $RED$failed$RESET [TOTAL] $((ok+skipped+failed))"
+
+kernel_cleanup
+
+#    ( \
+#        for d in /tmp/nft-test.latest.*/test-*/ ; do \
+#               printf '%10.2f  %s\n' \
+#                      "$(sed '1!d' "$d/times")" \
+#                      "$(cat "$d/name")" ; \
+#        done \
+#        | sort -n \
+#        | awk '{print $0; s+=$1} END{printf("%10.2f\n", s)}' ; \
+#        printf '%10.2f wall time\n' "$(sed '1!d' /tmp/nft-test.latest.*/times)" \
+#    )
+END_TIME="$(cut -d ' ' -f1 /proc/uptime)"
+WALL_TIME="$(awk -v start="$START_TIME" -v end="$END_TIME" "BEGIN { print(end - start) }")"
+printf "%s\n" "$WALL_TIME" "$START_TIME" "$END_TIME" > "$NFT_TEST_TMPDIR/times"
+
+if [ "$failed_total" -gt 0 -o "$NFT_TEST_KEEP_LOGS" = y ] ; then
+	msg_info "check the temp directory \"$NFT_TEST_TMPDIR\" (\"$NFT_TEST_LATEST\")"
+	msg_info "   ls -lad \"$NFT_TEST_LATEST\"/*/*"
+	msg_info "   grep -R ^ \"$NFT_TEST_LATEST\"/"
+	NFT_TEST_TMPDIR=
+fi
+
+if [ "$failed" -gt 0 ] ; then
+	exit 1
+elif [ "$NFT_TEST_FAIL_ON_SKIP" = y -a "$skipped" -gt 0 ] ; then
+	msg_info "some tests were skipped. Fail due to NFT_TEST_FAIL_ON_SKIP=y"
+	exit 1
+elif [ "$ok" -eq 0 -a "$skipped" -gt 0 ] ; then
+	exit 77
+else
+	exit 0
+fi
diff --git a/tests/shell/stable-log/log-4.14 b/tests/shell/stable-log/log-4.14
new file mode 100644
index 0000000..2424f9a
--- /dev/null
+++ b/tests/shell/stable-log/log-4.14
@@ -0,0 +1,750 @@
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_0
+W: [FAILED]	././testcases/bitwise/0040mark_binop_0
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_1
+W: [FAILED]	././testcases/bitwise/0040mark_binop_1
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_2
+W: [FAILED]	././testcases/bitwise/0040mark_binop_2
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_3
+W: [FAILED]	././testcases/bitwise/0040mark_binop_3
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_4
+W: [FAILED]	././testcases/bitwise/0040mark_binop_4
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_5
+W: [FAILED]	././testcases/bitwise/0040mark_binop_5
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_6
+W: [FAILED]	././testcases/bitwise/0040mark_binop_6
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_7
+W: [FAILED]	././testcases/bitwise/0040mark_binop_7
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_8
+W: [FAILED]	././testcases/bitwise/0040mark_binop_8
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_9
+W: [FAILED]	././testcases/bitwise/0040mark_binop_9
+I: [EXECUTING]	././testcases/bogons/assert_failures
+I: [OK]		././testcases/bogons/assert_failures
+I: [EXECUTING]	././testcases/cache/0001_cache_handling_0
+I: [OK]		././testcases/cache/0001_cache_handling_0
+I: [EXECUTING]	././testcases/cache/0002_interval_0
+I: [OK]		././testcases/cache/0002_interval_0
+I: [EXECUTING]	././testcases/cache/0003_cache_update_0
+I: [OK]		././testcases/cache/0003_cache_update_0
+I: [EXECUTING]	././testcases/cache/0004_cache_update_0
+I: [OK]		././testcases/cache/0004_cache_update_0
+I: [EXECUTING]	././testcases/cache/0005_cache_chain_flush
+I: [OK]		././testcases/cache/0005_cache_chain_flush
+I: [EXECUTING]	././testcases/cache/0006_cache_table_flush
+I: [OK]		././testcases/cache/0006_cache_table_flush
+I: [EXECUTING]	././testcases/cache/0007_echo_cache_init_0
+I: [OK]		././testcases/cache/0007_echo_cache_init_0
+I: [EXECUTING]	././testcases/cache/0008_delete_by_handle_0
+W: [FAILED]	././testcases/cache/0008_delete_by_handle_0
+I: [EXECUTING]	././testcases/cache/0009_delete_by_handle_incorrect_0
+W: [FAILED]	././testcases/cache/0009_delete_by_handle_incorrect_0
+I: [EXECUTING]	././testcases/cache/0010_implicit_chain_0
+W: [FAILED]	././testcases/cache/0010_implicit_chain_0
+I: [EXECUTING]	././testcases/cache/0011_index_0
+W: [DUMP FAIL]	././testcases/cache/0011_index_0
+I: [EXECUTING]	././testcases/chains/0001jumps_0
+I: [OK]		././testcases/chains/0001jumps_0
+I: [EXECUTING]	././testcases/chains/0002jumps_1
+I: [OK]		././testcases/chains/0002jumps_1
+I: [EXECUTING]	././testcases/chains/0003jump_loop_1
+I: [OK]		././testcases/chains/0003jump_loop_1
+I: [EXECUTING]	././testcases/chains/0004busy_1
+I: [OK]		././testcases/chains/0004busy_1
+I: [EXECUTING]	././testcases/chains/0005busy_map_1
+I: [OK]		././testcases/chains/0005busy_map_1
+I: [EXECUTING]	././testcases/chains/0006masquerade_0
+I: [OK]		././testcases/chains/0006masquerade_0
+I: [EXECUTING]	././testcases/chains/0007masquerade_1
+I: [OK]		././testcases/chains/0007masquerade_1
+I: [EXECUTING]	././testcases/chains/0008masquerade_jump_1
+I: [OK]		././testcases/chains/0008masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0009masquerade_jump_1
+I: [OK]		././testcases/chains/0009masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0010endless_jump_loop_1
+I: [OK]		././testcases/chains/0010endless_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0011endless_jump_loop_1
+I: [OK]		././testcases/chains/0011endless_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0013rename_0
+I: [OK]		././testcases/chains/0013rename_0
+I: [EXECUTING]	././testcases/chains/0014rename_0
+I: [OK]		././testcases/chains/0014rename_0
+I: [EXECUTING]	././testcases/chains/0015check_jump_loop_1
+I: [OK]		././testcases/chains/0015check_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0016delete_handle_0
+W: [FAILED]	././testcases/chains/0016delete_handle_0
+I: [EXECUTING]	././testcases/chains/0017masquerade_jump_1
+W: [FAILED]	././testcases/chains/0017masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0018check_jump_loop_1
+I: [OK]		././testcases/chains/0018check_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0019masquerade_jump_1
+W: [FAILED]	././testcases/chains/0019masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0020depth_1
+W: [FAILED]	././testcases/chains/0020depth_1
+I: [EXECUTING]	././testcases/chains/0021prio_0
+W: [FAILED]	././testcases/chains/0021prio_0
+I: [EXECUTING]	././testcases/chains/0022prio_dummy_1
+I: [OK]		././testcases/chains/0022prio_dummy_1
+I: [EXECUTING]	././testcases/chains/0023prio_inet_srcnat_1
+I: [OK]		././testcases/chains/0023prio_inet_srcnat_1
+I: [EXECUTING]	././testcases/chains/0024prio_inet_dstnat_1
+I: [OK]		././testcases/chains/0024prio_inet_dstnat_1
+I: [EXECUTING]	././testcases/chains/0025prio_arp_1
+I: [OK]		././testcases/chains/0025prio_arp_1
+I: [EXECUTING]	././testcases/chains/0026prio_netdev_1
+I: [OK]		././testcases/chains/0026prio_netdev_1
+I: [EXECUTING]	././testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]		././testcases/chains/0027prio_bridge_dstnat_1
+I: [EXECUTING]	././testcases/chains/0028prio_bridge_out_1
+I: [OK]		././testcases/chains/0028prio_bridge_out_1
+I: [EXECUTING]	././testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]		././testcases/chains/0029prio_bridge_srcnat_1
+I: [EXECUTING]	././testcases/chains/0030create_0
+I: [OK]		././testcases/chains/0030create_0
+I: [EXECUTING]	././testcases/chains/0031priority_variable_0
+I: [OK]		././testcases/chains/0031priority_variable_0
+I: [EXECUTING]	././testcases/chains/0032priority_variable_0
+I: [OK]		././testcases/chains/0032priority_variable_0
+I: [EXECUTING]	././testcases/chains/0033priority_variable_1
+I: [OK]		././testcases/chains/0033priority_variable_1
+I: [EXECUTING]	././testcases/chains/0034priority_variable_1
+I: [OK]		././testcases/chains/0034priority_variable_1
+I: [EXECUTING]	././testcases/chains/0035policy_variable_0
+I: [OK]		././testcases/chains/0035policy_variable_0
+I: [EXECUTING]	././testcases/chains/0036policy_variable_0
+I: [OK]		././testcases/chains/0036policy_variable_0
+I: [EXECUTING]	././testcases/chains/0037policy_variable_1
+I: [OK]		././testcases/chains/0037policy_variable_1
+I: [EXECUTING]	././testcases/chains/0038policy_variable_1
+I: [OK]		././testcases/chains/0038policy_variable_1
+I: [EXECUTING]	././testcases/chains/0039negative_priority_0
+I: [OK]		././testcases/chains/0039negative_priority_0
+I: [EXECUTING]	././testcases/chains/0041chain_binding_0
+W: [FAILED]	././testcases/chains/0041chain_binding_0
+I: [EXECUTING]	././testcases/chains/0042chain_variable_0
+W: [FAILED]	././testcases/chains/0042chain_variable_0
+I: [EXECUTING]	././testcases/chains/0043chain_ingress_0
+W: [FAILED]	././testcases/chains/0043chain_ingress_0
+I: [EXECUTING]	././testcases/chains/0044chain_destroy_0
+W: [FAILED]	././testcases/chains/0044chain_destroy_0
+I: [EXECUTING]	././testcases/chains/netdev_chain_0
+W: [FAILED]	././testcases/chains/netdev_chain_0
+I: [EXECUTING]	././testcases/comments/comments_0
+I: [OK]		././testcases/comments/comments_0
+I: [EXECUTING]	././testcases/flowtable/0001flowtable_0
+W: [FAILED]	././testcases/flowtable/0001flowtable_0
+I: [EXECUTING]	././testcases/flowtable/0002create_flowtable_0
+W: [FAILED]	././testcases/flowtable/0002create_flowtable_0
+I: [EXECUTING]	././testcases/flowtable/0003add_after_flush_0
+W: [FAILED]	././testcases/flowtable/0003add_after_flush_0
+I: [EXECUTING]	././testcases/flowtable/0004delete_after_add_0
+W: [FAILED]	././testcases/flowtable/0004delete_after_add_0
+I: [EXECUTING]	././testcases/flowtable/0005delete_in_use_1
+W: [FAILED]	././testcases/flowtable/0005delete_in_use_1
+I: [EXECUTING]	././testcases/flowtable/0006segfault_0
+I: [OK]		././testcases/flowtable/0006segfault_0
+I: [EXECUTING]	././testcases/flowtable/0007prio_0
+W: [FAILED]	././testcases/flowtable/0007prio_0
+I: [EXECUTING]	././testcases/flowtable/0008prio_1
+I: [OK]		././testcases/flowtable/0008prio_1
+I: [EXECUTING]	././testcases/flowtable/0009deleteafterflush_0
+W: [FAILED]	././testcases/flowtable/0009deleteafterflush_0
+I: [EXECUTING]	././testcases/flowtable/0010delete_handle_0
+W: [FAILED]	././testcases/flowtable/0010delete_handle_0
+I: [EXECUTING]	././testcases/flowtable/0011deleteafterflush_0
+W: [FAILED]	././testcases/flowtable/0011deleteafterflush_0
+I: [EXECUTING]	././testcases/flowtable/0012flowtable_variable_0
+W: [FAILED]	././testcases/flowtable/0012flowtable_variable_0
+I: [EXECUTING]	././testcases/flowtable/0013addafterdelete_0
+W: [FAILED]	././testcases/flowtable/0013addafterdelete_0
+I: [EXECUTING]	././testcases/flowtable/0014addafterdelete_0
+W: [FAILED]	././testcases/flowtable/0014addafterdelete_0
+I: [EXECUTING]	././testcases/flowtable/0015destroy_0
+W: [FAILED]	././testcases/flowtable/0015destroy_0
+I: [EXECUTING]	././testcases/include/0001absolute_0
+I: [OK]		././testcases/include/0001absolute_0
+I: [EXECUTING]	././testcases/include/0002relative_0
+I: [OK]		././testcases/include/0002relative_0
+I: [EXECUTING]	././testcases/include/0003includepath_0
+I: [OK]		././testcases/include/0003includepath_0
+I: [EXECUTING]	././testcases/include/0004endlessloop_1
+I: [OK]		././testcases/include/0004endlessloop_1
+I: [EXECUTING]	././testcases/include/0005glob_empty_0
+I: [OK]		././testcases/include/0005glob_empty_0
+I: [EXECUTING]	././testcases/include/0006glob_single_0
+I: [OK]		././testcases/include/0006glob_single_0
+I: [EXECUTING]	././testcases/include/0007glob_double_0
+I: [OK]		././testcases/include/0007glob_double_0
+I: [EXECUTING]	././testcases/include/0008glob_nofile_wildcard_0
+I: [OK]		././testcases/include/0008glob_nofile_wildcard_0
+I: [EXECUTING]	././testcases/include/0009glob_nofile_1
+I: [OK]		././testcases/include/0009glob_nofile_1
+I: [EXECUTING]	././testcases/include/0010glob_broken_file_1
+I: [OK]		././testcases/include/0010glob_broken_file_1
+I: [EXECUTING]	././testcases/include/0011glob_dependency_0
+I: [OK]		././testcases/include/0011glob_dependency_0
+I: [EXECUTING]	././testcases/include/0012glob_dependency_1
+I: [OK]		././testcases/include/0012glob_dependency_1
+I: [EXECUTING]	././testcases/include/0013glob_dotfile_0
+I: [OK]		././testcases/include/0013glob_dotfile_0
+I: [EXECUTING]	././testcases/include/0013input_descriptors_included_files_0
+I: [OK]		././testcases/include/0013input_descriptors_included_files_0
+I: [EXECUTING]	././testcases/include/0014glob_directory_0
+I: [OK]		././testcases/include/0014glob_directory_0
+I: [EXECUTING]	././testcases/include/0015doubleincludepath_0
+I: [OK]		././testcases/include/0015doubleincludepath_0
+I: [EXECUTING]	././testcases/include/0016maxdepth_0
+I: [OK]		././testcases/include/0016maxdepth_0
+I: [EXECUTING]	././testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]		././testcases/include/0017glob_more_than_maxdepth_1
+I: [EXECUTING]	././testcases/include/0018include_error_0
+I: [OK]		././testcases/include/0018include_error_0
+I: [EXECUTING]	././testcases/include/0019include_error_0
+I: [OK]		././testcases/include/0019include_error_0
+I: [EXECUTING]	././testcases/include/0020include_chain_0
+I: [OK]		././testcases/include/0020include_chain_0
+I: [EXECUTING]	././testcases/json/0001set_statements_0
+W: [FAILED]	././testcases/json/0001set_statements_0
+I: [EXECUTING]	././testcases/json/0002table_map_0
+W: [DUMP FAIL]	././testcases/json/0002table_map_0
+I: [EXECUTING]	././testcases/json/0003json_schema_version_0
+I: [OK]		././testcases/json/0003json_schema_version_0
+I: [EXECUTING]	././testcases/json/0004json_schema_version_1
+I: [OK]		././testcases/json/0004json_schema_version_1
+I: [EXECUTING]	././testcases/json/0005secmark_objref_0
+W: [FAILED]	././testcases/json/0005secmark_objref_0
+I: [EXECUTING]	././testcases/json/0006obj_comment_0
+W: [DUMP FAIL]	././testcases/json/0006obj_comment_0
+I: [EXECUTING]	././testcases/json/netdev
+I: [OK]		././testcases/json/netdev
+I: [EXECUTING]	././testcases/listing/0001ruleset_0
+I: [OK]		././testcases/listing/0001ruleset_0
+I: [EXECUTING]	././testcases/listing/0002ruleset_0
+I: [OK]		././testcases/listing/0002ruleset_0
+I: [EXECUTING]	././testcases/listing/0003table_0
+I: [OK]		././testcases/listing/0003table_0
+I: [EXECUTING]	././testcases/listing/0004table_0
+I: [OK]		././testcases/listing/0004table_0
+I: [EXECUTING]	././testcases/listing/0005ruleset_ip_0
+I: [OK]		././testcases/listing/0005ruleset_ip_0
+I: [EXECUTING]	././testcases/listing/0006ruleset_ip6_0
+I: [OK]		././testcases/listing/0006ruleset_ip6_0
+I: [EXECUTING]	././testcases/listing/0007ruleset_inet_0
+I: [OK]		././testcases/listing/0007ruleset_inet_0
+I: [EXECUTING]	././testcases/listing/0008ruleset_arp_0
+I: [OK]		././testcases/listing/0008ruleset_arp_0
+I: [EXECUTING]	././testcases/listing/0009ruleset_bridge_0
+I: [OK]		././testcases/listing/0009ruleset_bridge_0
+I: [EXECUTING]	././testcases/listing/0010sets_0
+W: [FAILED]	././testcases/listing/0010sets_0
+I: [EXECUTING]	././testcases/listing/0011sets_0
+W: [FAILED]	././testcases/listing/0011sets_0
+I: [EXECUTING]	././testcases/listing/0012sets_0
+I: [OK]		././testcases/listing/0012sets_0
+I: [EXECUTING]	././testcases/listing/0013objects_0
+W: [FAILED]	././testcases/listing/0013objects_0
+I: [EXECUTING]	././testcases/listing/0014objects_0
+I: [OK]		././testcases/listing/0014objects_0
+I: [EXECUTING]	././testcases/listing/0015dynamic_0
+W: [FAILED]	././testcases/listing/0015dynamic_0
+I: [EXECUTING]	././testcases/listing/0016anonymous_0
+I: [OK]		././testcases/listing/0016anonymous_0
+I: [EXECUTING]	././testcases/listing/0017objects_0
+I: [OK]		././testcases/listing/0017objects_0
+I: [EXECUTING]	././testcases/listing/0018data_0
+I: [OK]		././testcases/listing/0018data_0
+I: [EXECUTING]	././testcases/listing/0019set_0
+I: [OK]		././testcases/listing/0019set_0
+I: [EXECUTING]	././testcases/listing/0020flowtable_0
+I: [OK]		././testcases/listing/0020flowtable_0
+I: [EXECUTING]	././testcases/listing/0021ruleset_json_terse_0
+I: [OK]		././testcases/listing/0021ruleset_json_terse_0
+I: [EXECUTING]	././testcases/listing/0022terse_0
+I: [OK]		././testcases/listing/0022terse_0
+I: [EXECUTING]	././testcases/maps/0003map_add_many_elements_0
+I: [OK]		././testcases/maps/0003map_add_many_elements_0
+I: [EXECUTING]	././testcases/maps/0004interval_map_create_once_0
+I: [OK]		././testcases/maps/0004interval_map_create_once_0
+I: [EXECUTING]	././testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]		././testcases/maps/0005interval_map_add_many_elements_0
+I: [EXECUTING]	././testcases/maps/0006interval_map_overlap_0
+I: [OK]		././testcases/maps/0006interval_map_overlap_0
+I: [EXECUTING]	././testcases/maps/0007named_ifname_dtype_0
+I: [OK]		././testcases/maps/0007named_ifname_dtype_0
+I: [EXECUTING]	././testcases/maps/0008interval_map_delete_0
+I: [OK]		././testcases/maps/0008interval_map_delete_0
+I: [EXECUTING]	././testcases/maps/0009vmap_0
+W: [DUMP FAIL]	././testcases/maps/0009vmap_0
+I: [EXECUTING]	././testcases/maps/0010concat_map_0
+W: [FAILED]	././testcases/maps/0010concat_map_0
+I: [EXECUTING]	././testcases/maps/0011vmap_0
+W: [FAILED]	././testcases/maps/0011vmap_0
+I: [EXECUTING]	././testcases/maps/0012map_0
+W: [FAILED]	././testcases/maps/0012map_0
+I: [EXECUTING]	././testcases/maps/0013map_0
+W: [FAILED]	././testcases/maps/0013map_0
+I: [EXECUTING]	././testcases/maps/0014destroy_0
+W: [FAILED]	././testcases/maps/0014destroy_0
+I: [EXECUTING]	././testcases/maps/0016map_leak_0
+I: [OK]		././testcases/maps/0016map_leak_0
+I: [EXECUTING]	././testcases/maps/0017_map_variable_0
+W: [FAILED]	././testcases/maps/0017_map_variable_0
+I: [EXECUTING]	././testcases/maps/0018map_leak_timeout_0
+I: [OK]		././testcases/maps/0018map_leak_timeout_0
+I: [EXECUTING]	././testcases/maps/anon_objmap_concat
+W: [FAILED]	././testcases/maps/anon_objmap_concat
+I: [EXECUTING]	././testcases/maps/anonymous_snat_map_0
+I: [OK]		././testcases/maps/anonymous_snat_map_0
+I: [EXECUTING]	././testcases/maps/different_map_types_1
+I: [OK]		././testcases/maps/different_map_types_1
+I: [EXECUTING]	././testcases/maps/map_catchall_double_deactivate
+W: [FAILED]	././testcases/maps/map_catchall_double_deactivate
+I: [EXECUTING]	././testcases/maps/map_with_flags_0
+I: [OK]		././testcases/maps/map_with_flags_0
+I: [EXECUTING]	././testcases/maps/named_snat_map_0
+I: [OK]		././testcases/maps/named_snat_map_0
+I: [EXECUTING]	././testcases/maps/nat_addr_port
+W: [FAILED]	././testcases/maps/nat_addr_port
+I: [EXECUTING]	././testcases/maps/typeof_integer_0
+W: [FAILED]	././testcases/maps/typeof_integer_0
+I: [EXECUTING]	././testcases/maps/typeof_maps_0
+W: [FAILED]	././testcases/maps/typeof_maps_0
+I: [EXECUTING]	././testcases/maps/typeof_maps_add_delete
+W: [FAILED]	././testcases/maps/typeof_maps_add_delete
+I: [EXECUTING]	././testcases/maps/typeof_maps_concat
+W: [FAILED]	././testcases/maps/typeof_maps_concat
+I: [EXECUTING]	././testcases/maps/typeof_maps_concat_update_0
+W: [FAILED]	././testcases/maps/typeof_maps_concat_update_0
+I: [EXECUTING]	././testcases/maps/typeof_maps_update_0
+W: [FAILED]	././testcases/maps/typeof_maps_update_0
+I: [EXECUTING]	././testcases/maps/typeof_raw_0
+W: [FAILED]	././testcases/maps/typeof_raw_0
+I: [EXECUTING]	././testcases/maps/vmap_timeout
+W: [FAILED]	././testcases/maps/vmap_timeout
+I: [EXECUTING]	././testcases/netns/0001nft-f_0
+W: [FAILED]	././testcases/netns/0001nft-f_0
+I: [EXECUTING]	././testcases/netns/0002loosecommands_0
+I: [OK]		././testcases/netns/0002loosecommands_0
+I: [EXECUTING]	././testcases/netns/0003many_0
+W: [FAILED]	././testcases/netns/0003many_0
+I: [EXECUTING]	././testcases/nft-f/0001define_slash_0
+I: [OK]		././testcases/nft-f/0001define_slash_0
+I: [EXECUTING]	././testcases/nft-f/0002rollback_rule_0
+I: [OK]		././testcases/nft-f/0002rollback_rule_0
+I: [EXECUTING]	././testcases/nft-f/0003rollback_jump_0
+I: [OK]		././testcases/nft-f/0003rollback_jump_0
+I: [EXECUTING]	././testcases/nft-f/0004rollback_set_0
+I: [OK]		././testcases/nft-f/0004rollback_set_0
+I: [EXECUTING]	././testcases/nft-f/0005rollback_map_0
+I: [OK]		././testcases/nft-f/0005rollback_map_0
+I: [EXECUTING]	././testcases/nft-f/0006action_object_0
+I: [OK]		././testcases/nft-f/0006action_object_0
+I: [EXECUTING]	././testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]		././testcases/nft-f/0007action_object_set_segfault_1
+I: [EXECUTING]	././testcases/nft-f/0008split_tables_0
+I: [OK]		././testcases/nft-f/0008split_tables_0
+I: [EXECUTING]	././testcases/nft-f/0009variable_0
+I: [OK]		././testcases/nft-f/0009variable_0
+I: [EXECUTING]	././testcases/nft-f/0010variable_0
+I: [OK]		././testcases/nft-f/0010variable_0
+I: [EXECUTING]	././testcases/nft-f/0011manydefines_0
+I: [OK]		././testcases/nft-f/0011manydefines_0
+I: [EXECUTING]	././testcases/nft-f/0012different_defines_0
+I: [OK]		././testcases/nft-f/0012different_defines_0
+I: [EXECUTING]	././testcases/nft-f/0013defines_1
+I: [OK]		././testcases/nft-f/0013defines_1
+I: [EXECUTING]	././testcases/nft-f/0014defines_1
+I: [OK]		././testcases/nft-f/0014defines_1
+I: [EXECUTING]	././testcases/nft-f/0015defines_1
+I: [OK]		././testcases/nft-f/0015defines_1
+I: [EXECUTING]	././testcases/nft-f/0016redefines_1
+I: [OK]		././testcases/nft-f/0016redefines_1
+I: [EXECUTING]	././testcases/nft-f/0017ct_timeout_obj_0
+W: [FAILED]	././testcases/nft-f/0017ct_timeout_obj_0
+I: [EXECUTING]	././testcases/nft-f/0018ct_expectation_obj_0
+W: [FAILED]	././testcases/nft-f/0018ct_expectation_obj_0
+I: [EXECUTING]	././testcases/nft-f/0018jump_variable_0
+I: [OK]		././testcases/nft-f/0018jump_variable_0
+I: [EXECUTING]	././testcases/nft-f/0019jump_variable_1
+I: [OK]		././testcases/nft-f/0019jump_variable_1
+I: [EXECUTING]	././testcases/nft-f/0020jump_variable_1
+I: [OK]		././testcases/nft-f/0020jump_variable_1
+I: [EXECUTING]	././testcases/nft-f/0021list_ruleset_0
+I: [OK]		././testcases/nft-f/0021list_ruleset_0
+I: [EXECUTING]	././testcases/nft-f/0022variables_0
+W: [DUMP FAIL]	././testcases/nft-f/0022variables_0
+I: [EXECUTING]	././testcases/nft-f/0023check_1
+I: [OK]		././testcases/nft-f/0023check_1
+I: [EXECUTING]	././testcases/nft-f/0024priority_0
+I: [OK]		././testcases/nft-f/0024priority_0
+I: [EXECUTING]	././testcases/nft-f/0025empty_dynset_0
+W: [DUMP FAIL]	././testcases/nft-f/0025empty_dynset_0
+I: [EXECUTING]	././testcases/nft-f/0026listing_0
+I: [OK]		././testcases/nft-f/0026listing_0
+I: [EXECUTING]	././testcases/nft-f/0027split_chains_0
+I: [OK]		././testcases/nft-f/0027split_chains_0
+I: [EXECUTING]	././testcases/nft-f/0028variable_cmdline_0
+I: [OK]		././testcases/nft-f/0028variable_cmdline_0
+I: [EXECUTING]	././testcases/nft-f/0029split_file_0
+I: [OK]		././testcases/nft-f/0029split_file_0
+I: [EXECUTING]	././testcases/nft-f/0030variable_reuse_0
+I: [OK]		././testcases/nft-f/0030variable_reuse_0
+I: [EXECUTING]	././testcases/nft-f/0031vmap_string_0
+I: [OK]		././testcases/nft-f/0031vmap_string_0
+I: [EXECUTING]	././testcases/nft-f/0032pknock_0
+W: [DUMP FAIL]	././testcases/nft-f/0032pknock_0
+I: [EXECUTING]	././testcases/nft-i/0001define_0
+I: [OK]		././testcases/nft-i/0001define_0
+I: [EXECUTING]	././testcases/optimizations/dependency_kill
+W: [DUMP FAIL]	././testcases/optimizations/dependency_kill
+I: [EXECUTING]	././testcases/optimizations/merge_nat
+W: [FAILED]	././testcases/optimizations/merge_nat
+I: [EXECUTING]	././testcases/optimizations/merge_reject
+I: [OK]		././testcases/optimizations/merge_reject
+I: [EXECUTING]	././testcases/optimizations/merge_stmts
+I: [OK]		././testcases/optimizations/merge_stmts
+I: [EXECUTING]	././testcases/optimizations/merge_stmts_concat
+W: [FAILED]	././testcases/optimizations/merge_stmts_concat
+I: [EXECUTING]	././testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]		././testcases/optimizations/merge_stmts_concat_vmap
+I: [EXECUTING]	././testcases/optimizations/merge_stmts_vmap
+W: [DUMP FAIL]	././testcases/optimizations/merge_stmts_vmap
+I: [EXECUTING]	././testcases/optimizations/merge_vmap_raw
+W: [FAILED]	././testcases/optimizations/merge_vmap_raw
+I: [EXECUTING]	././testcases/optimizations/merge_vmaps
+W: [FAILED]	././testcases/optimizations/merge_vmaps
+I: [EXECUTING]	././testcases/optimizations/not_mergeable
+I: [OK]		././testcases/optimizations/not_mergeable
+I: [EXECUTING]	././testcases/optimizations/ruleset
+W: [FAILED]	././testcases/optimizations/ruleset
+I: [EXECUTING]	././testcases/optimizations/single_anon_set
+W: [DUMP FAIL]	././testcases/optimizations/single_anon_set
+I: [EXECUTING]	././testcases/optimizations/skip_merge
+I: [OK]		././testcases/optimizations/skip_merge
+I: [EXECUTING]	././testcases/optimizations/skip_non_eq
+I: [OK]		././testcases/optimizations/skip_non_eq
+I: [EXECUTING]	././testcases/optimizations/skip_unsupported
+I: [OK]		././testcases/optimizations/skip_unsupported
+I: [EXECUTING]	././testcases/optimizations/variables
+I: [OK]		././testcases/optimizations/variables
+I: [EXECUTING]	././testcases/optionals/comments_0
+I: [OK]		././testcases/optionals/comments_0
+I: [EXECUTING]	././testcases/optionals/comments_chain_0
+W: [DUMP FAIL]	././testcases/optionals/comments_chain_0
+I: [EXECUTING]	././testcases/optionals/comments_handles_0
+I: [OK]		././testcases/optionals/comments_handles_0
+I: [EXECUTING]	././testcases/optionals/comments_objects_0
+W: [FAILED]	././testcases/optionals/comments_objects_0
+I: [EXECUTING]	././testcases/optionals/comments_objects_dup_0
+I: [OK]		././testcases/optionals/comments_objects_dup_0
+I: [EXECUTING]	././testcases/optionals/comments_table_0
+W: [DUMP FAIL]	././testcases/optionals/comments_table_0
+I: [EXECUTING]	././testcases/optionals/delete_object_handles_0
+W: [FAILED]	././testcases/optionals/delete_object_handles_0
+I: [EXECUTING]	././testcases/optionals/handles_0
+I: [OK]		././testcases/optionals/handles_0
+I: [EXECUTING]	././testcases/optionals/handles_1
+I: [OK]		././testcases/optionals/handles_1
+I: [EXECUTING]	././testcases/optionals/log_prefix_0
+I: [OK]		././testcases/optionals/log_prefix_0
+I: [EXECUTING]	././testcases/optionals/update_object_handles_0
+W: [FAILED]	././testcases/optionals/update_object_handles_0
+I: [EXECUTING]	././testcases/owner/0001-flowtable-uaf
+W: [FAILED]	././testcases/owner/0001-flowtable-uaf
+I: [EXECUTING]	././testcases/parsing/describe
+I: [OK]		././testcases/parsing/describe
+I: [EXECUTING]	././testcases/parsing/large_rule_pipe
+I: [OK]		././testcases/parsing/large_rule_pipe
+I: [EXECUTING]	././testcases/parsing/log
+I: [OK]		././testcases/parsing/log
+I: [EXECUTING]	././testcases/parsing/octal
+I: [OK]		././testcases/parsing/octal
+I: [EXECUTING]	././testcases/rule_management/0001addinsertposition_0
+I: [OK]		././testcases/rule_management/0001addinsertposition_0
+I: [EXECUTING]	././testcases/rule_management/0002addinsertlocation_1
+I: [OK]		././testcases/rule_management/0002addinsertlocation_1
+I: [EXECUTING]	././testcases/rule_management/0003insert_0
+I: [OK]		././testcases/rule_management/0003insert_0
+I: [EXECUTING]	././testcases/rule_management/0004replace_0
+I: [OK]		././testcases/rule_management/0004replace_0
+I: [EXECUTING]	././testcases/rule_management/0005replace_1
+I: [OK]		././testcases/rule_management/0005replace_1
+I: [EXECUTING]	././testcases/rule_management/0006replace_1
+I: [OK]		././testcases/rule_management/0006replace_1
+I: [EXECUTING]	././testcases/rule_management/0007delete_0
+I: [OK]		././testcases/rule_management/0007delete_0
+I: [EXECUTING]	././testcases/rule_management/0008delete_1
+I: [OK]		././testcases/rule_management/0008delete_1
+I: [EXECUTING]	././testcases/rule_management/0009delete_1
+I: [OK]		././testcases/rule_management/0009delete_1
+I: [EXECUTING]	././testcases/rule_management/0010replace_0
+I: [OK]		././testcases/rule_management/0010replace_0
+I: [EXECUTING]	././testcases/rule_management/0011reset_0
+W: [FAILED]	././testcases/rule_management/0011reset_0
+I: [EXECUTING]	././testcases/rule_management/0012destroy_0
+W: [FAILED]	././testcases/rule_management/0012destroy_0
+I: [EXECUTING]	././testcases/sets/0001named_interval_0
+I: [OK]		././testcases/sets/0001named_interval_0
+I: [EXECUTING]	././testcases/sets/0002named_interval_automerging_0
+I: [OK]		././testcases/sets/0002named_interval_automerging_0
+I: [EXECUTING]	././testcases/sets/0003named_interval_missing_flag_0
+I: [OK]		././testcases/sets/0003named_interval_missing_flag_0
+I: [EXECUTING]	././testcases/sets/0004named_interval_shadow_0
+I: [OK]		././testcases/sets/0004named_interval_shadow_0
+I: [EXECUTING]	././testcases/sets/0005named_interval_shadow_0
+I: [OK]		././testcases/sets/0005named_interval_shadow_0
+I: [EXECUTING]	././testcases/sets/0006create_set_0
+I: [OK]		././testcases/sets/0006create_set_0
+I: [EXECUTING]	././testcases/sets/0007create_element_0
+I: [OK]		././testcases/sets/0007create_element_0
+I: [EXECUTING]	././testcases/sets/0008comments_interval_0
+I: [OK]		././testcases/sets/0008comments_interval_0
+I: [EXECUTING]	././testcases/sets/0008create_verdict_map_0
+I: [OK]		././testcases/sets/0008create_verdict_map_0
+I: [EXECUTING]	././testcases/sets/0009comments_timeout_0
+I: [OK]		././testcases/sets/0009comments_timeout_0
+I: [EXECUTING]	././testcases/sets/0010comments_0
+I: [OK]		././testcases/sets/0010comments_0
+I: [EXECUTING]	././testcases/sets/0011add_many_elements_0
+I: [OK]		././testcases/sets/0011add_many_elements_0
+I: [EXECUTING]	././testcases/sets/0012add_delete_many_elements_0
+I: [OK]		././testcases/sets/0012add_delete_many_elements_0
+I: [EXECUTING]	././testcases/sets/0013add_delete_many_elements_0
+I: [OK]		././testcases/sets/0013add_delete_many_elements_0
+I: [EXECUTING]	././testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]		././testcases/sets/0014malformed_set_is_not_defined_0
+I: [EXECUTING]	././testcases/sets/0015rulesetflush_0
+I: [OK]		././testcases/sets/0015rulesetflush_0
+I: [EXECUTING]	././testcases/sets/0016element_leak_0
+I: [OK]		././testcases/sets/0016element_leak_0
+I: [EXECUTING]	././testcases/sets/0017add_after_flush_0
+I: [OK]		././testcases/sets/0017add_after_flush_0
+I: [EXECUTING]	././testcases/sets/0018set_check_size_1
+I: [OK]		././testcases/sets/0018set_check_size_1
+I: [EXECUTING]	././testcases/sets/0019set_check_size_0
+I: [OK]		././testcases/sets/0019set_check_size_0
+I: [EXECUTING]	././testcases/sets/0020comments_0
+I: [OK]		././testcases/sets/0020comments_0
+I: [EXECUTING]	././testcases/sets/0021nesting_0
+I: [OK]		././testcases/sets/0021nesting_0
+I: [EXECUTING]	././testcases/sets/0022type_selective_flush_0
+W: [DUMP FAIL]	././testcases/sets/0022type_selective_flush_0
+I: [EXECUTING]	././testcases/sets/0023incomplete_add_set_command_0
+I: [OK]		././testcases/sets/0023incomplete_add_set_command_0
+I: [EXECUTING]	././testcases/sets/0024named_objects_0
+W: [FAILED]	././testcases/sets/0024named_objects_0
+I: [EXECUTING]	././testcases/sets/0025anonymous_set_0
+I: [OK]		././testcases/sets/0025anonymous_set_0
+I: [EXECUTING]	././testcases/sets/0026named_limit_0
+I: [OK]		././testcases/sets/0026named_limit_0
+I: [EXECUTING]	././testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]		././testcases/sets/0027ipv6_maps_ipv4_0
+I: [EXECUTING]	././testcases/sets/0028autoselect_0
+W: [FAILED]	././testcases/sets/0028autoselect_0
+I: [EXECUTING]	././testcases/sets/0028delete_handle_0
+W: [FAILED]	././testcases/sets/0028delete_handle_0
+I: [EXECUTING]	././testcases/sets/0029named_ifname_dtype_0
+I: [OK]		././testcases/sets/0029named_ifname_dtype_0
+I: [EXECUTING]	././testcases/sets/0030add_many_elements_interval_0
+I: [OK]		././testcases/sets/0030add_many_elements_interval_0
+I: [EXECUTING]	././testcases/sets/0031set_timeout_size_0
+W: [FAILED]	././testcases/sets/0031set_timeout_size_0
+I: [EXECUTING]	././testcases/sets/0032restore_set_simple_0
+I: [OK]		././testcases/sets/0032restore_set_simple_0
+I: [EXECUTING]	././testcases/sets/0033add_set_simple_flat_0
+I: [OK]		././testcases/sets/0033add_set_simple_flat_0
+I: [EXECUTING]	././testcases/sets/0034get_element_0
+W: [FAILED]	././testcases/sets/0034get_element_0
+I: [EXECUTING]	././testcases/sets/0035add_set_elements_flat_0
+I: [OK]		././testcases/sets/0035add_set_elements_flat_0
+I: [EXECUTING]	././testcases/sets/0036add_set_element_expiration_0
+W: [FAILED]	././testcases/sets/0036add_set_element_expiration_0
+I: [EXECUTING]	././testcases/sets/0037_set_with_inet_service_0
+I: [OK]		././testcases/sets/0037_set_with_inet_service_0
+I: [EXECUTING]	././testcases/sets/0038meter_list_0
+W: [FAILED]	././testcases/sets/0038meter_list_0
+I: [EXECUTING]	././testcases/sets/0039delete_interval_0
+I: [OK]		././testcases/sets/0039delete_interval_0
+I: [EXECUTING]	././testcases/sets/0040get_host_endian_elements_0
+W: [FAILED]	././testcases/sets/0040get_host_endian_elements_0
+I: [EXECUTING]	././testcases/sets/0041interval_0
+W: [FAILED]	././testcases/sets/0041interval_0
+I: [EXECUTING]	././testcases/sets/0042update_set_0
+W: [FAILED]	././testcases/sets/0042update_set_0
+I: [EXECUTING]	././testcases/sets/0043concatenated_ranges_0
+W: [FAILED]	././testcases/sets/0043concatenated_ranges_0
+I: [EXECUTING]	././testcases/sets/0043concatenated_ranges_1
+W: [FAILED]	././testcases/sets/0043concatenated_ranges_1
+I: [EXECUTING]	././testcases/sets/0044interval_overlap_0
+W: [FAILED]	././testcases/sets/0044interval_overlap_0
+I: [EXECUTING]	././testcases/sets/0044interval_overlap_1
+I: [OK]		././testcases/sets/0044interval_overlap_1
+I: [EXECUTING]	././testcases/sets/0045concat_ipv4_service
+W: [FAILED]	././testcases/sets/0045concat_ipv4_service
+I: [EXECUTING]	././testcases/sets/0046netmap_0
+W: [FAILED]	././testcases/sets/0046netmap_0
+I: [EXECUTING]	././testcases/sets/0047nat_0
+W: [FAILED]	././testcases/sets/0047nat_0
+I: [EXECUTING]	././testcases/sets/0048set_counters_0
+W: [DUMP FAIL]	././testcases/sets/0048set_counters_0
+I: [EXECUTING]	././testcases/sets/0049set_define_0
+I: [OK]		././testcases/sets/0049set_define_0
+I: [EXECUTING]	././testcases/sets/0050set_define_1
+I: [OK]		././testcases/sets/0050set_define_1
+I: [EXECUTING]	././testcases/sets/0051set_interval_counter_0
+W: [DUMP FAIL]	././testcases/sets/0051set_interval_counter_0
+I: [EXECUTING]	././testcases/sets/0052overlap_0
+I: [OK]		././testcases/sets/0052overlap_0
+I: [EXECUTING]	././testcases/sets/0053echo_0
+I: [OK]		././testcases/sets/0053echo_0
+I: [EXECUTING]	././testcases/sets/0054comments_set_0
+I: [OK]		././testcases/sets/0054comments_set_0
+I: [EXECUTING]	././testcases/sets/0055tcpflags_0
+I: [OK]		././testcases/sets/0055tcpflags_0
+I: [EXECUTING]	././testcases/sets/0056dynamic_limit_0
+I: [OK]		././testcases/sets/0056dynamic_limit_0
+I: [EXECUTING]	././testcases/sets/0057set_create_fails_0
+I: [OK]		././testcases/sets/0057set_create_fails_0
+I: [EXECUTING]	././testcases/sets/0058_setupdate_timeout_0
+W: [FAILED]	././testcases/sets/0058_setupdate_timeout_0
+I: [EXECUTING]	././testcases/sets/0059set_update_multistmt_0
+W: [FAILED]	././testcases/sets/0059set_update_multistmt_0
+I: [EXECUTING]	././testcases/sets/0060set_multistmt_0
+W: [FAILED]	././testcases/sets/0060set_multistmt_0
+I: [EXECUTING]	././testcases/sets/0060set_multistmt_1
+W: [FAILED]	././testcases/sets/0060set_multistmt_1
+I: [EXECUTING]	././testcases/sets/0061anonymous_automerge_0
+I: [OK]		././testcases/sets/0061anonymous_automerge_0
+I: [EXECUTING]	././testcases/sets/0062set_connlimit_0
+I: [OK]		././testcases/sets/0062set_connlimit_0
+I: [EXECUTING]	././testcases/sets/0063set_catchall_0
+W: [FAILED]	././testcases/sets/0063set_catchall_0
+I: [EXECUTING]	././testcases/sets/0064map_catchall_0
+W: [FAILED]	././testcases/sets/0064map_catchall_0
+I: [EXECUTING]	././testcases/sets/0065_icmp_postprocessing
+I: [OK]		././testcases/sets/0065_icmp_postprocessing
+I: [EXECUTING]	././testcases/sets/0067nat_concat_interval_0
+W: [FAILED]	././testcases/sets/0067nat_concat_interval_0
+I: [EXECUTING]	././testcases/sets/0068interval_stack_overflow_0
+I: [OK]		././testcases/sets/0068interval_stack_overflow_0
+I: [EXECUTING]	././testcases/sets/0069interval_merge_0
+I: [OK]		././testcases/sets/0069interval_merge_0
+I: [EXECUTING]	././testcases/sets/0070stacked_l2_headers
+W: [FAILED]	././testcases/sets/0070stacked_l2_headers
+I: [EXECUTING]	././testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]		././testcases/sets/0071unclosed_prefix_interval_0
+I: [EXECUTING]	././testcases/sets/0072destroy_0
+W: [FAILED]	././testcases/sets/0072destroy_0
+I: [EXECUTING]	././testcases/sets/automerge_0
+W: [FAILED]	././testcases/sets/automerge_0
+I: [EXECUTING]	././testcases/sets/collapse_elem_0
+I: [OK]		././testcases/sets/collapse_elem_0
+I: [EXECUTING]	././testcases/sets/concat_interval_0
+W: [FAILED]	././testcases/sets/concat_interval_0
+I: [EXECUTING]	././testcases/sets/dynset_missing
+W: [FAILED]	././testcases/sets/dynset_missing
+I: [EXECUTING]	././testcases/sets/errors_0
+I: [OK]		././testcases/sets/errors_0
+I: [EXECUTING]	././testcases/sets/exact_overlap_0
+I: [OK]		././testcases/sets/exact_overlap_0
+I: [EXECUTING]	././testcases/sets/inner_0
+W: [FAILED]	././testcases/sets/inner_0
+I: [EXECUTING]	././testcases/sets/reset_command_0
+W: [FAILED]	././testcases/sets/reset_command_0
+I: [EXECUTING]	././testcases/sets/set_eval_0
+I: [OK]		././testcases/sets/set_eval_0
+I: [EXECUTING]	././testcases/sets/sets_with_ifnames
+W: [FAILED]	././testcases/sets/sets_with_ifnames
+I: [EXECUTING]	././testcases/sets/typeof_raw_0
+W: [FAILED]	././testcases/sets/typeof_raw_0
+I: [EXECUTING]	././testcases/sets/typeof_sets_0
+W: [FAILED]	././testcases/sets/typeof_sets_0
+I: [EXECUTING]	././testcases/sets/typeof_sets_1
+I: [OK]		././testcases/sets/typeof_sets_1
+I: [EXECUTING]	././testcases/sets/typeof_sets_concat
+W: [FAILED]	././testcases/sets/typeof_sets_concat
+I: [EXECUTING]	././testcases/sets/type_set_symbol
+W: [FAILED]	././testcases/sets/type_set_symbol
+I: [EXECUTING]	././testcases/transactions/0001table_0
+I: [OK]		././testcases/transactions/0001table_0
+I: [EXECUTING]	././testcases/transactions/0002table_0
+I: [OK]		././testcases/transactions/0002table_0
+I: [EXECUTING]	././testcases/transactions/0003table_0
+I: [OK]		././testcases/transactions/0003table_0
+I: [EXECUTING]	././testcases/transactions/0010chain_0
+I: [OK]		././testcases/transactions/0010chain_0
+I: [EXECUTING]	././testcases/transactions/0011chain_0
+I: [OK]		././testcases/transactions/0011chain_0
+I: [EXECUTING]	././testcases/transactions/0012chain_0
+I: [OK]		././testcases/transactions/0012chain_0
+I: [EXECUTING]	././testcases/transactions/0013chain_0
+I: [OK]		././testcases/transactions/0013chain_0
+I: [EXECUTING]	././testcases/transactions/0014chain_1
+I: [OK]		././testcases/transactions/0014chain_1
+I: [EXECUTING]	././testcases/transactions/0015chain_0
+I: [OK]		././testcases/transactions/0015chain_0
+I: [EXECUTING]	././testcases/transactions/0020rule_0
+I: [OK]		././testcases/transactions/0020rule_0
+I: [EXECUTING]	././testcases/transactions/0021rule_0
+I: [OK]		././testcases/transactions/0021rule_0
+I: [EXECUTING]	././testcases/transactions/0022rule_1
+I: [OK]		././testcases/transactions/0022rule_1
+I: [EXECUTING]	././testcases/transactions/0023rule_1
+I: [OK]		././testcases/transactions/0023rule_1
+I: [EXECUTING]	././testcases/transactions/0024rule_0
+W: [DUMP FAIL]	././testcases/transactions/0024rule_0
+I: [EXECUTING]	././testcases/transactions/0025rule_0
+I: [OK]		././testcases/transactions/0025rule_0
+I: [EXECUTING]	././testcases/transactions/0030set_0
+I: [OK]		././testcases/transactions/0030set_0
+I: [EXECUTING]	././testcases/transactions/0031set_0
+I: [OK]		././testcases/transactions/0031set_0
+I: [EXECUTING]	././testcases/transactions/0032set_0
+I: [OK]		././testcases/transactions/0032set_0
+I: [EXECUTING]	././testcases/transactions/0033set_0
+I: [OK]		././testcases/transactions/0033set_0
+I: [EXECUTING]	././testcases/transactions/0034set_0
+I: [OK]		././testcases/transactions/0034set_0
+I: [EXECUTING]	././testcases/transactions/0035set_0
+I: [OK]		././testcases/transactions/0035set_0
+I: [EXECUTING]	././testcases/transactions/0036set_1
+I: [OK]		././testcases/transactions/0036set_1
+I: [EXECUTING]	././testcases/transactions/0037set_0
+I: [OK]		././testcases/transactions/0037set_0
+I: [EXECUTING]	././testcases/transactions/0038set_0
+I: [OK]		././testcases/transactions/0038set_0
+I: [EXECUTING]	././testcases/transactions/0039set_0
+I: [OK]		././testcases/transactions/0039set_0
+I: [EXECUTING]	././testcases/transactions/0040set_0
+I: [OK]		././testcases/transactions/0040set_0
+I: [EXECUTING]	././testcases/transactions/0041nat_restore_0
+I: [OK]		././testcases/transactions/0041nat_restore_0
+I: [EXECUTING]	././testcases/transactions/0042_stateful_expr_0
+I: [OK]		././testcases/transactions/0042_stateful_expr_0
+I: [EXECUTING]	././testcases/transactions/0043set_1
+I: [OK]		././testcases/transactions/0043set_1
+I: [EXECUTING]	././testcases/transactions/0044rule_0
+I: [OK]		././testcases/transactions/0044rule_0
+I: [EXECUTING]	././testcases/transactions/0045anon-unbind_0
+I: [OK]		././testcases/transactions/0045anon-unbind_0
+I: [EXECUTING]	././testcases/transactions/0046set_0
+I: [OK]		././testcases/transactions/0046set_0
+I: [EXECUTING]	././testcases/transactions/0047set_0
+I: [OK]		././testcases/transactions/0047set_0
+I: [EXECUTING]	././testcases/transactions/0048helpers_0
+I: [OK]		././testcases/transactions/0048helpers_0
+I: [EXECUTING]	././testcases/transactions/0049huge_0
+W: [FAILED]	././testcases/transactions/0049huge_0
+I: [EXECUTING]	././testcases/transactions/0050rule_1
+I: [OK]		././testcases/transactions/0050rule_1
+I: [EXECUTING]	././testcases/transactions/0051map_0
+I: [OK]		././testcases/transactions/0051map_0
+I: [EXECUTING]	././testcases/transactions/30s-stress
+W: [FAILED]	././testcases/transactions/30s-stress
+I: [EXECUTING]	././testcases/transactions/anon_chain_loop
+I: [OK]		././testcases/transactions/anon_chain_loop
+I: [EXECUTING]	././testcases/transactions/bad_expression
+I: [OK]		././testcases/transactions/bad_expression
+
+I: results: [OK] 246 [FAILED] 127 [TOTAL] 373
diff --git a/tests/shell/stable-log/log-4.19 b/tests/shell/stable-log/log-4.19
new file mode 100644
index 0000000..fd325cd
--- /dev/null
+++ b/tests/shell/stable-log/log-4.19
@@ -0,0 +1,750 @@
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_0
+W: [FAILED]	././testcases/bitwise/0040mark_binop_0
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_1
+W: [FAILED]	././testcases/bitwise/0040mark_binop_1
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_2
+W: [FAILED]	././testcases/bitwise/0040mark_binop_2
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_3
+W: [FAILED]	././testcases/bitwise/0040mark_binop_3
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_4
+W: [FAILED]	././testcases/bitwise/0040mark_binop_4
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_5
+W: [FAILED]	././testcases/bitwise/0040mark_binop_5
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_6
+W: [FAILED]	././testcases/bitwise/0040mark_binop_6
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_7
+W: [FAILED]	././testcases/bitwise/0040mark_binop_7
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_8
+W: [FAILED]	././testcases/bitwise/0040mark_binop_8
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_9
+W: [FAILED]	././testcases/bitwise/0040mark_binop_9
+I: [EXECUTING]	././testcases/bogons/assert_failures
+I: [OK]		././testcases/bogons/assert_failures
+I: [EXECUTING]	././testcases/cache/0001_cache_handling_0
+I: [OK]		././testcases/cache/0001_cache_handling_0
+I: [EXECUTING]	././testcases/cache/0002_interval_0
+I: [OK]		././testcases/cache/0002_interval_0
+I: [EXECUTING]	././testcases/cache/0003_cache_update_0
+I: [OK]		././testcases/cache/0003_cache_update_0
+I: [EXECUTING]	././testcases/cache/0004_cache_update_0
+I: [OK]		././testcases/cache/0004_cache_update_0
+I: [EXECUTING]	././testcases/cache/0005_cache_chain_flush
+I: [OK]		././testcases/cache/0005_cache_chain_flush
+I: [EXECUTING]	././testcases/cache/0006_cache_table_flush
+I: [OK]		././testcases/cache/0006_cache_table_flush
+I: [EXECUTING]	././testcases/cache/0007_echo_cache_init_0
+I: [OK]		././testcases/cache/0007_echo_cache_init_0
+I: [EXECUTING]	././testcases/cache/0008_delete_by_handle_0
+W: [FAILED]	././testcases/cache/0008_delete_by_handle_0
+I: [EXECUTING]	././testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]		././testcases/cache/0009_delete_by_handle_incorrect_0
+I: [EXECUTING]	././testcases/cache/0010_implicit_chain_0
+W: [FAILED]	././testcases/cache/0010_implicit_chain_0
+I: [EXECUTING]	././testcases/cache/0011_index_0
+W: [DUMP FAIL]	././testcases/cache/0011_index_0
+I: [EXECUTING]	././testcases/chains/0001jumps_0
+I: [OK]		././testcases/chains/0001jumps_0
+I: [EXECUTING]	././testcases/chains/0002jumps_1
+I: [OK]		././testcases/chains/0002jumps_1
+I: [EXECUTING]	././testcases/chains/0003jump_loop_1
+I: [OK]		././testcases/chains/0003jump_loop_1
+I: [EXECUTING]	././testcases/chains/0004busy_1
+I: [OK]		././testcases/chains/0004busy_1
+I: [EXECUTING]	././testcases/chains/0005busy_map_1
+I: [OK]		././testcases/chains/0005busy_map_1
+I: [EXECUTING]	././testcases/chains/0006masquerade_0
+I: [OK]		././testcases/chains/0006masquerade_0
+I: [EXECUTING]	././testcases/chains/0007masquerade_1
+I: [OK]		././testcases/chains/0007masquerade_1
+I: [EXECUTING]	././testcases/chains/0008masquerade_jump_1
+I: [OK]		././testcases/chains/0008masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0009masquerade_jump_1
+I: [OK]		././testcases/chains/0009masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0010endless_jump_loop_1
+I: [OK]		././testcases/chains/0010endless_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0011endless_jump_loop_1
+I: [OK]		././testcases/chains/0011endless_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0013rename_0
+I: [OK]		././testcases/chains/0013rename_0
+I: [EXECUTING]	././testcases/chains/0014rename_0
+I: [OK]		././testcases/chains/0014rename_0
+I: [EXECUTING]	././testcases/chains/0015check_jump_loop_1
+I: [OK]		././testcases/chains/0015check_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0016delete_handle_0
+I: [OK]		././testcases/chains/0016delete_handle_0
+I: [EXECUTING]	././testcases/chains/0017masquerade_jump_1
+I: [OK]		././testcases/chains/0017masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0018check_jump_loop_1
+I: [OK]		././testcases/chains/0018check_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0019masquerade_jump_1
+I: [OK]		././testcases/chains/0019masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0020depth_1
+I: [OK]		././testcases/chains/0020depth_1
+I: [EXECUTING]	././testcases/chains/0021prio_0
+W: [FAILED]	././testcases/chains/0021prio_0
+I: [EXECUTING]	././testcases/chains/0022prio_dummy_1
+I: [OK]		././testcases/chains/0022prio_dummy_1
+I: [EXECUTING]	././testcases/chains/0023prio_inet_srcnat_1
+I: [OK]		././testcases/chains/0023prio_inet_srcnat_1
+I: [EXECUTING]	././testcases/chains/0024prio_inet_dstnat_1
+I: [OK]		././testcases/chains/0024prio_inet_dstnat_1
+I: [EXECUTING]	././testcases/chains/0025prio_arp_1
+I: [OK]		././testcases/chains/0025prio_arp_1
+I: [EXECUTING]	././testcases/chains/0026prio_netdev_1
+I: [OK]		././testcases/chains/0026prio_netdev_1
+I: [EXECUTING]	././testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]		././testcases/chains/0027prio_bridge_dstnat_1
+I: [EXECUTING]	././testcases/chains/0028prio_bridge_out_1
+I: [OK]		././testcases/chains/0028prio_bridge_out_1
+I: [EXECUTING]	././testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]		././testcases/chains/0029prio_bridge_srcnat_1
+I: [EXECUTING]	././testcases/chains/0030create_0
+I: [OK]		././testcases/chains/0030create_0
+I: [EXECUTING]	././testcases/chains/0031priority_variable_0
+I: [OK]		././testcases/chains/0031priority_variable_0
+I: [EXECUTING]	././testcases/chains/0032priority_variable_0
+I: [OK]		././testcases/chains/0032priority_variable_0
+I: [EXECUTING]	././testcases/chains/0033priority_variable_1
+I: [OK]		././testcases/chains/0033priority_variable_1
+I: [EXECUTING]	././testcases/chains/0034priority_variable_1
+I: [OK]		././testcases/chains/0034priority_variable_1
+I: [EXECUTING]	././testcases/chains/0035policy_variable_0
+I: [OK]		././testcases/chains/0035policy_variable_0
+I: [EXECUTING]	././testcases/chains/0036policy_variable_0
+I: [OK]		././testcases/chains/0036policy_variable_0
+I: [EXECUTING]	././testcases/chains/0037policy_variable_1
+I: [OK]		././testcases/chains/0037policy_variable_1
+I: [EXECUTING]	././testcases/chains/0038policy_variable_1
+I: [OK]		././testcases/chains/0038policy_variable_1
+I: [EXECUTING]	././testcases/chains/0039negative_priority_0
+I: [OK]		././testcases/chains/0039negative_priority_0
+I: [EXECUTING]	././testcases/chains/0041chain_binding_0
+W: [FAILED]	././testcases/chains/0041chain_binding_0
+I: [EXECUTING]	././testcases/chains/0042chain_variable_0
+W: [FAILED]	././testcases/chains/0042chain_variable_0
+I: [EXECUTING]	././testcases/chains/0043chain_ingress_0
+W: [FAILED]	././testcases/chains/0043chain_ingress_0
+I: [EXECUTING]	././testcases/chains/0044chain_destroy_0
+W: [FAILED]	././testcases/chains/0044chain_destroy_0
+I: [EXECUTING]	././testcases/chains/netdev_chain_0
+W: [FAILED]	././testcases/chains/netdev_chain_0
+I: [EXECUTING]	././testcases/comments/comments_0
+I: [OK]		././testcases/comments/comments_0
+I: [EXECUTING]	././testcases/flowtable/0001flowtable_0
+I: [OK]		././testcases/flowtable/0001flowtable_0
+I: [EXECUTING]	././testcases/flowtable/0002create_flowtable_0
+I: [OK]		././testcases/flowtable/0002create_flowtable_0
+I: [EXECUTING]	././testcases/flowtable/0003add_after_flush_0
+I: [OK]		././testcases/flowtable/0003add_after_flush_0
+I: [EXECUTING]	././testcases/flowtable/0004delete_after_add_0
+I: [OK]		././testcases/flowtable/0004delete_after_add_0
+I: [EXECUTING]	././testcases/flowtable/0005delete_in_use_1
+I: [OK]		././testcases/flowtable/0005delete_in_use_1
+I: [EXECUTING]	././testcases/flowtable/0006segfault_0
+I: [OK]		././testcases/flowtable/0006segfault_0
+I: [EXECUTING]	././testcases/flowtable/0007prio_0
+I: [OK]		././testcases/flowtable/0007prio_0
+I: [EXECUTING]	././testcases/flowtable/0008prio_1
+I: [OK]		././testcases/flowtable/0008prio_1
+I: [EXECUTING]	././testcases/flowtable/0009deleteafterflush_0
+I: [OK]		././testcases/flowtable/0009deleteafterflush_0
+I: [EXECUTING]	././testcases/flowtable/0010delete_handle_0
+I: [OK]		././testcases/flowtable/0010delete_handle_0
+I: [EXECUTING]	././testcases/flowtable/0011deleteafterflush_0
+I: [OK]		././testcases/flowtable/0011deleteafterflush_0
+I: [EXECUTING]	././testcases/flowtable/0012flowtable_variable_0
+W: [DUMP FAIL]	././testcases/flowtable/0012flowtable_variable_0
+I: [EXECUTING]	././testcases/flowtable/0013addafterdelete_0
+W: [FAILED]	././testcases/flowtable/0013addafterdelete_0
+I: [EXECUTING]	././testcases/flowtable/0014addafterdelete_0
+W: [FAILED]	././testcases/flowtable/0014addafterdelete_0
+I: [EXECUTING]	././testcases/flowtable/0015destroy_0
+W: [FAILED]	././testcases/flowtable/0015destroy_0
+I: [EXECUTING]	././testcases/include/0001absolute_0
+I: [OK]		././testcases/include/0001absolute_0
+I: [EXECUTING]	././testcases/include/0002relative_0
+I: [OK]		././testcases/include/0002relative_0
+I: [EXECUTING]	././testcases/include/0003includepath_0
+I: [OK]		././testcases/include/0003includepath_0
+I: [EXECUTING]	././testcases/include/0004endlessloop_1
+I: [OK]		././testcases/include/0004endlessloop_1
+I: [EXECUTING]	././testcases/include/0005glob_empty_0
+I: [OK]		././testcases/include/0005glob_empty_0
+I: [EXECUTING]	././testcases/include/0006glob_single_0
+I: [OK]		././testcases/include/0006glob_single_0
+I: [EXECUTING]	././testcases/include/0007glob_double_0
+I: [OK]		././testcases/include/0007glob_double_0
+I: [EXECUTING]	././testcases/include/0008glob_nofile_wildcard_0
+I: [OK]		././testcases/include/0008glob_nofile_wildcard_0
+I: [EXECUTING]	././testcases/include/0009glob_nofile_1
+I: [OK]		././testcases/include/0009glob_nofile_1
+I: [EXECUTING]	././testcases/include/0010glob_broken_file_1
+I: [OK]		././testcases/include/0010glob_broken_file_1
+I: [EXECUTING]	././testcases/include/0011glob_dependency_0
+I: [OK]		././testcases/include/0011glob_dependency_0
+I: [EXECUTING]	././testcases/include/0012glob_dependency_1
+I: [OK]		././testcases/include/0012glob_dependency_1
+I: [EXECUTING]	././testcases/include/0013glob_dotfile_0
+I: [OK]		././testcases/include/0013glob_dotfile_0
+I: [EXECUTING]	././testcases/include/0013input_descriptors_included_files_0
+I: [OK]		././testcases/include/0013input_descriptors_included_files_0
+I: [EXECUTING]	././testcases/include/0014glob_directory_0
+I: [OK]		././testcases/include/0014glob_directory_0
+I: [EXECUTING]	././testcases/include/0015doubleincludepath_0
+I: [OK]		././testcases/include/0015doubleincludepath_0
+I: [EXECUTING]	././testcases/include/0016maxdepth_0
+I: [OK]		././testcases/include/0016maxdepth_0
+I: [EXECUTING]	././testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]		././testcases/include/0017glob_more_than_maxdepth_1
+I: [EXECUTING]	././testcases/include/0018include_error_0
+I: [OK]		././testcases/include/0018include_error_0
+I: [EXECUTING]	././testcases/include/0019include_error_0
+I: [OK]		././testcases/include/0019include_error_0
+I: [EXECUTING]	././testcases/include/0020include_chain_0
+I: [OK]		././testcases/include/0020include_chain_0
+I: [EXECUTING]	././testcases/json/0001set_statements_0
+W: [FAILED]	././testcases/json/0001set_statements_0
+I: [EXECUTING]	././testcases/json/0002table_map_0
+W: [FAILED]	././testcases/json/0002table_map_0
+I: [EXECUTING]	././testcases/json/0003json_schema_version_0
+I: [OK]		././testcases/json/0003json_schema_version_0
+I: [EXECUTING]	././testcases/json/0004json_schema_version_1
+I: [OK]		././testcases/json/0004json_schema_version_1
+I: [EXECUTING]	././testcases/json/0005secmark_objref_0
+W: [FAILED]	././testcases/json/0005secmark_objref_0
+I: [EXECUTING]	././testcases/json/0006obj_comment_0
+W: [DUMP FAIL]	././testcases/json/0006obj_comment_0
+I: [EXECUTING]	././testcases/json/netdev
+I: [OK]		././testcases/json/netdev
+I: [EXECUTING]	././testcases/listing/0001ruleset_0
+I: [OK]		././testcases/listing/0001ruleset_0
+I: [EXECUTING]	././testcases/listing/0002ruleset_0
+I: [OK]		././testcases/listing/0002ruleset_0
+I: [EXECUTING]	././testcases/listing/0003table_0
+I: [OK]		././testcases/listing/0003table_0
+I: [EXECUTING]	././testcases/listing/0004table_0
+I: [OK]		././testcases/listing/0004table_0
+I: [EXECUTING]	././testcases/listing/0005ruleset_ip_0
+I: [OK]		././testcases/listing/0005ruleset_ip_0
+I: [EXECUTING]	././testcases/listing/0006ruleset_ip6_0
+I: [OK]		././testcases/listing/0006ruleset_ip6_0
+I: [EXECUTING]	././testcases/listing/0007ruleset_inet_0
+I: [OK]		././testcases/listing/0007ruleset_inet_0
+I: [EXECUTING]	././testcases/listing/0008ruleset_arp_0
+I: [OK]		././testcases/listing/0008ruleset_arp_0
+I: [EXECUTING]	././testcases/listing/0009ruleset_bridge_0
+I: [OK]		././testcases/listing/0009ruleset_bridge_0
+I: [EXECUTING]	././testcases/listing/0010sets_0
+I: [OK]		././testcases/listing/0010sets_0
+I: [EXECUTING]	././testcases/listing/0011sets_0
+I: [OK]		././testcases/listing/0011sets_0
+I: [EXECUTING]	././testcases/listing/0012sets_0
+I: [OK]		././testcases/listing/0012sets_0
+I: [EXECUTING]	././testcases/listing/0013objects_0
+W: [FAILED]	././testcases/listing/0013objects_0
+I: [EXECUTING]	././testcases/listing/0014objects_0
+I: [OK]		././testcases/listing/0014objects_0
+I: [EXECUTING]	././testcases/listing/0015dynamic_0
+I: [OK]		././testcases/listing/0015dynamic_0
+I: [EXECUTING]	././testcases/listing/0016anonymous_0
+I: [OK]		././testcases/listing/0016anonymous_0
+I: [EXECUTING]	././testcases/listing/0017objects_0
+I: [OK]		././testcases/listing/0017objects_0
+I: [EXECUTING]	././testcases/listing/0018data_0
+I: [OK]		././testcases/listing/0018data_0
+I: [EXECUTING]	././testcases/listing/0019set_0
+I: [OK]		././testcases/listing/0019set_0
+I: [EXECUTING]	././testcases/listing/0020flowtable_0
+I: [OK]		././testcases/listing/0020flowtable_0
+I: [EXECUTING]	././testcases/listing/0021ruleset_json_terse_0
+I: [OK]		././testcases/listing/0021ruleset_json_terse_0
+I: [EXECUTING]	././testcases/listing/0022terse_0
+I: [OK]		././testcases/listing/0022terse_0
+I: [EXECUTING]	././testcases/maps/0003map_add_many_elements_0
+I: [OK]		././testcases/maps/0003map_add_many_elements_0
+I: [EXECUTING]	././testcases/maps/0004interval_map_create_once_0
+I: [OK]		././testcases/maps/0004interval_map_create_once_0
+I: [EXECUTING]	././testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]		././testcases/maps/0005interval_map_add_many_elements_0
+I: [EXECUTING]	././testcases/maps/0006interval_map_overlap_0
+I: [OK]		././testcases/maps/0006interval_map_overlap_0
+I: [EXECUTING]	././testcases/maps/0007named_ifname_dtype_0
+I: [OK]		././testcases/maps/0007named_ifname_dtype_0
+I: [EXECUTING]	././testcases/maps/0008interval_map_delete_0
+I: [OK]		././testcases/maps/0008interval_map_delete_0
+I: [EXECUTING]	././testcases/maps/0009vmap_0
+W: [DUMP FAIL]	././testcases/maps/0009vmap_0
+I: [EXECUTING]	././testcases/maps/0010concat_map_0
+W: [FAILED]	././testcases/maps/0010concat_map_0
+I: [EXECUTING]	././testcases/maps/0011vmap_0
+W: [FAILED]	././testcases/maps/0011vmap_0
+I: [EXECUTING]	././testcases/maps/0012map_0
+W: [FAILED]	././testcases/maps/0012map_0
+I: [EXECUTING]	././testcases/maps/0013map_0
+W: [FAILED]	././testcases/maps/0013map_0
+I: [EXECUTING]	././testcases/maps/0014destroy_0
+W: [FAILED]	././testcases/maps/0014destroy_0
+I: [EXECUTING]	././testcases/maps/0016map_leak_0
+I: [OK]		././testcases/maps/0016map_leak_0
+I: [EXECUTING]	././testcases/maps/0017_map_variable_0
+W: [FAILED]	././testcases/maps/0017_map_variable_0
+I: [EXECUTING]	././testcases/maps/0018map_leak_timeout_0
+I: [OK]		././testcases/maps/0018map_leak_timeout_0
+I: [EXECUTING]	././testcases/maps/anon_objmap_concat
+W: [FAILED]	././testcases/maps/anon_objmap_concat
+I: [EXECUTING]	././testcases/maps/anonymous_snat_map_0
+I: [OK]		././testcases/maps/anonymous_snat_map_0
+I: [EXECUTING]	././testcases/maps/different_map_types_1
+I: [OK]		././testcases/maps/different_map_types_1
+I: [EXECUTING]	././testcases/maps/map_catchall_double_deactivate
+W: [FAILED]	././testcases/maps/map_catchall_double_deactivate
+I: [EXECUTING]	././testcases/maps/map_with_flags_0
+I: [OK]		././testcases/maps/map_with_flags_0
+I: [EXECUTING]	././testcases/maps/named_snat_map_0
+I: [OK]		././testcases/maps/named_snat_map_0
+I: [EXECUTING]	././testcases/maps/nat_addr_port
+W: [FAILED]	././testcases/maps/nat_addr_port
+I: [EXECUTING]	././testcases/maps/typeof_integer_0
+W: [FAILED]	././testcases/maps/typeof_integer_0
+I: [EXECUTING]	././testcases/maps/typeof_maps_0
+W: [FAILED]	././testcases/maps/typeof_maps_0
+I: [EXECUTING]	././testcases/maps/typeof_maps_add_delete
+W: [FAILED]	././testcases/maps/typeof_maps_add_delete
+I: [EXECUTING]	././testcases/maps/typeof_maps_concat
+I: [OK]		././testcases/maps/typeof_maps_concat
+I: [EXECUTING]	././testcases/maps/typeof_maps_concat_update_0
+I: [OK]		././testcases/maps/typeof_maps_concat_update_0
+I: [EXECUTING]	././testcases/maps/typeof_maps_update_0
+I: [OK]		././testcases/maps/typeof_maps_update_0
+I: [EXECUTING]	././testcases/maps/typeof_raw_0
+W: [FAILED]	././testcases/maps/typeof_raw_0
+I: [EXECUTING]	././testcases/maps/vmap_timeout
+W: [FAILED]	././testcases/maps/vmap_timeout
+I: [EXECUTING]	././testcases/netns/0001nft-f_0
+I: [OK]		././testcases/netns/0001nft-f_0
+I: [EXECUTING]	././testcases/netns/0002loosecommands_0
+I: [OK]		././testcases/netns/0002loosecommands_0
+I: [EXECUTING]	././testcases/netns/0003many_0
+I: [OK]		././testcases/netns/0003many_0
+I: [EXECUTING]	././testcases/nft-f/0001define_slash_0
+I: [OK]		././testcases/nft-f/0001define_slash_0
+I: [EXECUTING]	././testcases/nft-f/0002rollback_rule_0
+I: [OK]		././testcases/nft-f/0002rollback_rule_0
+I: [EXECUTING]	././testcases/nft-f/0003rollback_jump_0
+I: [OK]		././testcases/nft-f/0003rollback_jump_0
+I: [EXECUTING]	././testcases/nft-f/0004rollback_set_0
+I: [OK]		././testcases/nft-f/0004rollback_set_0
+I: [EXECUTING]	././testcases/nft-f/0005rollback_map_0
+I: [OK]		././testcases/nft-f/0005rollback_map_0
+I: [EXECUTING]	././testcases/nft-f/0006action_object_0
+I: [OK]		././testcases/nft-f/0006action_object_0
+I: [EXECUTING]	././testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]		././testcases/nft-f/0007action_object_set_segfault_1
+I: [EXECUTING]	././testcases/nft-f/0008split_tables_0
+I: [OK]		././testcases/nft-f/0008split_tables_0
+I: [EXECUTING]	././testcases/nft-f/0009variable_0
+I: [OK]		././testcases/nft-f/0009variable_0
+I: [EXECUTING]	././testcases/nft-f/0010variable_0
+I: [OK]		././testcases/nft-f/0010variable_0
+I: [EXECUTING]	././testcases/nft-f/0011manydefines_0
+I: [OK]		././testcases/nft-f/0011manydefines_0
+I: [EXECUTING]	././testcases/nft-f/0012different_defines_0
+I: [OK]		././testcases/nft-f/0012different_defines_0
+I: [EXECUTING]	././testcases/nft-f/0013defines_1
+I: [OK]		././testcases/nft-f/0013defines_1
+I: [EXECUTING]	././testcases/nft-f/0014defines_1
+I: [OK]		././testcases/nft-f/0014defines_1
+I: [EXECUTING]	././testcases/nft-f/0015defines_1
+I: [OK]		././testcases/nft-f/0015defines_1
+I: [EXECUTING]	././testcases/nft-f/0016redefines_1
+I: [OK]		././testcases/nft-f/0016redefines_1
+I: [EXECUTING]	././testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]		././testcases/nft-f/0017ct_timeout_obj_0
+I: [EXECUTING]	././testcases/nft-f/0018ct_expectation_obj_0
+W: [FAILED]	././testcases/nft-f/0018ct_expectation_obj_0
+I: [EXECUTING]	././testcases/nft-f/0018jump_variable_0
+I: [OK]		././testcases/nft-f/0018jump_variable_0
+I: [EXECUTING]	././testcases/nft-f/0019jump_variable_1
+I: [OK]		././testcases/nft-f/0019jump_variable_1
+I: [EXECUTING]	././testcases/nft-f/0020jump_variable_1
+I: [OK]		././testcases/nft-f/0020jump_variable_1
+I: [EXECUTING]	././testcases/nft-f/0021list_ruleset_0
+I: [OK]		././testcases/nft-f/0021list_ruleset_0
+I: [EXECUTING]	././testcases/nft-f/0022variables_0
+I: [OK]		././testcases/nft-f/0022variables_0
+I: [EXECUTING]	././testcases/nft-f/0023check_1
+W: [FAILED]	././testcases/nft-f/0023check_1
+I: [EXECUTING]	././testcases/nft-f/0024priority_0
+I: [OK]		././testcases/nft-f/0024priority_0
+I: [EXECUTING]	././testcases/nft-f/0025empty_dynset_0
+W: [DUMP FAIL]	././testcases/nft-f/0025empty_dynset_0
+I: [EXECUTING]	././testcases/nft-f/0026listing_0
+I: [OK]		././testcases/nft-f/0026listing_0
+I: [EXECUTING]	././testcases/nft-f/0027split_chains_0
+I: [OK]		././testcases/nft-f/0027split_chains_0
+I: [EXECUTING]	././testcases/nft-f/0028variable_cmdline_0
+I: [OK]		././testcases/nft-f/0028variable_cmdline_0
+I: [EXECUTING]	././testcases/nft-f/0029split_file_0
+I: [OK]		././testcases/nft-f/0029split_file_0
+I: [EXECUTING]	././testcases/nft-f/0030variable_reuse_0
+I: [OK]		././testcases/nft-f/0030variable_reuse_0
+I: [EXECUTING]	././testcases/nft-f/0031vmap_string_0
+I: [OK]		././testcases/nft-f/0031vmap_string_0
+I: [EXECUTING]	././testcases/nft-f/0032pknock_0
+I: [OK]		././testcases/nft-f/0032pknock_0
+I: [EXECUTING]	././testcases/nft-i/0001define_0
+I: [OK]		././testcases/nft-i/0001define_0
+I: [EXECUTING]	././testcases/optimizations/dependency_kill
+I: [OK]		././testcases/optimizations/dependency_kill
+I: [EXECUTING]	././testcases/optimizations/merge_nat
+W: [FAILED]	././testcases/optimizations/merge_nat
+I: [EXECUTING]	././testcases/optimizations/merge_reject
+I: [OK]		././testcases/optimizations/merge_reject
+I: [EXECUTING]	././testcases/optimizations/merge_stmts
+I: [OK]		././testcases/optimizations/merge_stmts
+I: [EXECUTING]	././testcases/optimizations/merge_stmts_concat
+W: [FAILED]	././testcases/optimizations/merge_stmts_concat
+I: [EXECUTING]	././testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]		././testcases/optimizations/merge_stmts_concat_vmap
+I: [EXECUTING]	././testcases/optimizations/merge_stmts_vmap
+W: [DUMP FAIL]	././testcases/optimizations/merge_stmts_vmap
+I: [EXECUTING]	././testcases/optimizations/merge_vmap_raw
+W: [FAILED]	././testcases/optimizations/merge_vmap_raw
+I: [EXECUTING]	././testcases/optimizations/merge_vmaps
+W: [FAILED]	././testcases/optimizations/merge_vmaps
+I: [EXECUTING]	././testcases/optimizations/not_mergeable
+I: [OK]		././testcases/optimizations/not_mergeable
+I: [EXECUTING]	././testcases/optimizations/ruleset
+W: [FAILED]	././testcases/optimizations/ruleset
+I: [EXECUTING]	././testcases/optimizations/single_anon_set
+W: [DUMP FAIL]	././testcases/optimizations/single_anon_set
+I: [EXECUTING]	././testcases/optimizations/skip_merge
+I: [OK]		././testcases/optimizations/skip_merge
+I: [EXECUTING]	././testcases/optimizations/skip_non_eq
+I: [OK]		././testcases/optimizations/skip_non_eq
+I: [EXECUTING]	././testcases/optimizations/skip_unsupported
+I: [OK]		././testcases/optimizations/skip_unsupported
+I: [EXECUTING]	././testcases/optimizations/variables
+I: [OK]		././testcases/optimizations/variables
+I: [EXECUTING]	././testcases/optionals/comments_0
+I: [OK]		././testcases/optionals/comments_0
+I: [EXECUTING]	././testcases/optionals/comments_chain_0
+W: [DUMP FAIL]	././testcases/optionals/comments_chain_0
+I: [EXECUTING]	././testcases/optionals/comments_handles_0
+I: [OK]		././testcases/optionals/comments_handles_0
+I: [EXECUTING]	././testcases/optionals/comments_objects_0
+W: [FAILED]	././testcases/optionals/comments_objects_0
+I: [EXECUTING]	././testcases/optionals/comments_objects_dup_0
+I: [OK]		././testcases/optionals/comments_objects_dup_0
+I: [EXECUTING]	././testcases/optionals/comments_table_0
+W: [DUMP FAIL]	././testcases/optionals/comments_table_0
+I: [EXECUTING]	././testcases/optionals/delete_object_handles_0
+I: [OK]		././testcases/optionals/delete_object_handles_0
+I: [EXECUTING]	././testcases/optionals/handles_0
+I: [OK]		././testcases/optionals/handles_0
+I: [EXECUTING]	././testcases/optionals/handles_1
+I: [OK]		././testcases/optionals/handles_1
+I: [EXECUTING]	././testcases/optionals/log_prefix_0
+I: [OK]		././testcases/optionals/log_prefix_0
+I: [EXECUTING]	././testcases/optionals/update_object_handles_0
+W: [FAILED]	././testcases/optionals/update_object_handles_0
+I: [EXECUTING]	././testcases/owner/0001-flowtable-uaf
+W: [FAILED]	././testcases/owner/0001-flowtable-uaf
+I: [EXECUTING]	././testcases/parsing/describe
+I: [OK]		././testcases/parsing/describe
+I: [EXECUTING]	././testcases/parsing/large_rule_pipe
+I: [OK]		././testcases/parsing/large_rule_pipe
+I: [EXECUTING]	././testcases/parsing/log
+I: [OK]		././testcases/parsing/log
+I: [EXECUTING]	././testcases/parsing/octal
+I: [OK]		././testcases/parsing/octal
+I: [EXECUTING]	././testcases/rule_management/0001addinsertposition_0
+I: [OK]		././testcases/rule_management/0001addinsertposition_0
+I: [EXECUTING]	././testcases/rule_management/0002addinsertlocation_1
+I: [OK]		././testcases/rule_management/0002addinsertlocation_1
+I: [EXECUTING]	././testcases/rule_management/0003insert_0
+I: [OK]		././testcases/rule_management/0003insert_0
+I: [EXECUTING]	././testcases/rule_management/0004replace_0
+I: [OK]		././testcases/rule_management/0004replace_0
+I: [EXECUTING]	././testcases/rule_management/0005replace_1
+I: [OK]		././testcases/rule_management/0005replace_1
+I: [EXECUTING]	././testcases/rule_management/0006replace_1
+I: [OK]		././testcases/rule_management/0006replace_1
+I: [EXECUTING]	././testcases/rule_management/0007delete_0
+I: [OK]		././testcases/rule_management/0007delete_0
+I: [EXECUTING]	././testcases/rule_management/0008delete_1
+I: [OK]		././testcases/rule_management/0008delete_1
+I: [EXECUTING]	././testcases/rule_management/0009delete_1
+I: [OK]		././testcases/rule_management/0009delete_1
+I: [EXECUTING]	././testcases/rule_management/0010replace_0
+I: [OK]		././testcases/rule_management/0010replace_0
+I: [EXECUTING]	././testcases/rule_management/0011reset_0
+W: [FAILED]	././testcases/rule_management/0011reset_0
+I: [EXECUTING]	././testcases/rule_management/0012destroy_0
+W: [FAILED]	././testcases/rule_management/0012destroy_0
+I: [EXECUTING]	././testcases/sets/0001named_interval_0
+I: [OK]		././testcases/sets/0001named_interval_0
+I: [EXECUTING]	././testcases/sets/0002named_interval_automerging_0
+I: [OK]		././testcases/sets/0002named_interval_automerging_0
+I: [EXECUTING]	././testcases/sets/0003named_interval_missing_flag_0
+I: [OK]		././testcases/sets/0003named_interval_missing_flag_0
+I: [EXECUTING]	././testcases/sets/0004named_interval_shadow_0
+I: [OK]		././testcases/sets/0004named_interval_shadow_0
+I: [EXECUTING]	././testcases/sets/0005named_interval_shadow_0
+I: [OK]		././testcases/sets/0005named_interval_shadow_0
+I: [EXECUTING]	././testcases/sets/0006create_set_0
+I: [OK]		././testcases/sets/0006create_set_0
+I: [EXECUTING]	././testcases/sets/0007create_element_0
+I: [OK]		././testcases/sets/0007create_element_0
+I: [EXECUTING]	././testcases/sets/0008comments_interval_0
+I: [OK]		././testcases/sets/0008comments_interval_0
+I: [EXECUTING]	././testcases/sets/0008create_verdict_map_0
+I: [OK]		././testcases/sets/0008create_verdict_map_0
+I: [EXECUTING]	././testcases/sets/0009comments_timeout_0
+I: [OK]		././testcases/sets/0009comments_timeout_0
+I: [EXECUTING]	././testcases/sets/0010comments_0
+I: [OK]		././testcases/sets/0010comments_0
+I: [EXECUTING]	././testcases/sets/0011add_many_elements_0
+I: [OK]		././testcases/sets/0011add_many_elements_0
+I: [EXECUTING]	././testcases/sets/0012add_delete_many_elements_0
+I: [OK]		././testcases/sets/0012add_delete_many_elements_0
+I: [EXECUTING]	././testcases/sets/0013add_delete_many_elements_0
+I: [OK]		././testcases/sets/0013add_delete_many_elements_0
+I: [EXECUTING]	././testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]		././testcases/sets/0014malformed_set_is_not_defined_0
+I: [EXECUTING]	././testcases/sets/0015rulesetflush_0
+I: [OK]		././testcases/sets/0015rulesetflush_0
+I: [EXECUTING]	././testcases/sets/0016element_leak_0
+I: [OK]		././testcases/sets/0016element_leak_0
+I: [EXECUTING]	././testcases/sets/0017add_after_flush_0
+I: [OK]		././testcases/sets/0017add_after_flush_0
+I: [EXECUTING]	././testcases/sets/0018set_check_size_1
+I: [OK]		././testcases/sets/0018set_check_size_1
+I: [EXECUTING]	././testcases/sets/0019set_check_size_0
+I: [OK]		././testcases/sets/0019set_check_size_0
+I: [EXECUTING]	././testcases/sets/0020comments_0
+I: [OK]		././testcases/sets/0020comments_0
+I: [EXECUTING]	././testcases/sets/0021nesting_0
+I: [OK]		././testcases/sets/0021nesting_0
+I: [EXECUTING]	././testcases/sets/0022type_selective_flush_0
+I: [OK]		././testcases/sets/0022type_selective_flush_0
+I: [EXECUTING]	././testcases/sets/0023incomplete_add_set_command_0
+I: [OK]		././testcases/sets/0023incomplete_add_set_command_0
+I: [EXECUTING]	././testcases/sets/0024named_objects_0
+W: [FAILED]	././testcases/sets/0024named_objects_0
+I: [EXECUTING]	././testcases/sets/0025anonymous_set_0
+I: [OK]		././testcases/sets/0025anonymous_set_0
+I: [EXECUTING]	././testcases/sets/0026named_limit_0
+I: [OK]		././testcases/sets/0026named_limit_0
+I: [EXECUTING]	././testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]		././testcases/sets/0027ipv6_maps_ipv4_0
+I: [EXECUTING]	././testcases/sets/0028autoselect_0
+I: [OK]		././testcases/sets/0028autoselect_0
+I: [EXECUTING]	././testcases/sets/0028delete_handle_0
+I: [OK]		././testcases/sets/0028delete_handle_0
+I: [EXECUTING]	././testcases/sets/0029named_ifname_dtype_0
+I: [OK]		././testcases/sets/0029named_ifname_dtype_0
+I: [EXECUTING]	././testcases/sets/0030add_many_elements_interval_0
+I: [OK]		././testcases/sets/0030add_many_elements_interval_0
+I: [EXECUTING]	././testcases/sets/0031set_timeout_size_0
+I: [OK]		././testcases/sets/0031set_timeout_size_0
+I: [EXECUTING]	././testcases/sets/0032restore_set_simple_0
+I: [OK]		././testcases/sets/0032restore_set_simple_0
+I: [EXECUTING]	././testcases/sets/0033add_set_simple_flat_0
+I: [OK]		././testcases/sets/0033add_set_simple_flat_0
+I: [EXECUTING]	././testcases/sets/0034get_element_0
+W: [FAILED]	././testcases/sets/0034get_element_0
+I: [EXECUTING]	././testcases/sets/0035add_set_elements_flat_0
+I: [OK]		././testcases/sets/0035add_set_elements_flat_0
+I: [EXECUTING]	././testcases/sets/0036add_set_element_expiration_0
+W: [FAILED]	././testcases/sets/0036add_set_element_expiration_0
+I: [EXECUTING]	././testcases/sets/0037_set_with_inet_service_0
+I: [OK]		././testcases/sets/0037_set_with_inet_service_0
+I: [EXECUTING]	././testcases/sets/0038meter_list_0
+I: [OK]		././testcases/sets/0038meter_list_0
+I: [EXECUTING]	././testcases/sets/0039delete_interval_0
+I: [OK]		././testcases/sets/0039delete_interval_0
+I: [EXECUTING]	././testcases/sets/0040get_host_endian_elements_0
+I: [OK]		././testcases/sets/0040get_host_endian_elements_0
+I: [EXECUTING]	././testcases/sets/0041interval_0
+I: [OK]		././testcases/sets/0041interval_0
+I: [EXECUTING]	././testcases/sets/0042update_set_0
+I: [OK]		././testcases/sets/0042update_set_0
+I: [EXECUTING]	././testcases/sets/0043concatenated_ranges_0
+W: [FAILED]	././testcases/sets/0043concatenated_ranges_0
+I: [EXECUTING]	././testcases/sets/0043concatenated_ranges_1
+W: [FAILED]	././testcases/sets/0043concatenated_ranges_1
+I: [EXECUTING]	././testcases/sets/0044interval_overlap_0
+W: [FAILED]	././testcases/sets/0044interval_overlap_0
+I: [EXECUTING]	././testcases/sets/0044interval_overlap_1
+I: [OK]		././testcases/sets/0044interval_overlap_1
+I: [EXECUTING]	././testcases/sets/0045concat_ipv4_service
+I: [OK]		././testcases/sets/0045concat_ipv4_service
+I: [EXECUTING]	././testcases/sets/0046netmap_0
+W: [FAILED]	././testcases/sets/0046netmap_0
+I: [EXECUTING]	././testcases/sets/0047nat_0
+W: [FAILED]	././testcases/sets/0047nat_0
+I: [EXECUTING]	././testcases/sets/0048set_counters_0
+W: [DUMP FAIL]	././testcases/sets/0048set_counters_0
+I: [EXECUTING]	././testcases/sets/0049set_define_0
+I: [OK]		././testcases/sets/0049set_define_0
+I: [EXECUTING]	././testcases/sets/0050set_define_1
+I: [OK]		././testcases/sets/0050set_define_1
+I: [EXECUTING]	././testcases/sets/0051set_interval_counter_0
+W: [DUMP FAIL]	././testcases/sets/0051set_interval_counter_0
+I: [EXECUTING]	././testcases/sets/0052overlap_0
+I: [OK]		././testcases/sets/0052overlap_0
+I: [EXECUTING]	././testcases/sets/0053echo_0
+I: [OK]		././testcases/sets/0053echo_0
+I: [EXECUTING]	././testcases/sets/0054comments_set_0
+I: [OK]		././testcases/sets/0054comments_set_0
+I: [EXECUTING]	././testcases/sets/0055tcpflags_0
+I: [OK]		././testcases/sets/0055tcpflags_0
+I: [EXECUTING]	././testcases/sets/0056dynamic_limit_0
+I: [OK]		././testcases/sets/0056dynamic_limit_0
+I: [EXECUTING]	././testcases/sets/0057set_create_fails_0
+I: [OK]		././testcases/sets/0057set_create_fails_0
+I: [EXECUTING]	././testcases/sets/0058_setupdate_timeout_0
+W: [DUMP FAIL]	././testcases/sets/0058_setupdate_timeout_0
+I: [EXECUTING]	././testcases/sets/0059set_update_multistmt_0
+W: [FAILED]	././testcases/sets/0059set_update_multistmt_0
+I: [EXECUTING]	././testcases/sets/0060set_multistmt_0
+W: [FAILED]	././testcases/sets/0060set_multistmt_0
+I: [EXECUTING]	././testcases/sets/0060set_multistmt_1
+W: [FAILED]	././testcases/sets/0060set_multistmt_1
+I: [EXECUTING]	././testcases/sets/0061anonymous_automerge_0
+I: [OK]		././testcases/sets/0061anonymous_automerge_0
+I: [EXECUTING]	././testcases/sets/0062set_connlimit_0
+I: [OK]		././testcases/sets/0062set_connlimit_0
+I: [EXECUTING]	././testcases/sets/0063set_catchall_0
+W: [FAILED]	././testcases/sets/0063set_catchall_0
+I: [EXECUTING]	././testcases/sets/0064map_catchall_0
+W: [FAILED]	././testcases/sets/0064map_catchall_0
+I: [EXECUTING]	././testcases/sets/0065_icmp_postprocessing
+I: [OK]		././testcases/sets/0065_icmp_postprocessing
+I: [EXECUTING]	././testcases/sets/0067nat_concat_interval_0
+W: [FAILED]	././testcases/sets/0067nat_concat_interval_0
+I: [EXECUTING]	././testcases/sets/0068interval_stack_overflow_0
+I: [OK]		././testcases/sets/0068interval_stack_overflow_0
+I: [EXECUTING]	././testcases/sets/0069interval_merge_0
+I: [OK]		././testcases/sets/0069interval_merge_0
+I: [EXECUTING]	././testcases/sets/0070stacked_l2_headers
+I: [OK]		././testcases/sets/0070stacked_l2_headers
+I: [EXECUTING]	././testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]		././testcases/sets/0071unclosed_prefix_interval_0
+I: [EXECUTING]	././testcases/sets/0072destroy_0
+W: [FAILED]	././testcases/sets/0072destroy_0
+I: [EXECUTING]	././testcases/sets/automerge_0
+I: [OK]		././testcases/sets/automerge_0
+I: [EXECUTING]	././testcases/sets/collapse_elem_0
+I: [OK]		././testcases/sets/collapse_elem_0
+I: [EXECUTING]	././testcases/sets/concat_interval_0
+W: [FAILED]	././testcases/sets/concat_interval_0
+I: [EXECUTING]	././testcases/sets/dynset_missing
+W: [FAILED]	././testcases/sets/dynset_missing
+I: [EXECUTING]	././testcases/sets/errors_0
+I: [OK]		././testcases/sets/errors_0
+I: [EXECUTING]	././testcases/sets/exact_overlap_0
+I: [OK]		././testcases/sets/exact_overlap_0
+I: [EXECUTING]	././testcases/sets/inner_0
+W: [FAILED]	././testcases/sets/inner_0
+I: [EXECUTING]	././testcases/sets/reset_command_0
+W: [FAILED]	././testcases/sets/reset_command_0
+I: [EXECUTING]	././testcases/sets/set_eval_0
+I: [OK]		././testcases/sets/set_eval_0
+I: [EXECUTING]	././testcases/sets/sets_with_ifnames
+W: [FAILED]	././testcases/sets/sets_with_ifnames
+I: [EXECUTING]	././testcases/sets/typeof_raw_0
+W: [FAILED]	././testcases/sets/typeof_raw_0
+I: [EXECUTING]	././testcases/sets/typeof_sets_0
+W: [FAILED]	././testcases/sets/typeof_sets_0
+I: [EXECUTING]	././testcases/sets/typeof_sets_1
+I: [OK]		././testcases/sets/typeof_sets_1
+I: [EXECUTING]	././testcases/sets/typeof_sets_concat
+I: [OK]		././testcases/sets/typeof_sets_concat
+I: [EXECUTING]	././testcases/sets/type_set_symbol
+I: [OK]		././testcases/sets/type_set_symbol
+I: [EXECUTING]	././testcases/transactions/0001table_0
+I: [OK]		././testcases/transactions/0001table_0
+I: [EXECUTING]	././testcases/transactions/0002table_0
+I: [OK]		././testcases/transactions/0002table_0
+I: [EXECUTING]	././testcases/transactions/0003table_0
+I: [OK]		././testcases/transactions/0003table_0
+I: [EXECUTING]	././testcases/transactions/0010chain_0
+I: [OK]		././testcases/transactions/0010chain_0
+I: [EXECUTING]	././testcases/transactions/0011chain_0
+I: [OK]		././testcases/transactions/0011chain_0
+I: [EXECUTING]	././testcases/transactions/0012chain_0
+I: [OK]		././testcases/transactions/0012chain_0
+I: [EXECUTING]	././testcases/transactions/0013chain_0
+I: [OK]		././testcases/transactions/0013chain_0
+I: [EXECUTING]	././testcases/transactions/0014chain_1
+I: [OK]		././testcases/transactions/0014chain_1
+I: [EXECUTING]	././testcases/transactions/0015chain_0
+I: [OK]		././testcases/transactions/0015chain_0
+I: [EXECUTING]	././testcases/transactions/0020rule_0
+I: [OK]		././testcases/transactions/0020rule_0
+I: [EXECUTING]	././testcases/transactions/0021rule_0
+I: [OK]		././testcases/transactions/0021rule_0
+I: [EXECUTING]	././testcases/transactions/0022rule_1
+I: [OK]		././testcases/transactions/0022rule_1
+I: [EXECUTING]	././testcases/transactions/0023rule_1
+I: [OK]		././testcases/transactions/0023rule_1
+I: [EXECUTING]	././testcases/transactions/0024rule_0
+W: [DUMP FAIL]	././testcases/transactions/0024rule_0
+I: [EXECUTING]	././testcases/transactions/0025rule_0
+I: [OK]		././testcases/transactions/0025rule_0
+I: [EXECUTING]	././testcases/transactions/0030set_0
+I: [OK]		././testcases/transactions/0030set_0
+I: [EXECUTING]	././testcases/transactions/0031set_0
+I: [OK]		././testcases/transactions/0031set_0
+I: [EXECUTING]	././testcases/transactions/0032set_0
+I: [OK]		././testcases/transactions/0032set_0
+I: [EXECUTING]	././testcases/transactions/0033set_0
+I: [OK]		././testcases/transactions/0033set_0
+I: [EXECUTING]	././testcases/transactions/0034set_0
+I: [OK]		././testcases/transactions/0034set_0
+I: [EXECUTING]	././testcases/transactions/0035set_0
+I: [OK]		././testcases/transactions/0035set_0
+I: [EXECUTING]	././testcases/transactions/0036set_1
+I: [OK]		././testcases/transactions/0036set_1
+I: [EXECUTING]	././testcases/transactions/0037set_0
+I: [OK]		././testcases/transactions/0037set_0
+I: [EXECUTING]	././testcases/transactions/0038set_0
+I: [OK]		././testcases/transactions/0038set_0
+I: [EXECUTING]	././testcases/transactions/0039set_0
+I: [OK]		././testcases/transactions/0039set_0
+I: [EXECUTING]	././testcases/transactions/0040set_0
+I: [OK]		././testcases/transactions/0040set_0
+I: [EXECUTING]	././testcases/transactions/0041nat_restore_0
+I: [OK]		././testcases/transactions/0041nat_restore_0
+I: [EXECUTING]	././testcases/transactions/0042_stateful_expr_0
+I: [OK]		././testcases/transactions/0042_stateful_expr_0
+I: [EXECUTING]	././testcases/transactions/0043set_1
+I: [OK]		././testcases/transactions/0043set_1
+I: [EXECUTING]	././testcases/transactions/0044rule_0
+I: [OK]		././testcases/transactions/0044rule_0
+I: [EXECUTING]	././testcases/transactions/0045anon-unbind_0
+I: [OK]		././testcases/transactions/0045anon-unbind_0
+I: [EXECUTING]	././testcases/transactions/0046set_0
+I: [OK]		././testcases/transactions/0046set_0
+I: [EXECUTING]	././testcases/transactions/0047set_0
+I: [OK]		././testcases/transactions/0047set_0
+I: [EXECUTING]	././testcases/transactions/0048helpers_0
+I: [OK]		././testcases/transactions/0048helpers_0
+I: [EXECUTING]	././testcases/transactions/0049huge_0
+I: [OK]		././testcases/transactions/0049huge_0
+I: [EXECUTING]	././testcases/transactions/0050rule_1
+I: [OK]		././testcases/transactions/0050rule_1
+I: [EXECUTING]	././testcases/transactions/0051map_0
+I: [OK]		././testcases/transactions/0051map_0
+I: [EXECUTING]	././testcases/transactions/30s-stress
+I: [OK]		././testcases/transactions/30s-stress
+I: [EXECUTING]	././testcases/transactions/anon_chain_loop
+I: [OK]		././testcases/transactions/anon_chain_loop
+I: [EXECUTING]	././testcases/transactions/bad_expression
+I: [OK]		././testcases/transactions/bad_expression
+
+I: results: [OK] 287 [FAILED] 86 [TOTAL] 373
diff --git a/tests/shell/stable-log/log-5.10 b/tests/shell/stable-log/log-5.10
new file mode 100644
index 0000000..51fc992
--- /dev/null
+++ b/tests/shell/stable-log/log-5.10
@@ -0,0 +1,754 @@
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_0
+I: [OK]		././testcases/bitwise/0040mark_binop_0
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_1
+I: [OK]		././testcases/bitwise/0040mark_binop_1
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_2
+I: [OK]		././testcases/bitwise/0040mark_binop_2
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_3
+I: [OK]		././testcases/bitwise/0040mark_binop_3
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_4
+I: [OK]		././testcases/bitwise/0040mark_binop_4
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_5
+I: [OK]		././testcases/bitwise/0040mark_binop_5
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_6
+I: [OK]		././testcases/bitwise/0040mark_binop_6
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_7
+I: [OK]		././testcases/bitwise/0040mark_binop_7
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_8
+I: [OK]		././testcases/bitwise/0040mark_binop_8
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_9
+I: [OK]		././testcases/bitwise/0040mark_binop_9
+I: [EXECUTING]	././testcases/bogons/assert_failures
+I: [OK]		././testcases/bogons/assert_failures
+I: [EXECUTING]	././testcases/cache/0001_cache_handling_0
+I: [OK]		././testcases/cache/0001_cache_handling_0
+I: [EXECUTING]	././testcases/cache/0002_interval_0
+I: [OK]		././testcases/cache/0002_interval_0
+I: [EXECUTING]	././testcases/cache/0003_cache_update_0
+I: [OK]		././testcases/cache/0003_cache_update_0
+I: [EXECUTING]	././testcases/cache/0004_cache_update_0
+I: [OK]		././testcases/cache/0004_cache_update_0
+I: [EXECUTING]	././testcases/cache/0005_cache_chain_flush
+I: [OK]		././testcases/cache/0005_cache_chain_flush
+I: [EXECUTING]	././testcases/cache/0006_cache_table_flush
+I: [OK]		././testcases/cache/0006_cache_table_flush
+I: [EXECUTING]	././testcases/cache/0007_echo_cache_init_0
+I: [OK]		././testcases/cache/0007_echo_cache_init_0
+I: [EXECUTING]	././testcases/cache/0008_delete_by_handle_0
+I: [OK]		././testcases/cache/0008_delete_by_handle_0
+I: [EXECUTING]	././testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]		././testcases/cache/0009_delete_by_handle_incorrect_0
+I: [EXECUTING]	././testcases/cache/0010_implicit_chain_0
+I: [OK]		././testcases/cache/0010_implicit_chain_0
+I: [EXECUTING]	././testcases/cache/0011_index_0
+I: [OK]		././testcases/cache/0011_index_0
+I: [EXECUTING]	././testcases/chains/0001jumps_0
+I: [OK]		././testcases/chains/0001jumps_0
+I: [EXECUTING]	././testcases/chains/0002jumps_1
+I: [OK]		././testcases/chains/0002jumps_1
+I: [EXECUTING]	././testcases/chains/0003jump_loop_1
+I: [OK]		././testcases/chains/0003jump_loop_1
+I: [EXECUTING]	././testcases/chains/0004busy_1
+I: [OK]		././testcases/chains/0004busy_1
+I: [EXECUTING]	././testcases/chains/0005busy_map_1
+I: [OK]		././testcases/chains/0005busy_map_1
+I: [EXECUTING]	././testcases/chains/0006masquerade_0
+I: [OK]		././testcases/chains/0006masquerade_0
+I: [EXECUTING]	././testcases/chains/0007masquerade_1
+I: [OK]		././testcases/chains/0007masquerade_1
+I: [EXECUTING]	././testcases/chains/0008masquerade_jump_1
+I: [OK]		././testcases/chains/0008masquerade_jump_1
+W: [FAILED]	kmemleak detected 5510 memory leaks
+I: [EXECUTING]	././testcases/chains/0009masquerade_jump_1
+I: [OK]		././testcases/chains/0009masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0010endless_jump_loop_1
+I: [OK]		././testcases/chains/0010endless_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0011endless_jump_loop_1
+I: [OK]		././testcases/chains/0011endless_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0013rename_0
+I: [OK]		././testcases/chains/0013rename_0
+I: [EXECUTING]	././testcases/chains/0014rename_0
+I: [OK]		././testcases/chains/0014rename_0
+I: [EXECUTING]	././testcases/chains/0015check_jump_loop_1
+I: [OK]		././testcases/chains/0015check_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0016delete_handle_0
+I: [OK]		././testcases/chains/0016delete_handle_0
+I: [EXECUTING]	././testcases/chains/0017masquerade_jump_1
+I: [OK]		././testcases/chains/0017masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0018check_jump_loop_1
+I: [OK]		././testcases/chains/0018check_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0019masquerade_jump_1
+I: [OK]		././testcases/chains/0019masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0020depth_1
+I: [OK]		././testcases/chains/0020depth_1
+I: [EXECUTING]	././testcases/chains/0021prio_0
+W: [FAILED]	././testcases/chains/0021prio_0
+I: [EXECUTING]	././testcases/chains/0022prio_dummy_1
+I: [OK]		././testcases/chains/0022prio_dummy_1
+I: [EXECUTING]	././testcases/chains/0023prio_inet_srcnat_1
+I: [OK]		././testcases/chains/0023prio_inet_srcnat_1
+I: [EXECUTING]	././testcases/chains/0024prio_inet_dstnat_1
+I: [OK]		././testcases/chains/0024prio_inet_dstnat_1
+I: [EXECUTING]	././testcases/chains/0025prio_arp_1
+I: [OK]		././testcases/chains/0025prio_arp_1
+I: [EXECUTING]	././testcases/chains/0026prio_netdev_1
+I: [OK]		././testcases/chains/0026prio_netdev_1
+I: [EXECUTING]	././testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]		././testcases/chains/0027prio_bridge_dstnat_1
+I: [EXECUTING]	././testcases/chains/0028prio_bridge_out_1
+I: [OK]		././testcases/chains/0028prio_bridge_out_1
+I: [EXECUTING]	././testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]		././testcases/chains/0029prio_bridge_srcnat_1
+I: [EXECUTING]	././testcases/chains/0030create_0
+I: [OK]		././testcases/chains/0030create_0
+I: [EXECUTING]	././testcases/chains/0031priority_variable_0
+I: [OK]		././testcases/chains/0031priority_variable_0
+I: [EXECUTING]	././testcases/chains/0032priority_variable_0
+I: [OK]		././testcases/chains/0032priority_variable_0
+I: [EXECUTING]	././testcases/chains/0033priority_variable_1
+I: [OK]		././testcases/chains/0033priority_variable_1
+I: [EXECUTING]	././testcases/chains/0034priority_variable_1
+I: [OK]		././testcases/chains/0034priority_variable_1
+I: [EXECUTING]	././testcases/chains/0035policy_variable_0
+I: [OK]		././testcases/chains/0035policy_variable_0
+I: [EXECUTING]	././testcases/chains/0036policy_variable_0
+I: [OK]		././testcases/chains/0036policy_variable_0
+I: [EXECUTING]	././testcases/chains/0037policy_variable_1
+I: [OK]		././testcases/chains/0037policy_variable_1
+I: [EXECUTING]	././testcases/chains/0038policy_variable_1
+I: [OK]		././testcases/chains/0038policy_variable_1
+I: [EXECUTING]	././testcases/chains/0039negative_priority_0
+I: [OK]		././testcases/chains/0039negative_priority_0
+W: [FAILED]	kmemleak detected 0 memory leaks
+I: [EXECUTING]	././testcases/chains/0041chain_binding_0
+I: [OK]		././testcases/chains/0041chain_binding_0
+I: [EXECUTING]	././testcases/chains/0042chain_variable_0
+W: [FAILED]	././testcases/chains/0042chain_variable_0
+I: [EXECUTING]	././testcases/chains/0043chain_ingress_0
+I: [OK]		././testcases/chains/0043chain_ingress_0
+W: [FAILED]	kernel is tainted: 0  -> 512
+I: [EXECUTING]	././testcases/chains/0044chain_destroy_0
+W: [FAILED]	././testcases/chains/0044chain_destroy_0
+I: [EXECUTING]	././testcases/chains/netdev_chain_0
+W: [FAILED]	././testcases/chains/netdev_chain_0
+I: [EXECUTING]	././testcases/comments/comments_0
+I: [OK]		././testcases/comments/comments_0
+I: [EXECUTING]	././testcases/flowtable/0001flowtable_0
+I: [OK]		././testcases/flowtable/0001flowtable_0
+I: [EXECUTING]	././testcases/flowtable/0002create_flowtable_0
+I: [OK]		././testcases/flowtable/0002create_flowtable_0
+I: [EXECUTING]	././testcases/flowtable/0003add_after_flush_0
+I: [OK]		././testcases/flowtable/0003add_after_flush_0
+I: [EXECUTING]	././testcases/flowtable/0004delete_after_add_0
+I: [OK]		././testcases/flowtable/0004delete_after_add_0
+I: [EXECUTING]	././testcases/flowtable/0005delete_in_use_1
+I: [OK]		././testcases/flowtable/0005delete_in_use_1
+I: [EXECUTING]	././testcases/flowtable/0006segfault_0
+I: [OK]		././testcases/flowtable/0006segfault_0
+I: [EXECUTING]	././testcases/flowtable/0007prio_0
+I: [OK]		././testcases/flowtable/0007prio_0
+I: [EXECUTING]	././testcases/flowtable/0008prio_1
+I: [OK]		././testcases/flowtable/0008prio_1
+I: [EXECUTING]	././testcases/flowtable/0009deleteafterflush_0
+I: [OK]		././testcases/flowtable/0009deleteafterflush_0
+I: [EXECUTING]	././testcases/flowtable/0010delete_handle_0
+I: [OK]		././testcases/flowtable/0010delete_handle_0
+I: [EXECUTING]	././testcases/flowtable/0011deleteafterflush_0
+I: [OK]		././testcases/flowtable/0011deleteafterflush_0
+I: [EXECUTING]	././testcases/flowtable/0012flowtable_variable_0
+I: [OK]		././testcases/flowtable/0012flowtable_variable_0
+I: [EXECUTING]	././testcases/flowtable/0013addafterdelete_0
+I: [OK]		././testcases/flowtable/0013addafterdelete_0
+I: [EXECUTING]	././testcases/flowtable/0014addafterdelete_0
+I: [OK]		././testcases/flowtable/0014addafterdelete_0
+I: [EXECUTING]	././testcases/flowtable/0015destroy_0
+W: [FAILED]	././testcases/flowtable/0015destroy_0
+I: [EXECUTING]	././testcases/include/0001absolute_0
+I: [OK]		././testcases/include/0001absolute_0
+I: [EXECUTING]	././testcases/include/0002relative_0
+I: [OK]		././testcases/include/0002relative_0
+I: [EXECUTING]	././testcases/include/0003includepath_0
+I: [OK]		././testcases/include/0003includepath_0
+I: [EXECUTING]	././testcases/include/0004endlessloop_1
+I: [OK]		././testcases/include/0004endlessloop_1
+I: [EXECUTING]	././testcases/include/0005glob_empty_0
+I: [OK]		././testcases/include/0005glob_empty_0
+I: [EXECUTING]	././testcases/include/0006glob_single_0
+I: [OK]		././testcases/include/0006glob_single_0
+I: [EXECUTING]	././testcases/include/0007glob_double_0
+I: [OK]		././testcases/include/0007glob_double_0
+I: [EXECUTING]	././testcases/include/0008glob_nofile_wildcard_0
+I: [OK]		././testcases/include/0008glob_nofile_wildcard_0
+I: [EXECUTING]	././testcases/include/0009glob_nofile_1
+I: [OK]		././testcases/include/0009glob_nofile_1
+I: [EXECUTING]	././testcases/include/0010glob_broken_file_1
+I: [OK]		././testcases/include/0010glob_broken_file_1
+I: [EXECUTING]	././testcases/include/0011glob_dependency_0
+I: [OK]		././testcases/include/0011glob_dependency_0
+I: [EXECUTING]	././testcases/include/0012glob_dependency_1
+I: [OK]		././testcases/include/0012glob_dependency_1
+I: [EXECUTING]	././testcases/include/0013glob_dotfile_0
+I: [OK]		././testcases/include/0013glob_dotfile_0
+I: [EXECUTING]	././testcases/include/0013input_descriptors_included_files_0
+I: [OK]		././testcases/include/0013input_descriptors_included_files_0
+I: [EXECUTING]	././testcases/include/0014glob_directory_0
+I: [OK]		././testcases/include/0014glob_directory_0
+I: [EXECUTING]	././testcases/include/0015doubleincludepath_0
+I: [OK]		././testcases/include/0015doubleincludepath_0
+I: [EXECUTING]	././testcases/include/0016maxdepth_0
+I: [OK]		././testcases/include/0016maxdepth_0
+I: [EXECUTING]	././testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]		././testcases/include/0017glob_more_than_maxdepth_1
+I: [EXECUTING]	././testcases/include/0018include_error_0
+I: [OK]		././testcases/include/0018include_error_0
+I: [EXECUTING]	././testcases/include/0019include_error_0
+I: [OK]		././testcases/include/0019include_error_0
+I: [EXECUTING]	././testcases/include/0020include_chain_0
+I: [OK]		././testcases/include/0020include_chain_0
+I: [EXECUTING]	././testcases/json/0001set_statements_0
+I: [OK]		././testcases/json/0001set_statements_0
+I: [EXECUTING]	././testcases/json/0002table_map_0
+I: [OK]		././testcases/json/0002table_map_0
+I: [EXECUTING]	././testcases/json/0003json_schema_version_0
+I: [OK]		././testcases/json/0003json_schema_version_0
+I: [EXECUTING]	././testcases/json/0004json_schema_version_1
+I: [OK]		././testcases/json/0004json_schema_version_1
+I: [EXECUTING]	././testcases/json/0005secmark_objref_0
+I: [OK]		././testcases/json/0005secmark_objref_0
+I: [EXECUTING]	././testcases/json/0006obj_comment_0
+I: [OK]		././testcases/json/0006obj_comment_0
+I: [EXECUTING]	././testcases/json/netdev
+I: [OK]		././testcases/json/netdev
+I: [EXECUTING]	././testcases/listing/0001ruleset_0
+I: [OK]		././testcases/listing/0001ruleset_0
+I: [EXECUTING]	././testcases/listing/0002ruleset_0
+I: [OK]		././testcases/listing/0002ruleset_0
+I: [EXECUTING]	././testcases/listing/0003table_0
+I: [OK]		././testcases/listing/0003table_0
+I: [EXECUTING]	././testcases/listing/0004table_0
+I: [OK]		././testcases/listing/0004table_0
+I: [EXECUTING]	././testcases/listing/0005ruleset_ip_0
+I: [OK]		././testcases/listing/0005ruleset_ip_0
+I: [EXECUTING]	././testcases/listing/0006ruleset_ip6_0
+I: [OK]		././testcases/listing/0006ruleset_ip6_0
+I: [EXECUTING]	././testcases/listing/0007ruleset_inet_0
+I: [OK]		././testcases/listing/0007ruleset_inet_0
+I: [EXECUTING]	././testcases/listing/0008ruleset_arp_0
+I: [OK]		././testcases/listing/0008ruleset_arp_0
+I: [EXECUTING]	././testcases/listing/0009ruleset_bridge_0
+I: [OK]		././testcases/listing/0009ruleset_bridge_0
+I: [EXECUTING]	././testcases/listing/0010sets_0
+I: [OK]		././testcases/listing/0010sets_0
+I: [EXECUTING]	././testcases/listing/0011sets_0
+I: [OK]		././testcases/listing/0011sets_0
+I: [EXECUTING]	././testcases/listing/0012sets_0
+I: [OK]		././testcases/listing/0012sets_0
+I: [EXECUTING]	././testcases/listing/0013objects_0
+I: [OK]		././testcases/listing/0013objects_0
+I: [EXECUTING]	././testcases/listing/0014objects_0
+I: [OK]		././testcases/listing/0014objects_0
+I: [EXECUTING]	././testcases/listing/0015dynamic_0
+I: [OK]		././testcases/listing/0015dynamic_0
+I: [EXECUTING]	././testcases/listing/0016anonymous_0
+I: [OK]		././testcases/listing/0016anonymous_0
+I: [EXECUTING]	././testcases/listing/0017objects_0
+I: [OK]		././testcases/listing/0017objects_0
+I: [EXECUTING]	././testcases/listing/0018data_0
+I: [OK]		././testcases/listing/0018data_0
+I: [EXECUTING]	././testcases/listing/0019set_0
+I: [OK]		././testcases/listing/0019set_0
+I: [EXECUTING]	././testcases/listing/0020flowtable_0
+I: [OK]		././testcases/listing/0020flowtable_0
+I: [EXECUTING]	././testcases/listing/0021ruleset_json_terse_0
+I: [OK]		././testcases/listing/0021ruleset_json_terse_0
+I: [EXECUTING]	././testcases/listing/0022terse_0
+I: [OK]		././testcases/listing/0022terse_0
+I: [EXECUTING]	././testcases/maps/0003map_add_many_elements_0
+I: [OK]		././testcases/maps/0003map_add_many_elements_0
+I: [EXECUTING]	././testcases/maps/0004interval_map_create_once_0
+I: [OK]		././testcases/maps/0004interval_map_create_once_0
+I: [EXECUTING]	././testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]		././testcases/maps/0005interval_map_add_many_elements_0
+I: [EXECUTING]	././testcases/maps/0006interval_map_overlap_0
+I: [OK]		././testcases/maps/0006interval_map_overlap_0
+I: [EXECUTING]	././testcases/maps/0007named_ifname_dtype_0
+I: [OK]		././testcases/maps/0007named_ifname_dtype_0
+I: [EXECUTING]	././testcases/maps/0008interval_map_delete_0
+I: [OK]		././testcases/maps/0008interval_map_delete_0
+I: [EXECUTING]	././testcases/maps/0009vmap_0
+I: [OK]		././testcases/maps/0009vmap_0
+I: [EXECUTING]	././testcases/maps/0010concat_map_0
+I: [OK]		././testcases/maps/0010concat_map_0
+I: [EXECUTING]	././testcases/maps/0011vmap_0
+W: [FAILED]	././testcases/maps/0011vmap_0
+I: [EXECUTING]	././testcases/maps/0012map_0
+I: [OK]		././testcases/maps/0012map_0
+I: [EXECUTING]	././testcases/maps/0013map_0
+I: [OK]		././testcases/maps/0013map_0
+I: [EXECUTING]	././testcases/maps/0014destroy_0
+W: [FAILED]	././testcases/maps/0014destroy_0
+I: [EXECUTING]	././testcases/maps/0016map_leak_0
+I: [OK]		././testcases/maps/0016map_leak_0
+I: [EXECUTING]	././testcases/maps/0017_map_variable_0
+W: [FAILED]	././testcases/maps/0017_map_variable_0
+I: [EXECUTING]	././testcases/maps/0018map_leak_timeout_0
+I: [OK]		././testcases/maps/0018map_leak_timeout_0
+I: [EXECUTING]	././testcases/maps/anon_objmap_concat
+I: [OK]		././testcases/maps/anon_objmap_concat
+I: [EXECUTING]	././testcases/maps/anonymous_snat_map_0
+I: [OK]		././testcases/maps/anonymous_snat_map_0
+I: [EXECUTING]	././testcases/maps/different_map_types_1
+I: [OK]		././testcases/maps/different_map_types_1
+I: [EXECUTING]	././testcases/maps/map_catchall_double_deactivate
+W: [FAILED]	././testcases/maps/map_catchall_double_deactivate
+I: [EXECUTING]	././testcases/maps/map_with_flags_0
+I: [OK]		././testcases/maps/map_with_flags_0
+I: [EXECUTING]	././testcases/maps/named_snat_map_0
+I: [OK]		././testcases/maps/named_snat_map_0
+I: [EXECUTING]	././testcases/maps/nat_addr_port
+I: [OK]		././testcases/maps/nat_addr_port
+I: [EXECUTING]	././testcases/maps/typeof_integer_0
+W: [FAILED]	././testcases/maps/typeof_integer_0
+I: [EXECUTING]	././testcases/maps/typeof_maps_0
+I: [OK]		././testcases/maps/typeof_maps_0
+I: [EXECUTING]	././testcases/maps/typeof_maps_add_delete
+W: [FAILED]	././testcases/maps/typeof_maps_add_delete
+I: [EXECUTING]	././testcases/maps/typeof_maps_concat
+I: [OK]		././testcases/maps/typeof_maps_concat
+I: [EXECUTING]	././testcases/maps/typeof_maps_concat_update_0
+I: [OK]		././testcases/maps/typeof_maps_concat_update_0
+I: [EXECUTING]	././testcases/maps/typeof_maps_update_0
+I: [OK]		././testcases/maps/typeof_maps_update_0
+I: [EXECUTING]	././testcases/maps/typeof_raw_0
+W: [FAILED]	././testcases/maps/typeof_raw_0
+I: [EXECUTING]	././testcases/maps/vmap_timeout
+W: [FAILED]	././testcases/maps/vmap_timeout
+I: [EXECUTING]	././testcases/netns/0001nft-f_0
+I: [OK]		././testcases/netns/0001nft-f_0
+I: [EXECUTING]	././testcases/netns/0002loosecommands_0
+I: [OK]		././testcases/netns/0002loosecommands_0
+I: [EXECUTING]	././testcases/netns/0003many_0
+I: [OK]		././testcases/netns/0003many_0
+I: [EXECUTING]	././testcases/nft-f/0001define_slash_0
+I: [OK]		././testcases/nft-f/0001define_slash_0
+I: [EXECUTING]	././testcases/nft-f/0002rollback_rule_0
+I: [OK]		././testcases/nft-f/0002rollback_rule_0
+I: [EXECUTING]	././testcases/nft-f/0003rollback_jump_0
+I: [OK]		././testcases/nft-f/0003rollback_jump_0
+I: [EXECUTING]	././testcases/nft-f/0004rollback_set_0
+I: [OK]		././testcases/nft-f/0004rollback_set_0
+I: [EXECUTING]	././testcases/nft-f/0005rollback_map_0
+I: [OK]		././testcases/nft-f/0005rollback_map_0
+I: [EXECUTING]	././testcases/nft-f/0006action_object_0
+I: [OK]		././testcases/nft-f/0006action_object_0
+I: [EXECUTING]	././testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]		././testcases/nft-f/0007action_object_set_segfault_1
+I: [EXECUTING]	././testcases/nft-f/0008split_tables_0
+I: [OK]		././testcases/nft-f/0008split_tables_0
+I: [EXECUTING]	././testcases/nft-f/0009variable_0
+I: [OK]		././testcases/nft-f/0009variable_0
+I: [EXECUTING]	././testcases/nft-f/0010variable_0
+I: [OK]		././testcases/nft-f/0010variable_0
+I: [EXECUTING]	././testcases/nft-f/0011manydefines_0
+I: [OK]		././testcases/nft-f/0011manydefines_0
+I: [EXECUTING]	././testcases/nft-f/0012different_defines_0
+I: [OK]		././testcases/nft-f/0012different_defines_0
+I: [EXECUTING]	././testcases/nft-f/0013defines_1
+I: [OK]		././testcases/nft-f/0013defines_1
+I: [EXECUTING]	././testcases/nft-f/0014defines_1
+I: [OK]		././testcases/nft-f/0014defines_1
+I: [EXECUTING]	././testcases/nft-f/0015defines_1
+I: [OK]		././testcases/nft-f/0015defines_1
+I: [EXECUTING]	././testcases/nft-f/0016redefines_1
+I: [OK]		././testcases/nft-f/0016redefines_1
+I: [EXECUTING]	././testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]		././testcases/nft-f/0017ct_timeout_obj_0
+I: [EXECUTING]	././testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]		././testcases/nft-f/0018ct_expectation_obj_0
+I: [EXECUTING]	././testcases/nft-f/0018jump_variable_0
+I: [OK]		././testcases/nft-f/0018jump_variable_0
+I: [EXECUTING]	././testcases/nft-f/0019jump_variable_1
+I: [OK]		././testcases/nft-f/0019jump_variable_1
+I: [EXECUTING]	././testcases/nft-f/0020jump_variable_1
+I: [OK]		././testcases/nft-f/0020jump_variable_1
+I: [EXECUTING]	././testcases/nft-f/0021list_ruleset_0
+I: [OK]		././testcases/nft-f/0021list_ruleset_0
+I: [EXECUTING]	././testcases/nft-f/0022variables_0
+I: [OK]		././testcases/nft-f/0022variables_0
+I: [EXECUTING]	././testcases/nft-f/0023check_1
+I: [OK]		././testcases/nft-f/0023check_1
+I: [EXECUTING]	././testcases/nft-f/0024priority_0
+I: [OK]		././testcases/nft-f/0024priority_0
+I: [EXECUTING]	././testcases/nft-f/0025empty_dynset_0
+W: [DUMP FAIL]	././testcases/nft-f/0025empty_dynset_0
+I: [EXECUTING]	././testcases/nft-f/0026listing_0
+I: [OK]		././testcases/nft-f/0026listing_0
+I: [EXECUTING]	././testcases/nft-f/0027split_chains_0
+I: [OK]		././testcases/nft-f/0027split_chains_0
+I: [EXECUTING]	././testcases/nft-f/0028variable_cmdline_0
+I: [OK]		././testcases/nft-f/0028variable_cmdline_0
+I: [EXECUTING]	././testcases/nft-f/0029split_file_0
+I: [OK]		././testcases/nft-f/0029split_file_0
+I: [EXECUTING]	././testcases/nft-f/0030variable_reuse_0
+I: [OK]		././testcases/nft-f/0030variable_reuse_0
+I: [EXECUTING]	././testcases/nft-f/0031vmap_string_0
+I: [OK]		././testcases/nft-f/0031vmap_string_0
+I: [EXECUTING]	././testcases/nft-f/0032pknock_0
+I: [OK]		././testcases/nft-f/0032pknock_0
+I: [EXECUTING]	././testcases/nft-i/0001define_0
+I: [OK]		././testcases/nft-i/0001define_0
+I: [EXECUTING]	././testcases/optimizations/dependency_kill
+I: [OK]		././testcases/optimizations/dependency_kill
+I: [EXECUTING]	././testcases/optimizations/merge_nat
+I: [OK]		././testcases/optimizations/merge_nat
+I: [EXECUTING]	././testcases/optimizations/merge_reject
+I: [OK]		././testcases/optimizations/merge_reject
+I: [EXECUTING]	././testcases/optimizations/merge_stmts
+I: [OK]		././testcases/optimizations/merge_stmts
+I: [EXECUTING]	././testcases/optimizations/merge_stmts_concat
+I: [OK]		././testcases/optimizations/merge_stmts_concat
+I: [EXECUTING]	././testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]		././testcases/optimizations/merge_stmts_concat_vmap
+I: [EXECUTING]	././testcases/optimizations/merge_stmts_vmap
+I: [OK]		././testcases/optimizations/merge_stmts_vmap
+I: [EXECUTING]	././testcases/optimizations/merge_vmap_raw
+I: [OK]		././testcases/optimizations/merge_vmap_raw
+I: [EXECUTING]	././testcases/optimizations/merge_vmaps
+I: [OK]		././testcases/optimizations/merge_vmaps
+I: [EXECUTING]	././testcases/optimizations/not_mergeable
+I: [OK]		././testcases/optimizations/not_mergeable
+I: [EXECUTING]	././testcases/optimizations/ruleset
+I: [OK]		././testcases/optimizations/ruleset
+I: [EXECUTING]	././testcases/optimizations/single_anon_set
+I: [OK]		././testcases/optimizations/single_anon_set
+I: [EXECUTING]	././testcases/optimizations/skip_merge
+I: [OK]		././testcases/optimizations/skip_merge
+I: [EXECUTING]	././testcases/optimizations/skip_non_eq
+I: [OK]		././testcases/optimizations/skip_non_eq
+I: [EXECUTING]	././testcases/optimizations/skip_unsupported
+I: [OK]		././testcases/optimizations/skip_unsupported
+I: [EXECUTING]	././testcases/optimizations/variables
+I: [OK]		././testcases/optimizations/variables
+I: [EXECUTING]	././testcases/optionals/comments_0
+I: [OK]		././testcases/optionals/comments_0
+I: [EXECUTING]	././testcases/optionals/comments_chain_0
+I: [OK]		././testcases/optionals/comments_chain_0
+I: [EXECUTING]	././testcases/optionals/comments_handles_0
+I: [OK]		././testcases/optionals/comments_handles_0
+I: [EXECUTING]	././testcases/optionals/comments_objects_0
+I: [OK]		././testcases/optionals/comments_objects_0
+I: [EXECUTING]	././testcases/optionals/comments_objects_dup_0
+I: [OK]		././testcases/optionals/comments_objects_dup_0
+I: [EXECUTING]	././testcases/optionals/comments_table_0
+I: [OK]		././testcases/optionals/comments_table_0
+I: [EXECUTING]	././testcases/optionals/delete_object_handles_0
+I: [OK]		././testcases/optionals/delete_object_handles_0
+I: [EXECUTING]	././testcases/optionals/handles_0
+I: [OK]		././testcases/optionals/handles_0
+I: [EXECUTING]	././testcases/optionals/handles_1
+I: [OK]		././testcases/optionals/handles_1
+I: [EXECUTING]	././testcases/optionals/log_prefix_0
+I: [OK]		././testcases/optionals/log_prefix_0
+I: [EXECUTING]	././testcases/optionals/update_object_handles_0
+I: [OK]		././testcases/optionals/update_object_handles_0
+I: [EXECUTING]	././testcases/owner/0001-flowtable-uaf
+W: [FAILED]	././testcases/owner/0001-flowtable-uaf
+I: [EXECUTING]	././testcases/parsing/describe
+I: [OK]		././testcases/parsing/describe
+I: [EXECUTING]	././testcases/parsing/large_rule_pipe
+I: [OK]		././testcases/parsing/large_rule_pipe
+I: [EXECUTING]	././testcases/parsing/log
+I: [OK]		././testcases/parsing/log
+I: [EXECUTING]	././testcases/parsing/octal
+I: [OK]		././testcases/parsing/octal
+I: [EXECUTING]	././testcases/rule_management/0001addinsertposition_0
+I: [OK]		././testcases/rule_management/0001addinsertposition_0
+I: [EXECUTING]	././testcases/rule_management/0002addinsertlocation_1
+I: [OK]		././testcases/rule_management/0002addinsertlocation_1
+I: [EXECUTING]	././testcases/rule_management/0003insert_0
+I: [OK]		././testcases/rule_management/0003insert_0
+I: [EXECUTING]	././testcases/rule_management/0004replace_0
+I: [OK]		././testcases/rule_management/0004replace_0
+I: [EXECUTING]	././testcases/rule_management/0005replace_1
+I: [OK]		././testcases/rule_management/0005replace_1
+I: [EXECUTING]	././testcases/rule_management/0006replace_1
+I: [OK]		././testcases/rule_management/0006replace_1
+I: [EXECUTING]	././testcases/rule_management/0007delete_0
+I: [OK]		././testcases/rule_management/0007delete_0
+I: [EXECUTING]	././testcases/rule_management/0008delete_1
+I: [OK]		././testcases/rule_management/0008delete_1
+I: [EXECUTING]	././testcases/rule_management/0009delete_1
+I: [OK]		././testcases/rule_management/0009delete_1
+I: [EXECUTING]	././testcases/rule_management/0010replace_0
+I: [OK]		././testcases/rule_management/0010replace_0
+I: [EXECUTING]	././testcases/rule_management/0011reset_0
+W: [FAILED]	././testcases/rule_management/0011reset_0
+I: [EXECUTING]	././testcases/rule_management/0012destroy_0
+W: [FAILED]	././testcases/rule_management/0012destroy_0
+I: [EXECUTING]	././testcases/sets/0001named_interval_0
+I: [OK]		././testcases/sets/0001named_interval_0
+I: [EXECUTING]	././testcases/sets/0002named_interval_automerging_0
+I: [OK]		././testcases/sets/0002named_interval_automerging_0
+I: [EXECUTING]	././testcases/sets/0003named_interval_missing_flag_0
+I: [OK]		././testcases/sets/0003named_interval_missing_flag_0
+I: [EXECUTING]	././testcases/sets/0004named_interval_shadow_0
+I: [OK]		././testcases/sets/0004named_interval_shadow_0
+I: [EXECUTING]	././testcases/sets/0005named_interval_shadow_0
+I: [OK]		././testcases/sets/0005named_interval_shadow_0
+I: [EXECUTING]	././testcases/sets/0006create_set_0
+I: [OK]		././testcases/sets/0006create_set_0
+I: [EXECUTING]	././testcases/sets/0007create_element_0
+I: [OK]		././testcases/sets/0007create_element_0
+I: [EXECUTING]	././testcases/sets/0008comments_interval_0
+I: [OK]		././testcases/sets/0008comments_interval_0
+I: [EXECUTING]	././testcases/sets/0008create_verdict_map_0
+I: [OK]		././testcases/sets/0008create_verdict_map_0
+I: [EXECUTING]	././testcases/sets/0009comments_timeout_0
+I: [OK]		././testcases/sets/0009comments_timeout_0
+I: [EXECUTING]	././testcases/sets/0010comments_0
+I: [OK]		././testcases/sets/0010comments_0
+I: [EXECUTING]	././testcases/sets/0011add_many_elements_0
+I: [OK]		././testcases/sets/0011add_many_elements_0
+I: [EXECUTING]	././testcases/sets/0012add_delete_many_elements_0
+I: [OK]		././testcases/sets/0012add_delete_many_elements_0
+I: [EXECUTING]	././testcases/sets/0013add_delete_many_elements_0
+I: [OK]		././testcases/sets/0013add_delete_many_elements_0
+I: [EXECUTING]	././testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]		././testcases/sets/0014malformed_set_is_not_defined_0
+I: [EXECUTING]	././testcases/sets/0015rulesetflush_0
+I: [OK]		././testcases/sets/0015rulesetflush_0
+I: [EXECUTING]	././testcases/sets/0016element_leak_0
+I: [OK]		././testcases/sets/0016element_leak_0
+I: [EXECUTING]	././testcases/sets/0017add_after_flush_0
+I: [OK]		././testcases/sets/0017add_after_flush_0
+I: [EXECUTING]	././testcases/sets/0018set_check_size_1
+I: [OK]		././testcases/sets/0018set_check_size_1
+I: [EXECUTING]	././testcases/sets/0019set_check_size_0
+I: [OK]		././testcases/sets/0019set_check_size_0
+I: [EXECUTING]	././testcases/sets/0020comments_0
+I: [OK]		././testcases/sets/0020comments_0
+I: [EXECUTING]	././testcases/sets/0021nesting_0
+I: [OK]		././testcases/sets/0021nesting_0
+I: [EXECUTING]	././testcases/sets/0022type_selective_flush_0
+I: [OK]		././testcases/sets/0022type_selective_flush_0
+I: [EXECUTING]	././testcases/sets/0023incomplete_add_set_command_0
+I: [OK]		././testcases/sets/0023incomplete_add_set_command_0
+I: [EXECUTING]	././testcases/sets/0024named_objects_0
+I: [OK]		././testcases/sets/0024named_objects_0
+I: [EXECUTING]	././testcases/sets/0025anonymous_set_0
+I: [OK]		././testcases/sets/0025anonymous_set_0
+I: [EXECUTING]	././testcases/sets/0026named_limit_0
+I: [OK]		././testcases/sets/0026named_limit_0
+I: [EXECUTING]	././testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]		././testcases/sets/0027ipv6_maps_ipv4_0
+I: [EXECUTING]	././testcases/sets/0028autoselect_0
+I: [OK]		././testcases/sets/0028autoselect_0
+I: [EXECUTING]	././testcases/sets/0028delete_handle_0
+I: [OK]		././testcases/sets/0028delete_handle_0
+I: [EXECUTING]	././testcases/sets/0029named_ifname_dtype_0
+I: [OK]		././testcases/sets/0029named_ifname_dtype_0
+I: [EXECUTING]	././testcases/sets/0030add_many_elements_interval_0
+I: [OK]		././testcases/sets/0030add_many_elements_interval_0
+I: [EXECUTING]	././testcases/sets/0031set_timeout_size_0
+I: [OK]		././testcases/sets/0031set_timeout_size_0
+I: [EXECUTING]	././testcases/sets/0032restore_set_simple_0
+I: [OK]		././testcases/sets/0032restore_set_simple_0
+I: [EXECUTING]	././testcases/sets/0033add_set_simple_flat_0
+I: [OK]		././testcases/sets/0033add_set_simple_flat_0
+I: [EXECUTING]	././testcases/sets/0034get_element_0
+I: [OK]		././testcases/sets/0034get_element_0
+I: [EXECUTING]	././testcases/sets/0035add_set_elements_flat_0
+I: [OK]		././testcases/sets/0035add_set_elements_flat_0
+I: [EXECUTING]	././testcases/sets/0036add_set_element_expiration_0
+I: [OK]		././testcases/sets/0036add_set_element_expiration_0
+I: [EXECUTING]	././testcases/sets/0037_set_with_inet_service_0
+I: [OK]		././testcases/sets/0037_set_with_inet_service_0
+I: [EXECUTING]	././testcases/sets/0038meter_list_0
+I: [OK]		././testcases/sets/0038meter_list_0
+I: [EXECUTING]	././testcases/sets/0039delete_interval_0
+I: [OK]		././testcases/sets/0039delete_interval_0
+I: [EXECUTING]	././testcases/sets/0040get_host_endian_elements_0
+I: [OK]		././testcases/sets/0040get_host_endian_elements_0
+I: [EXECUTING]	././testcases/sets/0041interval_0
+I: [OK]		././testcases/sets/0041interval_0
+I: [EXECUTING]	././testcases/sets/0042update_set_0
+I: [OK]		././testcases/sets/0042update_set_0
+I: [EXECUTING]	././testcases/sets/0043concatenated_ranges_0
+I: [OK]		././testcases/sets/0043concatenated_ranges_0
+I: [EXECUTING]	././testcases/sets/0043concatenated_ranges_1
+I: [OK]		././testcases/sets/0043concatenated_ranges_1
+I: [EXECUTING]	././testcases/sets/0044interval_overlap_0
+I: [OK]		././testcases/sets/0044interval_overlap_0
+I: [EXECUTING]	././testcases/sets/0044interval_overlap_1
+I: [OK]		././testcases/sets/0044interval_overlap_1
+I: [EXECUTING]	././testcases/sets/0045concat_ipv4_service
+I: [OK]		././testcases/sets/0045concat_ipv4_service
+I: [EXECUTING]	././testcases/sets/0046netmap_0
+I: [OK]		././testcases/sets/0046netmap_0
+I: [EXECUTING]	././testcases/sets/0047nat_0
+I: [OK]		././testcases/sets/0047nat_0
+I: [EXECUTING]	././testcases/sets/0048set_counters_0
+I: [OK]		././testcases/sets/0048set_counters_0
+I: [EXECUTING]	././testcases/sets/0049set_define_0
+I: [OK]		././testcases/sets/0049set_define_0
+I: [EXECUTING]	././testcases/sets/0050set_define_1
+I: [OK]		././testcases/sets/0050set_define_1
+I: [EXECUTING]	././testcases/sets/0051set_interval_counter_0
+I: [OK]		././testcases/sets/0051set_interval_counter_0
+I: [EXECUTING]	././testcases/sets/0052overlap_0
+I: [OK]		././testcases/sets/0052overlap_0
+I: [EXECUTING]	././testcases/sets/0053echo_0
+I: [OK]		././testcases/sets/0053echo_0
+I: [EXECUTING]	././testcases/sets/0054comments_set_0
+I: [OK]		././testcases/sets/0054comments_set_0
+I: [EXECUTING]	././testcases/sets/0055tcpflags_0
+I: [OK]		././testcases/sets/0055tcpflags_0
+I: [EXECUTING]	././testcases/sets/0056dynamic_limit_0
+I: [OK]		././testcases/sets/0056dynamic_limit_0
+I: [EXECUTING]	././testcases/sets/0057set_create_fails_0
+I: [OK]		././testcases/sets/0057set_create_fails_0
+I: [EXECUTING]	././testcases/sets/0058_setupdate_timeout_0
+I: [OK]		././testcases/sets/0058_setupdate_timeout_0
+I: [EXECUTING]	././testcases/sets/0059set_update_multistmt_0
+W: [FAILED]	././testcases/sets/0059set_update_multistmt_0
+I: [EXECUTING]	././testcases/sets/0060set_multistmt_0
+W: [FAILED]	././testcases/sets/0060set_multistmt_0
+I: [EXECUTING]	././testcases/sets/0060set_multistmt_1
+W: [FAILED]	././testcases/sets/0060set_multistmt_1
+I: [EXECUTING]	././testcases/sets/0061anonymous_automerge_0
+I: [OK]		././testcases/sets/0061anonymous_automerge_0
+I: [EXECUTING]	././testcases/sets/0062set_connlimit_0
+I: [OK]		././testcases/sets/0062set_connlimit_0
+I: [EXECUTING]	././testcases/sets/0063set_catchall_0
+W: [FAILED]	././testcases/sets/0063set_catchall_0
+I: [EXECUTING]	././testcases/sets/0064map_catchall_0
+W: [FAILED]	././testcases/sets/0064map_catchall_0
+I: [EXECUTING]	././testcases/sets/0065_icmp_postprocessing
+I: [OK]		././testcases/sets/0065_icmp_postprocessing
+I: [EXECUTING]	././testcases/sets/0067nat_concat_interval_0
+I: [OK]		././testcases/sets/0067nat_concat_interval_0
+I: [EXECUTING]	././testcases/sets/0068interval_stack_overflow_0
+I: [OK]		././testcases/sets/0068interval_stack_overflow_0
+I: [EXECUTING]	././testcases/sets/0069interval_merge_0
+I: [OK]		././testcases/sets/0069interval_merge_0
+I: [EXECUTING]	././testcases/sets/0070stacked_l2_headers
+I: [OK]		././testcases/sets/0070stacked_l2_headers
+I: [EXECUTING]	././testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]		././testcases/sets/0071unclosed_prefix_interval_0
+I: [EXECUTING]	././testcases/sets/0072destroy_0
+W: [FAILED]	././testcases/sets/0072destroy_0
+I: [EXECUTING]	././testcases/sets/automerge_0
+I: [OK]		././testcases/sets/automerge_0
+I: [EXECUTING]	././testcases/sets/collapse_elem_0
+I: [OK]		././testcases/sets/collapse_elem_0
+I: [EXECUTING]	././testcases/sets/concat_interval_0
+I: [OK]		././testcases/sets/concat_interval_0
+I: [EXECUTING]	././testcases/sets/dynset_missing
+I: [OK]		././testcases/sets/dynset_missing
+I: [EXECUTING]	././testcases/sets/errors_0
+I: [OK]		././testcases/sets/errors_0
+I: [EXECUTING]	././testcases/sets/exact_overlap_0
+I: [OK]		././testcases/sets/exact_overlap_0
+I: [EXECUTING]	././testcases/sets/inner_0
+W: [FAILED]	././testcases/sets/inner_0
+I: [EXECUTING]	././testcases/sets/reset_command_0
+W: [FAILED]	././testcases/sets/reset_command_0
+I: [EXECUTING]	././testcases/sets/set_eval_0
+I: [OK]		././testcases/sets/set_eval_0
+I: [EXECUTING]	././testcases/sets/sets_with_ifnames
+I: [OK]		././testcases/sets/sets_with_ifnames
+I: [EXECUTING]	././testcases/sets/typeof_raw_0
+W: [FAILED]	././testcases/sets/typeof_raw_0
+I: [EXECUTING]	././testcases/sets/typeof_sets_0
+W: [FAILED]	././testcases/sets/typeof_sets_0
+I: [EXECUTING]	././testcases/sets/typeof_sets_1
+I: [OK]		././testcases/sets/typeof_sets_1
+I: [EXECUTING]	././testcases/sets/typeof_sets_concat
+I: [OK]		././testcases/sets/typeof_sets_concat
+I: [EXECUTING]	././testcases/sets/type_set_symbol
+I: [OK]		././testcases/sets/type_set_symbol
+I: [EXECUTING]	././testcases/transactions/0001table_0
+I: [OK]		././testcases/transactions/0001table_0
+I: [EXECUTING]	././testcases/transactions/0002table_0
+I: [OK]		././testcases/transactions/0002table_0
+I: [EXECUTING]	././testcases/transactions/0003table_0
+I: [OK]		././testcases/transactions/0003table_0
+I: [EXECUTING]	././testcases/transactions/0010chain_0
+I: [OK]		././testcases/transactions/0010chain_0
+I: [EXECUTING]	././testcases/transactions/0011chain_0
+I: [OK]		././testcases/transactions/0011chain_0
+I: [EXECUTING]	././testcases/transactions/0012chain_0
+I: [OK]		././testcases/transactions/0012chain_0
+I: [EXECUTING]	././testcases/transactions/0013chain_0
+I: [OK]		././testcases/transactions/0013chain_0
+I: [EXECUTING]	././testcases/transactions/0014chain_1
+I: [OK]		././testcases/transactions/0014chain_1
+I: [EXECUTING]	././testcases/transactions/0015chain_0
+I: [OK]		././testcases/transactions/0015chain_0
+I: [EXECUTING]	././testcases/transactions/0020rule_0
+I: [OK]		././testcases/transactions/0020rule_0
+I: [EXECUTING]	././testcases/transactions/0021rule_0
+I: [OK]		././testcases/transactions/0021rule_0
+I: [EXECUTING]	././testcases/transactions/0022rule_1
+I: [OK]		././testcases/transactions/0022rule_1
+I: [EXECUTING]	././testcases/transactions/0023rule_1
+I: [OK]		././testcases/transactions/0023rule_1
+I: [EXECUTING]	././testcases/transactions/0024rule_0
+I: [OK]		././testcases/transactions/0024rule_0
+I: [EXECUTING]	././testcases/transactions/0025rule_0
+I: [OK]		././testcases/transactions/0025rule_0
+I: [EXECUTING]	././testcases/transactions/0030set_0
+I: [OK]		././testcases/transactions/0030set_0
+I: [EXECUTING]	././testcases/transactions/0031set_0
+I: [OK]		././testcases/transactions/0031set_0
+I: [EXECUTING]	././testcases/transactions/0032set_0
+I: [OK]		././testcases/transactions/0032set_0
+I: [EXECUTING]	././testcases/transactions/0033set_0
+I: [OK]		././testcases/transactions/0033set_0
+I: [EXECUTING]	././testcases/transactions/0034set_0
+I: [OK]		././testcases/transactions/0034set_0
+I: [EXECUTING]	././testcases/transactions/0035set_0
+I: [OK]		././testcases/transactions/0035set_0
+I: [EXECUTING]	././testcases/transactions/0036set_1
+I: [OK]		././testcases/transactions/0036set_1
+I: [EXECUTING]	././testcases/transactions/0037set_0
+I: [OK]		././testcases/transactions/0037set_0
+I: [EXECUTING]	././testcases/transactions/0038set_0
+I: [OK]		././testcases/transactions/0038set_0
+I: [EXECUTING]	././testcases/transactions/0039set_0
+I: [OK]		././testcases/transactions/0039set_0
+I: [EXECUTING]	././testcases/transactions/0040set_0
+I: [OK]		././testcases/transactions/0040set_0
+I: [EXECUTING]	././testcases/transactions/0041nat_restore_0
+I: [OK]		././testcases/transactions/0041nat_restore_0
+W: [FAILED]	kmemleak detected 1 memory leaks
+I: [EXECUTING]	././testcases/transactions/0042_stateful_expr_0
+I: [OK]		././testcases/transactions/0042_stateful_expr_0
+I: [EXECUTING]	././testcases/transactions/0043set_1
+I: [OK]		././testcases/transactions/0043set_1
+I: [EXECUTING]	././testcases/transactions/0044rule_0
+I: [OK]		././testcases/transactions/0044rule_0
+I: [EXECUTING]	././testcases/transactions/0045anon-unbind_0
+I: [OK]		././testcases/transactions/0045anon-unbind_0
+I: [EXECUTING]	././testcases/transactions/0046set_0
+I: [OK]		././testcases/transactions/0046set_0
+I: [EXECUTING]	././testcases/transactions/0047set_0
+I: [OK]		././testcases/transactions/0047set_0
+I: [EXECUTING]	././testcases/transactions/0048helpers_0
+I: [OK]		././testcases/transactions/0048helpers_0
+I: [EXECUTING]	././testcases/transactions/0049huge_0
+I: [OK]		././testcases/transactions/0049huge_0
+I: [EXECUTING]	././testcases/transactions/0050rule_1
+I: [OK]		././testcases/transactions/0050rule_1
+I: [EXECUTING]	././testcases/transactions/0051map_0
+I: [OK]		././testcases/transactions/0051map_0
+I: [EXECUTING]	././testcases/transactions/30s-stress
+I: [OK]		././testcases/transactions/30s-stress
+I: [EXECUTING]	././testcases/transactions/anon_chain_loop
+I: [OK]		././testcases/transactions/anon_chain_loop
+I: [EXECUTING]	././testcases/transactions/bad_expression
+I: [OK]		././testcases/transactions/bad_expression
+
+I: results: [OK] 346 [FAILED] 27 [TOTAL] 373
diff --git a/tests/shell/stable-log/log-5.15 b/tests/shell/stable-log/log-5.15
new file mode 100644
index 0000000..9ec3491
--- /dev/null
+++ b/tests/shell/stable-log/log-5.15
@@ -0,0 +1,751 @@
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_0
+I: [OK]		././testcases/bitwise/0040mark_binop_0
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_1
+I: [OK]		././testcases/bitwise/0040mark_binop_1
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_2
+I: [OK]		././testcases/bitwise/0040mark_binop_2
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_3
+I: [OK]		././testcases/bitwise/0040mark_binop_3
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_4
+I: [OK]		././testcases/bitwise/0040mark_binop_4
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_5
+I: [OK]		././testcases/bitwise/0040mark_binop_5
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_6
+I: [OK]		././testcases/bitwise/0040mark_binop_6
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_7
+I: [OK]		././testcases/bitwise/0040mark_binop_7
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_8
+I: [OK]		././testcases/bitwise/0040mark_binop_8
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_9
+I: [OK]		././testcases/bitwise/0040mark_binop_9
+I: [EXECUTING]	././testcases/bogons/assert_failures
+I: [OK]		././testcases/bogons/assert_failures
+I: [EXECUTING]	././testcases/cache/0001_cache_handling_0
+I: [OK]		././testcases/cache/0001_cache_handling_0
+I: [EXECUTING]	././testcases/cache/0002_interval_0
+I: [OK]		././testcases/cache/0002_interval_0
+I: [EXECUTING]	././testcases/cache/0003_cache_update_0
+I: [OK]		././testcases/cache/0003_cache_update_0
+I: [EXECUTING]	././testcases/cache/0004_cache_update_0
+I: [OK]		././testcases/cache/0004_cache_update_0
+I: [EXECUTING]	././testcases/cache/0005_cache_chain_flush
+I: [OK]		././testcases/cache/0005_cache_chain_flush
+I: [EXECUTING]	././testcases/cache/0006_cache_table_flush
+I: [OK]		././testcases/cache/0006_cache_table_flush
+I: [EXECUTING]	././testcases/cache/0007_echo_cache_init_0
+I: [OK]		././testcases/cache/0007_echo_cache_init_0
+I: [EXECUTING]	././testcases/cache/0008_delete_by_handle_0
+I: [OK]		././testcases/cache/0008_delete_by_handle_0
+I: [EXECUTING]	././testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]		././testcases/cache/0009_delete_by_handle_incorrect_0
+I: [EXECUTING]	././testcases/cache/0010_implicit_chain_0
+I: [OK]		././testcases/cache/0010_implicit_chain_0
+I: [EXECUTING]	././testcases/cache/0011_index_0
+I: [OK]		././testcases/cache/0011_index_0
+I: [EXECUTING]	././testcases/chains/0001jumps_0
+I: [OK]		././testcases/chains/0001jumps_0
+I: [EXECUTING]	././testcases/chains/0002jumps_1
+I: [OK]		././testcases/chains/0002jumps_1
+I: [EXECUTING]	././testcases/chains/0003jump_loop_1
+I: [OK]		././testcases/chains/0003jump_loop_1
+I: [EXECUTING]	././testcases/chains/0004busy_1
+I: [OK]		././testcases/chains/0004busy_1
+I: [EXECUTING]	././testcases/chains/0005busy_map_1
+I: [OK]		././testcases/chains/0005busy_map_1
+I: [EXECUTING]	././testcases/chains/0006masquerade_0
+I: [OK]		././testcases/chains/0006masquerade_0
+I: [EXECUTING]	././testcases/chains/0007masquerade_1
+I: [OK]		././testcases/chains/0007masquerade_1
+I: [EXECUTING]	././testcases/chains/0008masquerade_jump_1
+I: [OK]		././testcases/chains/0008masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0009masquerade_jump_1
+I: [OK]		././testcases/chains/0009masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0010endless_jump_loop_1
+I: [OK]		././testcases/chains/0010endless_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0011endless_jump_loop_1
+I: [OK]		././testcases/chains/0011endless_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0013rename_0
+I: [OK]		././testcases/chains/0013rename_0
+I: [EXECUTING]	././testcases/chains/0014rename_0
+I: [OK]		././testcases/chains/0014rename_0
+I: [EXECUTING]	././testcases/chains/0015check_jump_loop_1
+I: [OK]		././testcases/chains/0015check_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0016delete_handle_0
+I: [OK]		././testcases/chains/0016delete_handle_0
+I: [EXECUTING]	././testcases/chains/0017masquerade_jump_1
+I: [OK]		././testcases/chains/0017masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0018check_jump_loop_1
+I: [OK]		././testcases/chains/0018check_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0019masquerade_jump_1
+I: [OK]		././testcases/chains/0019masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0020depth_1
+I: [OK]		././testcases/chains/0020depth_1
+I: [EXECUTING]	././testcases/chains/0021prio_0
+W: [FAILED]	././testcases/chains/0021prio_0
+I: [EXECUTING]	././testcases/chains/0022prio_dummy_1
+I: [OK]		././testcases/chains/0022prio_dummy_1
+I: [EXECUTING]	././testcases/chains/0023prio_inet_srcnat_1
+I: [OK]		././testcases/chains/0023prio_inet_srcnat_1
+I: [EXECUTING]	././testcases/chains/0024prio_inet_dstnat_1
+I: [OK]		././testcases/chains/0024prio_inet_dstnat_1
+I: [EXECUTING]	././testcases/chains/0025prio_arp_1
+I: [OK]		././testcases/chains/0025prio_arp_1
+I: [EXECUTING]	././testcases/chains/0026prio_netdev_1
+I: [OK]		././testcases/chains/0026prio_netdev_1
+I: [EXECUTING]	././testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]		././testcases/chains/0027prio_bridge_dstnat_1
+I: [EXECUTING]	././testcases/chains/0028prio_bridge_out_1
+I: [OK]		././testcases/chains/0028prio_bridge_out_1
+I: [EXECUTING]	././testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]		././testcases/chains/0029prio_bridge_srcnat_1
+I: [EXECUTING]	././testcases/chains/0030create_0
+I: [OK]		././testcases/chains/0030create_0
+I: [EXECUTING]	././testcases/chains/0031priority_variable_0
+I: [OK]		././testcases/chains/0031priority_variable_0
+I: [EXECUTING]	././testcases/chains/0032priority_variable_0
+I: [OK]		././testcases/chains/0032priority_variable_0
+I: [EXECUTING]	././testcases/chains/0033priority_variable_1
+I: [OK]		././testcases/chains/0033priority_variable_1
+I: [EXECUTING]	././testcases/chains/0034priority_variable_1
+I: [OK]		././testcases/chains/0034priority_variable_1
+I: [EXECUTING]	././testcases/chains/0035policy_variable_0
+I: [OK]		././testcases/chains/0035policy_variable_0
+I: [EXECUTING]	././testcases/chains/0036policy_variable_0
+I: [OK]		././testcases/chains/0036policy_variable_0
+I: [EXECUTING]	././testcases/chains/0037policy_variable_1
+I: [OK]		././testcases/chains/0037policy_variable_1
+I: [EXECUTING]	././testcases/chains/0038policy_variable_1
+I: [OK]		././testcases/chains/0038policy_variable_1
+I: [EXECUTING]	././testcases/chains/0039negative_priority_0
+I: [OK]		././testcases/chains/0039negative_priority_0
+I: [EXECUTING]	././testcases/chains/0041chain_binding_0
+I: [OK]		././testcases/chains/0041chain_binding_0
+I: [EXECUTING]	././testcases/chains/0042chain_variable_0
+W: [FAILED]	././testcases/chains/0042chain_variable_0
+I: [EXECUTING]	././testcases/chains/0043chain_ingress_0
+I: [OK]		././testcases/chains/0043chain_ingress_0
+I: [EXECUTING]	././testcases/chains/0044chain_destroy_0
+W: [FAILED]	././testcases/chains/0044chain_destroy_0
+I: [EXECUTING]	././testcases/chains/netdev_chain_0
+W: [FAILED]	././testcases/chains/netdev_chain_0
+I: [EXECUTING]	././testcases/comments/comments_0
+I: [OK]		././testcases/comments/comments_0
+I: [EXECUTING]	././testcases/flowtable/0001flowtable_0
+I: [OK]		././testcases/flowtable/0001flowtable_0
+I: [EXECUTING]	././testcases/flowtable/0002create_flowtable_0
+I: [OK]		././testcases/flowtable/0002create_flowtable_0
+I: [EXECUTING]	././testcases/flowtable/0003add_after_flush_0
+I: [OK]		././testcases/flowtable/0003add_after_flush_0
+I: [EXECUTING]	././testcases/flowtable/0004delete_after_add_0
+I: [OK]		././testcases/flowtable/0004delete_after_add_0
+I: [EXECUTING]	././testcases/flowtable/0005delete_in_use_1
+I: [OK]		././testcases/flowtable/0005delete_in_use_1
+I: [EXECUTING]	././testcases/flowtable/0006segfault_0
+I: [OK]		././testcases/flowtable/0006segfault_0
+I: [EXECUTING]	././testcases/flowtable/0007prio_0
+I: [OK]		././testcases/flowtable/0007prio_0
+I: [EXECUTING]	././testcases/flowtable/0008prio_1
+I: [OK]		././testcases/flowtable/0008prio_1
+I: [EXECUTING]	././testcases/flowtable/0009deleteafterflush_0
+I: [OK]		././testcases/flowtable/0009deleteafterflush_0
+I: [EXECUTING]	././testcases/flowtable/0010delete_handle_0
+I: [OK]		././testcases/flowtable/0010delete_handle_0
+I: [EXECUTING]	././testcases/flowtable/0011deleteafterflush_0
+I: [OK]		././testcases/flowtable/0011deleteafterflush_0
+I: [EXECUTING]	././testcases/flowtable/0012flowtable_variable_0
+I: [OK]		././testcases/flowtable/0012flowtable_variable_0
+I: [EXECUTING]	././testcases/flowtable/0013addafterdelete_0
+I: [OK]		././testcases/flowtable/0013addafterdelete_0
+I: [EXECUTING]	././testcases/flowtable/0014addafterdelete_0
+I: [OK]		././testcases/flowtable/0014addafterdelete_0
+I: [EXECUTING]	././testcases/flowtable/0015destroy_0
+W: [FAILED]	././testcases/flowtable/0015destroy_0
+I: [EXECUTING]	././testcases/include/0001absolute_0
+I: [OK]		././testcases/include/0001absolute_0
+I: [EXECUTING]	././testcases/include/0002relative_0
+I: [OK]		././testcases/include/0002relative_0
+I: [EXECUTING]	././testcases/include/0003includepath_0
+I: [OK]		././testcases/include/0003includepath_0
+I: [EXECUTING]	././testcases/include/0004endlessloop_1
+I: [OK]		././testcases/include/0004endlessloop_1
+I: [EXECUTING]	././testcases/include/0005glob_empty_0
+I: [OK]		././testcases/include/0005glob_empty_0
+I: [EXECUTING]	././testcases/include/0006glob_single_0
+I: [OK]		././testcases/include/0006glob_single_0
+I: [EXECUTING]	././testcases/include/0007glob_double_0
+I: [OK]		././testcases/include/0007glob_double_0
+I: [EXECUTING]	././testcases/include/0008glob_nofile_wildcard_0
+I: [OK]		././testcases/include/0008glob_nofile_wildcard_0
+I: [EXECUTING]	././testcases/include/0009glob_nofile_1
+I: [OK]		././testcases/include/0009glob_nofile_1
+I: [EXECUTING]	././testcases/include/0010glob_broken_file_1
+I: [OK]		././testcases/include/0010glob_broken_file_1
+I: [EXECUTING]	././testcases/include/0011glob_dependency_0
+I: [OK]		././testcases/include/0011glob_dependency_0
+I: [EXECUTING]	././testcases/include/0012glob_dependency_1
+I: [OK]		././testcases/include/0012glob_dependency_1
+I: [EXECUTING]	././testcases/include/0013glob_dotfile_0
+I: [OK]		././testcases/include/0013glob_dotfile_0
+I: [EXECUTING]	././testcases/include/0013input_descriptors_included_files_0
+I: [OK]		././testcases/include/0013input_descriptors_included_files_0
+I: [EXECUTING]	././testcases/include/0014glob_directory_0
+I: [OK]		././testcases/include/0014glob_directory_0
+I: [EXECUTING]	././testcases/include/0015doubleincludepath_0
+I: [OK]		././testcases/include/0015doubleincludepath_0
+I: [EXECUTING]	././testcases/include/0016maxdepth_0
+I: [OK]		././testcases/include/0016maxdepth_0
+I: [EXECUTING]	././testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]		././testcases/include/0017glob_more_than_maxdepth_1
+I: [EXECUTING]	././testcases/include/0018include_error_0
+I: [OK]		././testcases/include/0018include_error_0
+I: [EXECUTING]	././testcases/include/0019include_error_0
+I: [OK]		././testcases/include/0019include_error_0
+I: [EXECUTING]	././testcases/include/0020include_chain_0
+I: [OK]		././testcases/include/0020include_chain_0
+I: [EXECUTING]	././testcases/json/0001set_statements_0
+I: [OK]		././testcases/json/0001set_statements_0
+I: [EXECUTING]	././testcases/json/0002table_map_0
+I: [OK]		././testcases/json/0002table_map_0
+I: [EXECUTING]	././testcases/json/0003json_schema_version_0
+I: [OK]		././testcases/json/0003json_schema_version_0
+I: [EXECUTING]	././testcases/json/0004json_schema_version_1
+I: [OK]		././testcases/json/0004json_schema_version_1
+I: [EXECUTING]	././testcases/json/0005secmark_objref_0
+I: [OK]		././testcases/json/0005secmark_objref_0
+I: [EXECUTING]	././testcases/json/0006obj_comment_0
+I: [OK]		././testcases/json/0006obj_comment_0
+I: [EXECUTING]	././testcases/json/netdev
+I: [OK]		././testcases/json/netdev
+I: [EXECUTING]	././testcases/listing/0001ruleset_0
+I: [OK]		././testcases/listing/0001ruleset_0
+I: [EXECUTING]	././testcases/listing/0002ruleset_0
+I: [OK]		././testcases/listing/0002ruleset_0
+I: [EXECUTING]	././testcases/listing/0003table_0
+I: [OK]		././testcases/listing/0003table_0
+I: [EXECUTING]	././testcases/listing/0004table_0
+I: [OK]		././testcases/listing/0004table_0
+I: [EXECUTING]	././testcases/listing/0005ruleset_ip_0
+I: [OK]		././testcases/listing/0005ruleset_ip_0
+I: [EXECUTING]	././testcases/listing/0006ruleset_ip6_0
+I: [OK]		././testcases/listing/0006ruleset_ip6_0
+I: [EXECUTING]	././testcases/listing/0007ruleset_inet_0
+I: [OK]		././testcases/listing/0007ruleset_inet_0
+I: [EXECUTING]	././testcases/listing/0008ruleset_arp_0
+I: [OK]		././testcases/listing/0008ruleset_arp_0
+I: [EXECUTING]	././testcases/listing/0009ruleset_bridge_0
+I: [OK]		././testcases/listing/0009ruleset_bridge_0
+I: [EXECUTING]	././testcases/listing/0010sets_0
+I: [OK]		././testcases/listing/0010sets_0
+I: [EXECUTING]	././testcases/listing/0011sets_0
+I: [OK]		././testcases/listing/0011sets_0
+I: [EXECUTING]	././testcases/listing/0012sets_0
+I: [OK]		././testcases/listing/0012sets_0
+I: [EXECUTING]	././testcases/listing/0013objects_0
+I: [OK]		././testcases/listing/0013objects_0
+I: [EXECUTING]	././testcases/listing/0014objects_0
+I: [OK]		././testcases/listing/0014objects_0
+I: [EXECUTING]	././testcases/listing/0015dynamic_0
+I: [OK]		././testcases/listing/0015dynamic_0
+I: [EXECUTING]	././testcases/listing/0016anonymous_0
+I: [OK]		././testcases/listing/0016anonymous_0
+I: [EXECUTING]	././testcases/listing/0017objects_0
+I: [OK]		././testcases/listing/0017objects_0
+I: [EXECUTING]	././testcases/listing/0018data_0
+I: [OK]		././testcases/listing/0018data_0
+I: [EXECUTING]	././testcases/listing/0019set_0
+I: [OK]		././testcases/listing/0019set_0
+I: [EXECUTING]	././testcases/listing/0020flowtable_0
+I: [OK]		././testcases/listing/0020flowtable_0
+I: [EXECUTING]	././testcases/listing/0021ruleset_json_terse_0
+I: [OK]		././testcases/listing/0021ruleset_json_terse_0
+I: [EXECUTING]	././testcases/listing/0022terse_0
+I: [OK]		././testcases/listing/0022terse_0
+I: [EXECUTING]	././testcases/maps/0003map_add_many_elements_0
+I: [OK]		././testcases/maps/0003map_add_many_elements_0
+I: [EXECUTING]	././testcases/maps/0004interval_map_create_once_0
+I: [OK]		././testcases/maps/0004interval_map_create_once_0
+I: [EXECUTING]	././testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]		././testcases/maps/0005interval_map_add_many_elements_0
+I: [EXECUTING]	././testcases/maps/0006interval_map_overlap_0
+I: [OK]		././testcases/maps/0006interval_map_overlap_0
+I: [EXECUTING]	././testcases/maps/0007named_ifname_dtype_0
+I: [OK]		././testcases/maps/0007named_ifname_dtype_0
+I: [EXECUTING]	././testcases/maps/0008interval_map_delete_0
+I: [OK]		././testcases/maps/0008interval_map_delete_0
+I: [EXECUTING]	././testcases/maps/0009vmap_0
+I: [OK]		././testcases/maps/0009vmap_0
+I: [EXECUTING]	././testcases/maps/0010concat_map_0
+I: [OK]		././testcases/maps/0010concat_map_0
+I: [EXECUTING]	././testcases/maps/0011vmap_0
+I: [OK]		././testcases/maps/0011vmap_0
+I: [EXECUTING]	././testcases/maps/0012map_0
+I: [OK]		././testcases/maps/0012map_0
+I: [EXECUTING]	././testcases/maps/0013map_0
+I: [OK]		././testcases/maps/0013map_0
+I: [EXECUTING]	././testcases/maps/0014destroy_0
+W: [FAILED]	././testcases/maps/0014destroy_0
+I: [EXECUTING]	././testcases/maps/0016map_leak_0
+I: [OK]		././testcases/maps/0016map_leak_0
+I: [EXECUTING]	././testcases/maps/0017_map_variable_0
+I: [OK]		././testcases/maps/0017_map_variable_0
+I: [EXECUTING]	././testcases/maps/0018map_leak_timeout_0
+I: [OK]		././testcases/maps/0018map_leak_timeout_0
+I: [EXECUTING]	././testcases/maps/anon_objmap_concat
+I: [OK]		././testcases/maps/anon_objmap_concat
+I: [EXECUTING]	././testcases/maps/anonymous_snat_map_0
+I: [OK]		././testcases/maps/anonymous_snat_map_0
+I: [EXECUTING]	././testcases/maps/different_map_types_1
+I: [OK]		././testcases/maps/different_map_types_1
+I: [EXECUTING]	././testcases/maps/map_catchall_double_deactivate
+I: [OK]		././testcases/maps/map_catchall_double_deactivate
+I: [EXECUTING]	././testcases/maps/map_with_flags_0
+I: [OK]		././testcases/maps/map_with_flags_0
+I: [EXECUTING]	././testcases/maps/named_snat_map_0
+I: [OK]		././testcases/maps/named_snat_map_0
+I: [EXECUTING]	././testcases/maps/nat_addr_port
+I: [OK]		././testcases/maps/nat_addr_port
+I: [EXECUTING]	././testcases/maps/typeof_integer_0
+I: [OK]		././testcases/maps/typeof_integer_0
+I: [EXECUTING]	././testcases/maps/typeof_maps_0
+I: [OK]		././testcases/maps/typeof_maps_0
+I: [EXECUTING]	././testcases/maps/typeof_maps_add_delete
+W: [FAILED]	././testcases/maps/typeof_maps_add_delete
+I: [EXECUTING]	././testcases/maps/typeof_maps_concat
+I: [OK]		././testcases/maps/typeof_maps_concat
+I: [EXECUTING]	././testcases/maps/typeof_maps_concat_update_0
+I: [OK]		././testcases/maps/typeof_maps_concat_update_0
+I: [EXECUTING]	././testcases/maps/typeof_maps_update_0
+I: [OK]		././testcases/maps/typeof_maps_update_0
+I: [EXECUTING]	././testcases/maps/typeof_raw_0
+I: [OK]		././testcases/maps/typeof_raw_0
+I: [EXECUTING]	././testcases/maps/vmap_timeout
+I: [OK]		././testcases/maps/vmap_timeout
+I: [EXECUTING]	././testcases/netns/0001nft-f_0
+I: [OK]		././testcases/netns/0001nft-f_0
+I: [EXECUTING]	././testcases/netns/0002loosecommands_0
+I: [OK]		././testcases/netns/0002loosecommands_0
+I: [EXECUTING]	././testcases/netns/0003many_0
+I: [OK]		././testcases/netns/0003many_0
+I: [EXECUTING]	././testcases/nft-f/0001define_slash_0
+I: [OK]		././testcases/nft-f/0001define_slash_0
+I: [EXECUTING]	././testcases/nft-f/0002rollback_rule_0
+I: [OK]		././testcases/nft-f/0002rollback_rule_0
+I: [EXECUTING]	././testcases/nft-f/0003rollback_jump_0
+I: [OK]		././testcases/nft-f/0003rollback_jump_0
+I: [EXECUTING]	././testcases/nft-f/0004rollback_set_0
+I: [OK]		././testcases/nft-f/0004rollback_set_0
+I: [EXECUTING]	././testcases/nft-f/0005rollback_map_0
+I: [OK]		././testcases/nft-f/0005rollback_map_0
+I: [EXECUTING]	././testcases/nft-f/0006action_object_0
+I: [OK]		././testcases/nft-f/0006action_object_0
+I: [EXECUTING]	././testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]		././testcases/nft-f/0007action_object_set_segfault_1
+I: [EXECUTING]	././testcases/nft-f/0008split_tables_0
+I: [OK]		././testcases/nft-f/0008split_tables_0
+I: [EXECUTING]	././testcases/nft-f/0009variable_0
+I: [OK]		././testcases/nft-f/0009variable_0
+I: [EXECUTING]	././testcases/nft-f/0010variable_0
+I: [OK]		././testcases/nft-f/0010variable_0
+I: [EXECUTING]	././testcases/nft-f/0011manydefines_0
+I: [OK]		././testcases/nft-f/0011manydefines_0
+I: [EXECUTING]	././testcases/nft-f/0012different_defines_0
+I: [OK]		././testcases/nft-f/0012different_defines_0
+I: [EXECUTING]	././testcases/nft-f/0013defines_1
+I: [OK]		././testcases/nft-f/0013defines_1
+I: [EXECUTING]	././testcases/nft-f/0014defines_1
+I: [OK]		././testcases/nft-f/0014defines_1
+I: [EXECUTING]	././testcases/nft-f/0015defines_1
+I: [OK]		././testcases/nft-f/0015defines_1
+I: [EXECUTING]	././testcases/nft-f/0016redefines_1
+I: [OK]		././testcases/nft-f/0016redefines_1
+I: [EXECUTING]	././testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]		././testcases/nft-f/0017ct_timeout_obj_0
+I: [EXECUTING]	././testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]		././testcases/nft-f/0018ct_expectation_obj_0
+I: [EXECUTING]	././testcases/nft-f/0018jump_variable_0
+I: [OK]		././testcases/nft-f/0018jump_variable_0
+I: [EXECUTING]	././testcases/nft-f/0019jump_variable_1
+I: [OK]		././testcases/nft-f/0019jump_variable_1
+I: [EXECUTING]	././testcases/nft-f/0020jump_variable_1
+I: [OK]		././testcases/nft-f/0020jump_variable_1
+I: [EXECUTING]	././testcases/nft-f/0021list_ruleset_0
+I: [OK]		././testcases/nft-f/0021list_ruleset_0
+I: [EXECUTING]	././testcases/nft-f/0022variables_0
+I: [OK]		././testcases/nft-f/0022variables_0
+I: [EXECUTING]	././testcases/nft-f/0023check_1
+I: [OK]		././testcases/nft-f/0023check_1
+I: [EXECUTING]	././testcases/nft-f/0024priority_0
+I: [OK]		././testcases/nft-f/0024priority_0
+I: [EXECUTING]	././testcases/nft-f/0025empty_dynset_0
+I: [OK]		././testcases/nft-f/0025empty_dynset_0
+I: [EXECUTING]	././testcases/nft-f/0026listing_0
+I: [OK]		././testcases/nft-f/0026listing_0
+I: [EXECUTING]	././testcases/nft-f/0027split_chains_0
+I: [OK]		././testcases/nft-f/0027split_chains_0
+I: [EXECUTING]	././testcases/nft-f/0028variable_cmdline_0
+I: [OK]		././testcases/nft-f/0028variable_cmdline_0
+I: [EXECUTING]	././testcases/nft-f/0029split_file_0
+I: [OK]		././testcases/nft-f/0029split_file_0
+I: [EXECUTING]	././testcases/nft-f/0030variable_reuse_0
+I: [OK]		././testcases/nft-f/0030variable_reuse_0
+I: [EXECUTING]	././testcases/nft-f/0031vmap_string_0
+I: [OK]		././testcases/nft-f/0031vmap_string_0
+I: [EXECUTING]	././testcases/nft-f/0032pknock_0
+I: [OK]		././testcases/nft-f/0032pknock_0
+I: [EXECUTING]	././testcases/nft-i/0001define_0
+I: [OK]		././testcases/nft-i/0001define_0
+I: [EXECUTING]	././testcases/optimizations/dependency_kill
+I: [OK]		././testcases/optimizations/dependency_kill
+I: [EXECUTING]	././testcases/optimizations/merge_nat
+I: [OK]		././testcases/optimizations/merge_nat
+I: [EXECUTING]	././testcases/optimizations/merge_reject
+I: [OK]		././testcases/optimizations/merge_reject
+I: [EXECUTING]	././testcases/optimizations/merge_stmts
+I: [OK]		././testcases/optimizations/merge_stmts
+I: [EXECUTING]	././testcases/optimizations/merge_stmts_concat
+I: [OK]		././testcases/optimizations/merge_stmts_concat
+I: [EXECUTING]	././testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]		././testcases/optimizations/merge_stmts_concat_vmap
+I: [EXECUTING]	././testcases/optimizations/merge_stmts_vmap
+I: [OK]		././testcases/optimizations/merge_stmts_vmap
+I: [EXECUTING]	././testcases/optimizations/merge_vmap_raw
+I: [OK]		././testcases/optimizations/merge_vmap_raw
+I: [EXECUTING]	././testcases/optimizations/merge_vmaps
+I: [OK]		././testcases/optimizations/merge_vmaps
+I: [EXECUTING]	././testcases/optimizations/not_mergeable
+I: [OK]		././testcases/optimizations/not_mergeable
+I: [EXECUTING]	././testcases/optimizations/ruleset
+I: [OK]		././testcases/optimizations/ruleset
+I: [EXECUTING]	././testcases/optimizations/single_anon_set
+I: [OK]		././testcases/optimizations/single_anon_set
+I: [EXECUTING]	././testcases/optimizations/skip_merge
+I: [OK]		././testcases/optimizations/skip_merge
+I: [EXECUTING]	././testcases/optimizations/skip_non_eq
+I: [OK]		././testcases/optimizations/skip_non_eq
+I: [EXECUTING]	././testcases/optimizations/skip_unsupported
+I: [OK]		././testcases/optimizations/skip_unsupported
+I: [EXECUTING]	././testcases/optimizations/variables
+I: [OK]		././testcases/optimizations/variables
+I: [EXECUTING]	././testcases/optionals/comments_0
+I: [OK]		././testcases/optionals/comments_0
+I: [EXECUTING]	././testcases/optionals/comments_chain_0
+I: [OK]		././testcases/optionals/comments_chain_0
+I: [EXECUTING]	././testcases/optionals/comments_handles_0
+I: [OK]		././testcases/optionals/comments_handles_0
+I: [EXECUTING]	././testcases/optionals/comments_objects_0
+I: [OK]		././testcases/optionals/comments_objects_0
+I: [EXECUTING]	././testcases/optionals/comments_objects_dup_0
+I: [OK]		././testcases/optionals/comments_objects_dup_0
+I: [EXECUTING]	././testcases/optionals/comments_table_0
+I: [OK]		././testcases/optionals/comments_table_0
+I: [EXECUTING]	././testcases/optionals/delete_object_handles_0
+I: [OK]		././testcases/optionals/delete_object_handles_0
+I: [EXECUTING]	././testcases/optionals/handles_0
+I: [OK]		././testcases/optionals/handles_0
+I: [EXECUTING]	././testcases/optionals/handles_1
+I: [OK]		././testcases/optionals/handles_1
+I: [EXECUTING]	././testcases/optionals/log_prefix_0
+I: [OK]		././testcases/optionals/log_prefix_0
+I: [EXECUTING]	././testcases/optionals/update_object_handles_0
+I: [OK]		././testcases/optionals/update_object_handles_0
+I: [EXECUTING]	././testcases/owner/0001-flowtable-uaf
+I: [OK]		././testcases/owner/0001-flowtable-uaf
+I: [EXECUTING]	././testcases/parsing/describe
+I: [OK]		././testcases/parsing/describe
+I: [EXECUTING]	././testcases/parsing/large_rule_pipe
+I: [OK]		././testcases/parsing/large_rule_pipe
+I: [EXECUTING]	././testcases/parsing/log
+I: [OK]		././testcases/parsing/log
+I: [EXECUTING]	././testcases/parsing/octal
+I: [OK]		././testcases/parsing/octal
+I: [EXECUTING]	././testcases/rule_management/0001addinsertposition_0
+I: [OK]		././testcases/rule_management/0001addinsertposition_0
+I: [EXECUTING]	././testcases/rule_management/0002addinsertlocation_1
+I: [OK]		././testcases/rule_management/0002addinsertlocation_1
+I: [EXECUTING]	././testcases/rule_management/0003insert_0
+I: [OK]		././testcases/rule_management/0003insert_0
+I: [EXECUTING]	././testcases/rule_management/0004replace_0
+I: [OK]		././testcases/rule_management/0004replace_0
+I: [EXECUTING]	././testcases/rule_management/0005replace_1
+I: [OK]		././testcases/rule_management/0005replace_1
+I: [EXECUTING]	././testcases/rule_management/0006replace_1
+I: [OK]		././testcases/rule_management/0006replace_1
+I: [EXECUTING]	././testcases/rule_management/0007delete_0
+I: [OK]		././testcases/rule_management/0007delete_0
+I: [EXECUTING]	././testcases/rule_management/0008delete_1
+I: [OK]		././testcases/rule_management/0008delete_1
+I: [EXECUTING]	././testcases/rule_management/0009delete_1
+I: [OK]		././testcases/rule_management/0009delete_1
+I: [EXECUTING]	././testcases/rule_management/0010replace_0
+I: [OK]		././testcases/rule_management/0010replace_0
+I: [EXECUTING]	././testcases/rule_management/0011reset_0
+W: [FAILED]	././testcases/rule_management/0011reset_0
+I: [EXECUTING]	././testcases/rule_management/0012destroy_0
+W: [FAILED]	././testcases/rule_management/0012destroy_0
+I: [EXECUTING]	././testcases/sets/0001named_interval_0
+I: [OK]		././testcases/sets/0001named_interval_0
+I: [EXECUTING]	././testcases/sets/0002named_interval_automerging_0
+I: [OK]		././testcases/sets/0002named_interval_automerging_0
+I: [EXECUTING]	././testcases/sets/0003named_interval_missing_flag_0
+I: [OK]		././testcases/sets/0003named_interval_missing_flag_0
+I: [EXECUTING]	././testcases/sets/0004named_interval_shadow_0
+I: [OK]		././testcases/sets/0004named_interval_shadow_0
+I: [EXECUTING]	././testcases/sets/0005named_interval_shadow_0
+I: [OK]		././testcases/sets/0005named_interval_shadow_0
+I: [EXECUTING]	././testcases/sets/0006create_set_0
+I: [OK]		././testcases/sets/0006create_set_0
+I: [EXECUTING]	././testcases/sets/0007create_element_0
+I: [OK]		././testcases/sets/0007create_element_0
+I: [EXECUTING]	././testcases/sets/0008comments_interval_0
+I: [OK]		././testcases/sets/0008comments_interval_0
+I: [EXECUTING]	././testcases/sets/0008create_verdict_map_0
+I: [OK]		././testcases/sets/0008create_verdict_map_0
+I: [EXECUTING]	././testcases/sets/0009comments_timeout_0
+I: [OK]		././testcases/sets/0009comments_timeout_0
+I: [EXECUTING]	././testcases/sets/0010comments_0
+I: [OK]		././testcases/sets/0010comments_0
+I: [EXECUTING]	././testcases/sets/0011add_many_elements_0
+I: [OK]		././testcases/sets/0011add_many_elements_0
+I: [EXECUTING]	././testcases/sets/0012add_delete_many_elements_0
+I: [OK]		././testcases/sets/0012add_delete_many_elements_0
+I: [EXECUTING]	././testcases/sets/0013add_delete_many_elements_0
+I: [OK]		././testcases/sets/0013add_delete_many_elements_0
+I: [EXECUTING]	././testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]		././testcases/sets/0014malformed_set_is_not_defined_0
+I: [EXECUTING]	././testcases/sets/0015rulesetflush_0
+I: [OK]		././testcases/sets/0015rulesetflush_0
+I: [EXECUTING]	././testcases/sets/0016element_leak_0
+I: [OK]		././testcases/sets/0016element_leak_0
+I: [EXECUTING]	././testcases/sets/0017add_after_flush_0
+I: [OK]		././testcases/sets/0017add_after_flush_0
+I: [EXECUTING]	././testcases/sets/0018set_check_size_1
+I: [OK]		././testcases/sets/0018set_check_size_1
+I: [EXECUTING]	././testcases/sets/0019set_check_size_0
+I: [OK]		././testcases/sets/0019set_check_size_0
+I: [EXECUTING]	././testcases/sets/0020comments_0
+I: [OK]		././testcases/sets/0020comments_0
+I: [EXECUTING]	././testcases/sets/0021nesting_0
+I: [OK]		././testcases/sets/0021nesting_0
+I: [EXECUTING]	././testcases/sets/0022type_selective_flush_0
+I: [OK]		././testcases/sets/0022type_selective_flush_0
+I: [EXECUTING]	././testcases/sets/0023incomplete_add_set_command_0
+I: [OK]		././testcases/sets/0023incomplete_add_set_command_0
+I: [EXECUTING]	././testcases/sets/0024named_objects_0
+I: [OK]		././testcases/sets/0024named_objects_0
+I: [EXECUTING]	././testcases/sets/0025anonymous_set_0
+I: [OK]		././testcases/sets/0025anonymous_set_0
+I: [EXECUTING]	././testcases/sets/0026named_limit_0
+I: [OK]		././testcases/sets/0026named_limit_0
+I: [EXECUTING]	././testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]		././testcases/sets/0027ipv6_maps_ipv4_0
+I: [EXECUTING]	././testcases/sets/0028autoselect_0
+I: [OK]		././testcases/sets/0028autoselect_0
+I: [EXECUTING]	././testcases/sets/0028delete_handle_0
+I: [OK]		././testcases/sets/0028delete_handle_0
+I: [EXECUTING]	././testcases/sets/0029named_ifname_dtype_0
+I: [OK]		././testcases/sets/0029named_ifname_dtype_0
+I: [EXECUTING]	././testcases/sets/0030add_many_elements_interval_0
+I: [OK]		././testcases/sets/0030add_many_elements_interval_0
+I: [EXECUTING]	././testcases/sets/0031set_timeout_size_0
+I: [OK]		././testcases/sets/0031set_timeout_size_0
+I: [EXECUTING]	././testcases/sets/0032restore_set_simple_0
+I: [OK]		././testcases/sets/0032restore_set_simple_0
+I: [EXECUTING]	././testcases/sets/0033add_set_simple_flat_0
+I: [OK]		././testcases/sets/0033add_set_simple_flat_0
+I: [EXECUTING]	././testcases/sets/0034get_element_0
+I: [OK]		././testcases/sets/0034get_element_0
+I: [EXECUTING]	././testcases/sets/0035add_set_elements_flat_0
+I: [OK]		././testcases/sets/0035add_set_elements_flat_0
+I: [EXECUTING]	././testcases/sets/0036add_set_element_expiration_0
+I: [OK]		././testcases/sets/0036add_set_element_expiration_0
+I: [EXECUTING]	././testcases/sets/0037_set_with_inet_service_0
+I: [OK]		././testcases/sets/0037_set_with_inet_service_0
+I: [EXECUTING]	././testcases/sets/0038meter_list_0
+I: [OK]		././testcases/sets/0038meter_list_0
+I: [EXECUTING]	././testcases/sets/0039delete_interval_0
+I: [OK]		././testcases/sets/0039delete_interval_0
+I: [EXECUTING]	././testcases/sets/0040get_host_endian_elements_0
+I: [OK]		././testcases/sets/0040get_host_endian_elements_0
+I: [EXECUTING]	././testcases/sets/0041interval_0
+I: [OK]		././testcases/sets/0041interval_0
+I: [EXECUTING]	././testcases/sets/0042update_set_0
+I: [OK]		././testcases/sets/0042update_set_0
+I: [EXECUTING]	././testcases/sets/0043concatenated_ranges_0
+I: [OK]		././testcases/sets/0043concatenated_ranges_0
+I: [EXECUTING]	././testcases/sets/0043concatenated_ranges_1
+I: [OK]		././testcases/sets/0043concatenated_ranges_1
+I: [EXECUTING]	././testcases/sets/0044interval_overlap_0
+I: [OK]		././testcases/sets/0044interval_overlap_0
+I: [EXECUTING]	././testcases/sets/0044interval_overlap_1
+I: [OK]		././testcases/sets/0044interval_overlap_1
+I: [EXECUTING]	././testcases/sets/0045concat_ipv4_service
+I: [OK]		././testcases/sets/0045concat_ipv4_service
+I: [EXECUTING]	././testcases/sets/0046netmap_0
+I: [OK]		././testcases/sets/0046netmap_0
+I: [EXECUTING]	././testcases/sets/0047nat_0
+I: [OK]		././testcases/sets/0047nat_0
+I: [EXECUTING]	././testcases/sets/0048set_counters_0
+I: [OK]		././testcases/sets/0048set_counters_0
+I: [EXECUTING]	././testcases/sets/0049set_define_0
+I: [OK]		././testcases/sets/0049set_define_0
+I: [EXECUTING]	././testcases/sets/0050set_define_1
+I: [OK]		././testcases/sets/0050set_define_1
+I: [EXECUTING]	././testcases/sets/0051set_interval_counter_0
+I: [OK]		././testcases/sets/0051set_interval_counter_0
+I: [EXECUTING]	././testcases/sets/0052overlap_0
+I: [OK]		././testcases/sets/0052overlap_0
+I: [EXECUTING]	././testcases/sets/0053echo_0
+I: [OK]		././testcases/sets/0053echo_0
+I: [EXECUTING]	././testcases/sets/0054comments_set_0
+I: [OK]		././testcases/sets/0054comments_set_0
+I: [EXECUTING]	././testcases/sets/0055tcpflags_0
+I: [OK]		././testcases/sets/0055tcpflags_0
+I: [EXECUTING]	././testcases/sets/0056dynamic_limit_0
+I: [OK]		././testcases/sets/0056dynamic_limit_0
+I: [EXECUTING]	././testcases/sets/0057set_create_fails_0
+I: [OK]		././testcases/sets/0057set_create_fails_0
+I: [EXECUTING]	././testcases/sets/0058_setupdate_timeout_0
+I: [OK]		././testcases/sets/0058_setupdate_timeout_0
+I: [EXECUTING]	././testcases/sets/0059set_update_multistmt_0
+I: [OK]		././testcases/sets/0059set_update_multistmt_0
+I: [EXECUTING]	././testcases/sets/0060set_multistmt_0
+I: [OK]		././testcases/sets/0060set_multistmt_0
+I: [EXECUTING]	././testcases/sets/0060set_multistmt_1
+I: [OK]		././testcases/sets/0060set_multistmt_1
+I: [EXECUTING]	././testcases/sets/0061anonymous_automerge_0
+I: [OK]		././testcases/sets/0061anonymous_automerge_0
+I: [EXECUTING]	././testcases/sets/0062set_connlimit_0
+I: [OK]		././testcases/sets/0062set_connlimit_0
+I: [EXECUTING]	././testcases/sets/0063set_catchall_0
+I: [OK]		././testcases/sets/0063set_catchall_0
+I: [EXECUTING]	././testcases/sets/0064map_catchall_0
+I: [OK]		././testcases/sets/0064map_catchall_0
+I: [EXECUTING]	././testcases/sets/0065_icmp_postprocessing
+I: [OK]		././testcases/sets/0065_icmp_postprocessing
+I: [EXECUTING]	././testcases/sets/0067nat_concat_interval_0
+I: [OK]		././testcases/sets/0067nat_concat_interval_0
+I: [EXECUTING]	././testcases/sets/0068interval_stack_overflow_0
+I: [OK]		././testcases/sets/0068interval_stack_overflow_0
+I: [EXECUTING]	././testcases/sets/0069interval_merge_0
+I: [OK]		././testcases/sets/0069interval_merge_0
+I: [EXECUTING]	././testcases/sets/0070stacked_l2_headers
+I: [OK]		././testcases/sets/0070stacked_l2_headers
+I: [EXECUTING]	././testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]		././testcases/sets/0071unclosed_prefix_interval_0
+I: [EXECUTING]	././testcases/sets/0072destroy_0
+W: [FAILED]	././testcases/sets/0072destroy_0
+I: [EXECUTING]	././testcases/sets/automerge_0
+I: [OK]		././testcases/sets/automerge_0
+I: [EXECUTING]	././testcases/sets/collapse_elem_0
+I: [OK]		././testcases/sets/collapse_elem_0
+I: [EXECUTING]	././testcases/sets/concat_interval_0
+I: [OK]		././testcases/sets/concat_interval_0
+I: [EXECUTING]	././testcases/sets/dynset_missing
+I: [OK]		././testcases/sets/dynset_missing
+I: [EXECUTING]	././testcases/sets/errors_0
+I: [OK]		././testcases/sets/errors_0
+I: [EXECUTING]	././testcases/sets/exact_overlap_0
+I: [OK]		././testcases/sets/exact_overlap_0
+I: [EXECUTING]	././testcases/sets/inner_0
+W: [FAILED]	././testcases/sets/inner_0
+I: [EXECUTING]	././testcases/sets/reset_command_0
+W: [FAILED]	././testcases/sets/reset_command_0
+I: [EXECUTING]	././testcases/sets/set_eval_0
+I: [OK]		././testcases/sets/set_eval_0
+I: [EXECUTING]	././testcases/sets/sets_with_ifnames
+I: [OK]		././testcases/sets/sets_with_ifnames
+I: [EXECUTING]	././testcases/sets/typeof_raw_0
+I: [OK]		././testcases/sets/typeof_raw_0
+I: [EXECUTING]	././testcases/sets/typeof_sets_0
+I: [OK]		././testcases/sets/typeof_sets_0
+I: [EXECUTING]	././testcases/sets/typeof_sets_1
+I: [OK]		././testcases/sets/typeof_sets_1
+I: [EXECUTING]	././testcases/sets/typeof_sets_concat
+I: [OK]		././testcases/sets/typeof_sets_concat
+I: [EXECUTING]	././testcases/sets/type_set_symbol
+I: [OK]		././testcases/sets/type_set_symbol
+I: [EXECUTING]	././testcases/transactions/0001table_0
+I: [OK]		././testcases/transactions/0001table_0
+I: [EXECUTING]	././testcases/transactions/0002table_0
+I: [OK]		././testcases/transactions/0002table_0
+I: [EXECUTING]	././testcases/transactions/0003table_0
+I: [OK]		././testcases/transactions/0003table_0
+I: [EXECUTING]	././testcases/transactions/0010chain_0
+I: [OK]		././testcases/transactions/0010chain_0
+I: [EXECUTING]	././testcases/transactions/0011chain_0
+I: [OK]		././testcases/transactions/0011chain_0
+I: [EXECUTING]	././testcases/transactions/0012chain_0
+I: [OK]		././testcases/transactions/0012chain_0
+I: [EXECUTING]	././testcases/transactions/0013chain_0
+I: [OK]		././testcases/transactions/0013chain_0
+I: [EXECUTING]	././testcases/transactions/0014chain_1
+I: [OK]		././testcases/transactions/0014chain_1
+I: [EXECUTING]	././testcases/transactions/0015chain_0
+I: [OK]		././testcases/transactions/0015chain_0
+I: [EXECUTING]	././testcases/transactions/0020rule_0
+I: [OK]		././testcases/transactions/0020rule_0
+I: [EXECUTING]	././testcases/transactions/0021rule_0
+I: [OK]		././testcases/transactions/0021rule_0
+I: [EXECUTING]	././testcases/transactions/0022rule_1
+I: [OK]		././testcases/transactions/0022rule_1
+I: [EXECUTING]	././testcases/transactions/0023rule_1
+I: [OK]		././testcases/transactions/0023rule_1
+I: [EXECUTING]	././testcases/transactions/0024rule_0
+I: [OK]		././testcases/transactions/0024rule_0
+I: [EXECUTING]	././testcases/transactions/0025rule_0
+I: [OK]		././testcases/transactions/0025rule_0
+I: [EXECUTING]	././testcases/transactions/0030set_0
+I: [OK]		././testcases/transactions/0030set_0
+I: [EXECUTING]	././testcases/transactions/0031set_0
+I: [OK]		././testcases/transactions/0031set_0
+I: [EXECUTING]	././testcases/transactions/0032set_0
+I: [OK]		././testcases/transactions/0032set_0
+I: [EXECUTING]	././testcases/transactions/0033set_0
+I: [OK]		././testcases/transactions/0033set_0
+I: [EXECUTING]	././testcases/transactions/0034set_0
+I: [OK]		././testcases/transactions/0034set_0
+I: [EXECUTING]	././testcases/transactions/0035set_0
+I: [OK]		././testcases/transactions/0035set_0
+I: [EXECUTING]	././testcases/transactions/0036set_1
+I: [OK]		././testcases/transactions/0036set_1
+I: [EXECUTING]	././testcases/transactions/0037set_0
+I: [OK]		././testcases/transactions/0037set_0
+I: [EXECUTING]	././testcases/transactions/0038set_0
+I: [OK]		././testcases/transactions/0038set_0
+I: [EXECUTING]	././testcases/transactions/0039set_0
+I: [OK]		././testcases/transactions/0039set_0
+I: [EXECUTING]	././testcases/transactions/0040set_0
+I: [OK]		././testcases/transactions/0040set_0
+I: [EXECUTING]	././testcases/transactions/0041nat_restore_0
+I: [OK]		././testcases/transactions/0041nat_restore_0
+I: [EXECUTING]	././testcases/transactions/0042_stateful_expr_0
+I: [OK]		././testcases/transactions/0042_stateful_expr_0
+I: [EXECUTING]	././testcases/transactions/0043set_1
+I: [OK]		././testcases/transactions/0043set_1
+I: [EXECUTING]	././testcases/transactions/0044rule_0
+I: [OK]		././testcases/transactions/0044rule_0
+I: [EXECUTING]	././testcases/transactions/0045anon-unbind_0
+I: [OK]		././testcases/transactions/0045anon-unbind_0
+I: [EXECUTING]	././testcases/transactions/0046set_0
+I: [OK]		././testcases/transactions/0046set_0
+I: [EXECUTING]	././testcases/transactions/0047set_0
+I: [OK]		././testcases/transactions/0047set_0
+I: [EXECUTING]	././testcases/transactions/0048helpers_0
+I: [OK]		././testcases/transactions/0048helpers_0
+I: [EXECUTING]	././testcases/transactions/0049huge_0
+I: [OK]		././testcases/transactions/0049huge_0
+I: [EXECUTING]	././testcases/transactions/0050rule_1
+I: [OK]		././testcases/transactions/0050rule_1
+I: [EXECUTING]	././testcases/transactions/0051map_0
+I: [OK]		././testcases/transactions/0051map_0
+I: [EXECUTING]	././testcases/transactions/30s-stress
+I: [OK]		././testcases/transactions/30s-stress
+I: [EXECUTING]	././testcases/transactions/anon_chain_loop
+I: [OK]		././testcases/transactions/anon_chain_loop
+I: [EXECUTING]	././testcases/transactions/bad_expression
+I: [OK]		././testcases/transactions/bad_expression
+
+W: [FAILED]	kmemleak detected 2966 memory leaks
+I: results: [OK] 361 [FAILED] 12 [TOTAL] 373
diff --git a/tests/shell/stable-log/log-5.4 b/tests/shell/stable-log/log-5.4
new file mode 100644
index 0000000..588866b
--- /dev/null
+++ b/tests/shell/stable-log/log-5.4
@@ -0,0 +1,751 @@
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_0
+W: [FAILED]	././testcases/bitwise/0040mark_binop_0
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_1
+W: [FAILED]	././testcases/bitwise/0040mark_binop_1
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_2
+W: [FAILED]	././testcases/bitwise/0040mark_binop_2
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_3
+W: [FAILED]	././testcases/bitwise/0040mark_binop_3
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_4
+W: [FAILED]	././testcases/bitwise/0040mark_binop_4
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_5
+W: [FAILED]	././testcases/bitwise/0040mark_binop_5
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_6
+W: [FAILED]	././testcases/bitwise/0040mark_binop_6
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_7
+W: [FAILED]	././testcases/bitwise/0040mark_binop_7
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_8
+W: [FAILED]	././testcases/bitwise/0040mark_binop_8
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_9
+W: [FAILED]	././testcases/bitwise/0040mark_binop_9
+I: [EXECUTING]	././testcases/bogons/assert_failures
+I: [OK]		././testcases/bogons/assert_failures
+I: [EXECUTING]	././testcases/cache/0001_cache_handling_0
+I: [OK]		././testcases/cache/0001_cache_handling_0
+I: [EXECUTING]	././testcases/cache/0002_interval_0
+I: [OK]		././testcases/cache/0002_interval_0
+I: [EXECUTING]	././testcases/cache/0003_cache_update_0
+I: [OK]		././testcases/cache/0003_cache_update_0
+I: [EXECUTING]	././testcases/cache/0004_cache_update_0
+I: [OK]		././testcases/cache/0004_cache_update_0
+I: [EXECUTING]	././testcases/cache/0005_cache_chain_flush
+I: [OK]		././testcases/cache/0005_cache_chain_flush
+I: [EXECUTING]	././testcases/cache/0006_cache_table_flush
+I: [OK]		././testcases/cache/0006_cache_table_flush
+I: [EXECUTING]	././testcases/cache/0007_echo_cache_init_0
+I: [OK]		././testcases/cache/0007_echo_cache_init_0
+I: [EXECUTING]	././testcases/cache/0008_delete_by_handle_0
+W: [FAILED]	././testcases/cache/0008_delete_by_handle_0
+I: [EXECUTING]	././testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]		././testcases/cache/0009_delete_by_handle_incorrect_0
+I: [EXECUTING]	././testcases/cache/0010_implicit_chain_0
+W: [FAILED]	././testcases/cache/0010_implicit_chain_0
+I: [EXECUTING]	././testcases/cache/0011_index_0
+I: [OK]		././testcases/cache/0011_index_0
+I: [EXECUTING]	././testcases/chains/0001jumps_0
+I: [OK]		././testcases/chains/0001jumps_0
+I: [EXECUTING]	././testcases/chains/0002jumps_1
+I: [OK]		././testcases/chains/0002jumps_1
+I: [EXECUTING]	././testcases/chains/0003jump_loop_1
+I: [OK]		././testcases/chains/0003jump_loop_1
+I: [EXECUTING]	././testcases/chains/0004busy_1
+I: [OK]		././testcases/chains/0004busy_1
+I: [EXECUTING]	././testcases/chains/0005busy_map_1
+I: [OK]		././testcases/chains/0005busy_map_1
+I: [EXECUTING]	././testcases/chains/0006masquerade_0
+I: [OK]		././testcases/chains/0006masquerade_0
+I: [EXECUTING]	././testcases/chains/0007masquerade_1
+I: [OK]		././testcases/chains/0007masquerade_1
+I: [EXECUTING]	././testcases/chains/0008masquerade_jump_1
+I: [OK]		././testcases/chains/0008masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0009masquerade_jump_1
+I: [OK]		././testcases/chains/0009masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0010endless_jump_loop_1
+I: [OK]		././testcases/chains/0010endless_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0011endless_jump_loop_1
+I: [OK]		././testcases/chains/0011endless_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0013rename_0
+I: [OK]		././testcases/chains/0013rename_0
+I: [EXECUTING]	././testcases/chains/0014rename_0
+I: [OK]		././testcases/chains/0014rename_0
+I: [EXECUTING]	././testcases/chains/0015check_jump_loop_1
+I: [OK]		././testcases/chains/0015check_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0016delete_handle_0
+I: [OK]		././testcases/chains/0016delete_handle_0
+I: [EXECUTING]	././testcases/chains/0017masquerade_jump_1
+I: [OK]		././testcases/chains/0017masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0018check_jump_loop_1
+I: [OK]		././testcases/chains/0018check_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0019masquerade_jump_1
+I: [OK]		././testcases/chains/0019masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0020depth_1
+I: [OK]		././testcases/chains/0020depth_1
+I: [EXECUTING]	././testcases/chains/0021prio_0
+W: [FAILED]	././testcases/chains/0021prio_0
+I: [EXECUTING]	././testcases/chains/0022prio_dummy_1
+I: [OK]		././testcases/chains/0022prio_dummy_1
+I: [EXECUTING]	././testcases/chains/0023prio_inet_srcnat_1
+I: [OK]		././testcases/chains/0023prio_inet_srcnat_1
+I: [EXECUTING]	././testcases/chains/0024prio_inet_dstnat_1
+I: [OK]		././testcases/chains/0024prio_inet_dstnat_1
+I: [EXECUTING]	././testcases/chains/0025prio_arp_1
+I: [OK]		././testcases/chains/0025prio_arp_1
+I: [EXECUTING]	././testcases/chains/0026prio_netdev_1
+I: [OK]		././testcases/chains/0026prio_netdev_1
+I: [EXECUTING]	././testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]		././testcases/chains/0027prio_bridge_dstnat_1
+I: [EXECUTING]	././testcases/chains/0028prio_bridge_out_1
+I: [OK]		././testcases/chains/0028prio_bridge_out_1
+I: [EXECUTING]	././testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]		././testcases/chains/0029prio_bridge_srcnat_1
+I: [EXECUTING]	././testcases/chains/0030create_0
+I: [OK]		././testcases/chains/0030create_0
+I: [EXECUTING]	././testcases/chains/0031priority_variable_0
+I: [OK]		././testcases/chains/0031priority_variable_0
+I: [EXECUTING]	././testcases/chains/0032priority_variable_0
+I: [OK]		././testcases/chains/0032priority_variable_0
+I: [EXECUTING]	././testcases/chains/0033priority_variable_1
+I: [OK]		././testcases/chains/0033priority_variable_1
+I: [EXECUTING]	././testcases/chains/0034priority_variable_1
+I: [OK]		././testcases/chains/0034priority_variable_1
+I: [EXECUTING]	././testcases/chains/0035policy_variable_0
+I: [OK]		././testcases/chains/0035policy_variable_0
+I: [EXECUTING]	././testcases/chains/0036policy_variable_0
+I: [OK]		././testcases/chains/0036policy_variable_0
+I: [EXECUTING]	././testcases/chains/0037policy_variable_1
+I: [OK]		././testcases/chains/0037policy_variable_1
+I: [EXECUTING]	././testcases/chains/0038policy_variable_1
+I: [OK]		././testcases/chains/0038policy_variable_1
+I: [EXECUTING]	././testcases/chains/0039negative_priority_0
+I: [OK]		././testcases/chains/0039negative_priority_0
+I: [EXECUTING]	././testcases/chains/0041chain_binding_0
+W: [FAILED]	././testcases/chains/0041chain_binding_0
+I: [EXECUTING]	././testcases/chains/0042chain_variable_0
+W: [FAILED]	././testcases/chains/0042chain_variable_0
+I: [EXECUTING]	././testcases/chains/0043chain_ingress_0
+W: [FAILED]	././testcases/chains/0043chain_ingress_0
+W: [FAILED]	kernel is tainted: 0  -> 512
+I: [EXECUTING]	././testcases/chains/0044chain_destroy_0
+W: [FAILED]	././testcases/chains/0044chain_destroy_0
+I: [EXECUTING]	././testcases/chains/netdev_chain_0
+W: [FAILED]	././testcases/chains/netdev_chain_0
+I: [EXECUTING]	././testcases/comments/comments_0
+I: [OK]		././testcases/comments/comments_0
+I: [EXECUTING]	././testcases/flowtable/0001flowtable_0
+I: [OK]		././testcases/flowtable/0001flowtable_0
+I: [EXECUTING]	././testcases/flowtable/0002create_flowtable_0
+I: [OK]		././testcases/flowtable/0002create_flowtable_0
+I: [EXECUTING]	././testcases/flowtable/0003add_after_flush_0
+I: [OK]		././testcases/flowtable/0003add_after_flush_0
+I: [EXECUTING]	././testcases/flowtable/0004delete_after_add_0
+I: [OK]		././testcases/flowtable/0004delete_after_add_0
+I: [EXECUTING]	././testcases/flowtable/0005delete_in_use_1
+I: [OK]		././testcases/flowtable/0005delete_in_use_1
+I: [EXECUTING]	././testcases/flowtable/0006segfault_0
+I: [OK]		././testcases/flowtable/0006segfault_0
+I: [EXECUTING]	././testcases/flowtable/0007prio_0
+I: [OK]		././testcases/flowtable/0007prio_0
+I: [EXECUTING]	././testcases/flowtable/0008prio_1
+I: [OK]		././testcases/flowtable/0008prio_1
+I: [EXECUTING]	././testcases/flowtable/0009deleteafterflush_0
+I: [OK]		././testcases/flowtable/0009deleteafterflush_0
+I: [EXECUTING]	././testcases/flowtable/0010delete_handle_0
+I: [OK]		././testcases/flowtable/0010delete_handle_0
+I: [EXECUTING]	././testcases/flowtable/0011deleteafterflush_0
+I: [OK]		././testcases/flowtable/0011deleteafterflush_0
+I: [EXECUTING]	././testcases/flowtable/0012flowtable_variable_0
+W: [DUMP FAIL]	././testcases/flowtable/0012flowtable_variable_0
+I: [EXECUTING]	././testcases/flowtable/0013addafterdelete_0
+W: [FAILED]	././testcases/flowtable/0013addafterdelete_0
+I: [EXECUTING]	././testcases/flowtable/0014addafterdelete_0
+W: [FAILED]	././testcases/flowtable/0014addafterdelete_0
+I: [EXECUTING]	././testcases/flowtable/0015destroy_0
+W: [FAILED]	././testcases/flowtable/0015destroy_0
+I: [EXECUTING]	././testcases/include/0001absolute_0
+I: [OK]		././testcases/include/0001absolute_0
+I: [EXECUTING]	././testcases/include/0002relative_0
+I: [OK]		././testcases/include/0002relative_0
+I: [EXECUTING]	././testcases/include/0003includepath_0
+I: [OK]		././testcases/include/0003includepath_0
+I: [EXECUTING]	././testcases/include/0004endlessloop_1
+I: [OK]		././testcases/include/0004endlessloop_1
+I: [EXECUTING]	././testcases/include/0005glob_empty_0
+I: [OK]		././testcases/include/0005glob_empty_0
+I: [EXECUTING]	././testcases/include/0006glob_single_0
+I: [OK]		././testcases/include/0006glob_single_0
+I: [EXECUTING]	././testcases/include/0007glob_double_0
+I: [OK]		././testcases/include/0007glob_double_0
+I: [EXECUTING]	././testcases/include/0008glob_nofile_wildcard_0
+I: [OK]		././testcases/include/0008glob_nofile_wildcard_0
+I: [EXECUTING]	././testcases/include/0009glob_nofile_1
+I: [OK]		././testcases/include/0009glob_nofile_1
+I: [EXECUTING]	././testcases/include/0010glob_broken_file_1
+I: [OK]		././testcases/include/0010glob_broken_file_1
+I: [EXECUTING]	././testcases/include/0011glob_dependency_0
+I: [OK]		././testcases/include/0011glob_dependency_0
+I: [EXECUTING]	././testcases/include/0012glob_dependency_1
+I: [OK]		././testcases/include/0012glob_dependency_1
+I: [EXECUTING]	././testcases/include/0013glob_dotfile_0
+I: [OK]		././testcases/include/0013glob_dotfile_0
+I: [EXECUTING]	././testcases/include/0013input_descriptors_included_files_0
+I: [OK]		././testcases/include/0013input_descriptors_included_files_0
+I: [EXECUTING]	././testcases/include/0014glob_directory_0
+I: [OK]		././testcases/include/0014glob_directory_0
+I: [EXECUTING]	././testcases/include/0015doubleincludepath_0
+I: [OK]		././testcases/include/0015doubleincludepath_0
+I: [EXECUTING]	././testcases/include/0016maxdepth_0
+I: [OK]		././testcases/include/0016maxdepth_0
+I: [EXECUTING]	././testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]		././testcases/include/0017glob_more_than_maxdepth_1
+I: [EXECUTING]	././testcases/include/0018include_error_0
+I: [OK]		././testcases/include/0018include_error_0
+I: [EXECUTING]	././testcases/include/0019include_error_0
+I: [OK]		././testcases/include/0019include_error_0
+I: [EXECUTING]	././testcases/include/0020include_chain_0
+I: [OK]		././testcases/include/0020include_chain_0
+I: [EXECUTING]	././testcases/json/0001set_statements_0
+I: [OK]		././testcases/json/0001set_statements_0
+I: [EXECUTING]	././testcases/json/0002table_map_0
+W: [DUMP FAIL]	././testcases/json/0002table_map_0
+I: [EXECUTING]	././testcases/json/0003json_schema_version_0
+I: [OK]		././testcases/json/0003json_schema_version_0
+I: [EXECUTING]	././testcases/json/0004json_schema_version_1
+I: [OK]		././testcases/json/0004json_schema_version_1
+I: [EXECUTING]	././testcases/json/0005secmark_objref_0
+I: [OK]		././testcases/json/0005secmark_objref_0
+I: [EXECUTING]	././testcases/json/0006obj_comment_0
+W: [DUMP FAIL]	././testcases/json/0006obj_comment_0
+I: [EXECUTING]	././testcases/json/netdev
+I: [OK]		././testcases/json/netdev
+I: [EXECUTING]	././testcases/listing/0001ruleset_0
+I: [OK]		././testcases/listing/0001ruleset_0
+I: [EXECUTING]	././testcases/listing/0002ruleset_0
+I: [OK]		././testcases/listing/0002ruleset_0
+I: [EXECUTING]	././testcases/listing/0003table_0
+I: [OK]		././testcases/listing/0003table_0
+I: [EXECUTING]	././testcases/listing/0004table_0
+I: [OK]		././testcases/listing/0004table_0
+I: [EXECUTING]	././testcases/listing/0005ruleset_ip_0
+I: [OK]		././testcases/listing/0005ruleset_ip_0
+I: [EXECUTING]	././testcases/listing/0006ruleset_ip6_0
+I: [OK]		././testcases/listing/0006ruleset_ip6_0
+I: [EXECUTING]	././testcases/listing/0007ruleset_inet_0
+I: [OK]		././testcases/listing/0007ruleset_inet_0
+I: [EXECUTING]	././testcases/listing/0008ruleset_arp_0
+I: [OK]		././testcases/listing/0008ruleset_arp_0
+I: [EXECUTING]	././testcases/listing/0009ruleset_bridge_0
+I: [OK]		././testcases/listing/0009ruleset_bridge_0
+I: [EXECUTING]	././testcases/listing/0010sets_0
+I: [OK]		././testcases/listing/0010sets_0
+I: [EXECUTING]	././testcases/listing/0011sets_0
+I: [OK]		././testcases/listing/0011sets_0
+I: [EXECUTING]	././testcases/listing/0012sets_0
+I: [OK]		././testcases/listing/0012sets_0
+I: [EXECUTING]	././testcases/listing/0013objects_0
+I: [OK]		././testcases/listing/0013objects_0
+I: [EXECUTING]	././testcases/listing/0014objects_0
+I: [OK]		././testcases/listing/0014objects_0
+I: [EXECUTING]	././testcases/listing/0015dynamic_0
+I: [OK]		././testcases/listing/0015dynamic_0
+I: [EXECUTING]	././testcases/listing/0016anonymous_0
+I: [OK]		././testcases/listing/0016anonymous_0
+I: [EXECUTING]	././testcases/listing/0017objects_0
+I: [OK]		././testcases/listing/0017objects_0
+I: [EXECUTING]	././testcases/listing/0018data_0
+I: [OK]		././testcases/listing/0018data_0
+I: [EXECUTING]	././testcases/listing/0019set_0
+I: [OK]		././testcases/listing/0019set_0
+I: [EXECUTING]	././testcases/listing/0020flowtable_0
+I: [OK]		././testcases/listing/0020flowtable_0
+I: [EXECUTING]	././testcases/listing/0021ruleset_json_terse_0
+I: [OK]		././testcases/listing/0021ruleset_json_terse_0
+I: [EXECUTING]	././testcases/listing/0022terse_0
+I: [OK]		././testcases/listing/0022terse_0
+I: [EXECUTING]	././testcases/maps/0003map_add_many_elements_0
+I: [OK]		././testcases/maps/0003map_add_many_elements_0
+I: [EXECUTING]	././testcases/maps/0004interval_map_create_once_0
+I: [OK]		././testcases/maps/0004interval_map_create_once_0
+I: [EXECUTING]	././testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]		././testcases/maps/0005interval_map_add_many_elements_0
+I: [EXECUTING]	././testcases/maps/0006interval_map_overlap_0
+I: [OK]		././testcases/maps/0006interval_map_overlap_0
+I: [EXECUTING]	././testcases/maps/0007named_ifname_dtype_0
+I: [OK]		././testcases/maps/0007named_ifname_dtype_0
+I: [EXECUTING]	././testcases/maps/0008interval_map_delete_0
+I: [OK]		././testcases/maps/0008interval_map_delete_0
+I: [EXECUTING]	././testcases/maps/0009vmap_0
+W: [DUMP FAIL]	././testcases/maps/0009vmap_0
+I: [EXECUTING]	././testcases/maps/0010concat_map_0
+I: [OK]		././testcases/maps/0010concat_map_0
+I: [EXECUTING]	././testcases/maps/0011vmap_0
+W: [FAILED]	././testcases/maps/0011vmap_0
+I: [EXECUTING]	././testcases/maps/0012map_0
+W: [FAILED]	././testcases/maps/0012map_0
+I: [EXECUTING]	././testcases/maps/0013map_0
+W: [FAILED]	././testcases/maps/0013map_0
+I: [EXECUTING]	././testcases/maps/0014destroy_0
+W: [FAILED]	././testcases/maps/0014destroy_0
+I: [EXECUTING]	././testcases/maps/0016map_leak_0
+I: [OK]		././testcases/maps/0016map_leak_0
+I: [EXECUTING]	././testcases/maps/0017_map_variable_0
+W: [FAILED]	././testcases/maps/0017_map_variable_0
+I: [EXECUTING]	././testcases/maps/0018map_leak_timeout_0
+I: [OK]		././testcases/maps/0018map_leak_timeout_0
+I: [EXECUTING]	././testcases/maps/anon_objmap_concat
+W: [FAILED]	././testcases/maps/anon_objmap_concat
+I: [EXECUTING]	././testcases/maps/anonymous_snat_map_0
+I: [OK]		././testcases/maps/anonymous_snat_map_0
+I: [EXECUTING]	././testcases/maps/different_map_types_1
+I: [OK]		././testcases/maps/different_map_types_1
+I: [EXECUTING]	././testcases/maps/map_catchall_double_deactivate
+W: [FAILED]	././testcases/maps/map_catchall_double_deactivate
+I: [EXECUTING]	././testcases/maps/map_with_flags_0
+I: [OK]		././testcases/maps/map_with_flags_0
+I: [EXECUTING]	././testcases/maps/named_snat_map_0
+I: [OK]		././testcases/maps/named_snat_map_0
+I: [EXECUTING]	././testcases/maps/nat_addr_port
+I: [OK]		././testcases/maps/nat_addr_port
+I: [EXECUTING]	././testcases/maps/typeof_integer_0
+W: [FAILED]	././testcases/maps/typeof_integer_0
+I: [EXECUTING]	././testcases/maps/typeof_maps_0
+I: [OK]		././testcases/maps/typeof_maps_0
+I: [EXECUTING]	././testcases/maps/typeof_maps_add_delete
+W: [FAILED]	././testcases/maps/typeof_maps_add_delete
+I: [EXECUTING]	././testcases/maps/typeof_maps_concat
+I: [OK]		././testcases/maps/typeof_maps_concat
+I: [EXECUTING]	././testcases/maps/typeof_maps_concat_update_0
+I: [OK]		././testcases/maps/typeof_maps_concat_update_0
+I: [EXECUTING]	././testcases/maps/typeof_maps_update_0
+I: [OK]		././testcases/maps/typeof_maps_update_0
+I: [EXECUTING]	././testcases/maps/typeof_raw_0
+W: [FAILED]	././testcases/maps/typeof_raw_0
+I: [EXECUTING]	././testcases/maps/vmap_timeout
+I: [OK]		././testcases/maps/vmap_timeout
+I: [EXECUTING]	././testcases/netns/0001nft-f_0
+I: [OK]		././testcases/netns/0001nft-f_0
+I: [EXECUTING]	././testcases/netns/0002loosecommands_0
+I: [OK]		././testcases/netns/0002loosecommands_0
+I: [EXECUTING]	././testcases/netns/0003many_0
+I: [OK]		././testcases/netns/0003many_0
+I: [EXECUTING]	././testcases/nft-f/0001define_slash_0
+I: [OK]		././testcases/nft-f/0001define_slash_0
+I: [EXECUTING]	././testcases/nft-f/0002rollback_rule_0
+I: [OK]		././testcases/nft-f/0002rollback_rule_0
+I: [EXECUTING]	././testcases/nft-f/0003rollback_jump_0
+I: [OK]		././testcases/nft-f/0003rollback_jump_0
+I: [EXECUTING]	././testcases/nft-f/0004rollback_set_0
+I: [OK]		././testcases/nft-f/0004rollback_set_0
+I: [EXECUTING]	././testcases/nft-f/0005rollback_map_0
+I: [OK]		././testcases/nft-f/0005rollback_map_0
+I: [EXECUTING]	././testcases/nft-f/0006action_object_0
+I: [OK]		././testcases/nft-f/0006action_object_0
+I: [EXECUTING]	././testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]		././testcases/nft-f/0007action_object_set_segfault_1
+I: [EXECUTING]	././testcases/nft-f/0008split_tables_0
+I: [OK]		././testcases/nft-f/0008split_tables_0
+I: [EXECUTING]	././testcases/nft-f/0009variable_0
+I: [OK]		././testcases/nft-f/0009variable_0
+I: [EXECUTING]	././testcases/nft-f/0010variable_0
+I: [OK]		././testcases/nft-f/0010variable_0
+I: [EXECUTING]	././testcases/nft-f/0011manydefines_0
+I: [OK]		././testcases/nft-f/0011manydefines_0
+I: [EXECUTING]	././testcases/nft-f/0012different_defines_0
+I: [OK]		././testcases/nft-f/0012different_defines_0
+I: [EXECUTING]	././testcases/nft-f/0013defines_1
+I: [OK]		././testcases/nft-f/0013defines_1
+I: [EXECUTING]	././testcases/nft-f/0014defines_1
+I: [OK]		././testcases/nft-f/0014defines_1
+I: [EXECUTING]	././testcases/nft-f/0015defines_1
+I: [OK]		././testcases/nft-f/0015defines_1
+I: [EXECUTING]	././testcases/nft-f/0016redefines_1
+I: [OK]		././testcases/nft-f/0016redefines_1
+I: [EXECUTING]	././testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]		././testcases/nft-f/0017ct_timeout_obj_0
+I: [EXECUTING]	././testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]		././testcases/nft-f/0018ct_expectation_obj_0
+I: [EXECUTING]	././testcases/nft-f/0018jump_variable_0
+I: [OK]		././testcases/nft-f/0018jump_variable_0
+I: [EXECUTING]	././testcases/nft-f/0019jump_variable_1
+I: [OK]		././testcases/nft-f/0019jump_variable_1
+I: [EXECUTING]	././testcases/nft-f/0020jump_variable_1
+I: [OK]		././testcases/nft-f/0020jump_variable_1
+I: [EXECUTING]	././testcases/nft-f/0021list_ruleset_0
+I: [OK]		././testcases/nft-f/0021list_ruleset_0
+I: [EXECUTING]	././testcases/nft-f/0022variables_0
+I: [OK]		././testcases/nft-f/0022variables_0
+I: [EXECUTING]	././testcases/nft-f/0023check_1
+I: [OK]		././testcases/nft-f/0023check_1
+I: [EXECUTING]	././testcases/nft-f/0024priority_0
+I: [OK]		././testcases/nft-f/0024priority_0
+I: [EXECUTING]	././testcases/nft-f/0025empty_dynset_0
+W: [DUMP FAIL]	././testcases/nft-f/0025empty_dynset_0
+I: [EXECUTING]	././testcases/nft-f/0026listing_0
+I: [OK]		././testcases/nft-f/0026listing_0
+I: [EXECUTING]	././testcases/nft-f/0027split_chains_0
+I: [OK]		././testcases/nft-f/0027split_chains_0
+I: [EXECUTING]	././testcases/nft-f/0028variable_cmdline_0
+I: [OK]		././testcases/nft-f/0028variable_cmdline_0
+I: [EXECUTING]	././testcases/nft-f/0029split_file_0
+I: [OK]		././testcases/nft-f/0029split_file_0
+I: [EXECUTING]	././testcases/nft-f/0030variable_reuse_0
+I: [OK]		././testcases/nft-f/0030variable_reuse_0
+I: [EXECUTING]	././testcases/nft-f/0031vmap_string_0
+I: [OK]		././testcases/nft-f/0031vmap_string_0
+I: [EXECUTING]	././testcases/nft-f/0032pknock_0
+I: [OK]		././testcases/nft-f/0032pknock_0
+I: [EXECUTING]	././testcases/nft-i/0001define_0
+I: [OK]		././testcases/nft-i/0001define_0
+I: [EXECUTING]	././testcases/optimizations/dependency_kill
+I: [OK]		././testcases/optimizations/dependency_kill
+I: [EXECUTING]	././testcases/optimizations/merge_nat
+W: [FAILED]	././testcases/optimizations/merge_nat
+I: [EXECUTING]	././testcases/optimizations/merge_reject
+I: [OK]		././testcases/optimizations/merge_reject
+I: [EXECUTING]	././testcases/optimizations/merge_stmts
+I: [OK]		././testcases/optimizations/merge_stmts
+I: [EXECUTING]	././testcases/optimizations/merge_stmts_concat
+W: [FAILED]	././testcases/optimizations/merge_stmts_concat
+I: [EXECUTING]	././testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]		././testcases/optimizations/merge_stmts_concat_vmap
+I: [EXECUTING]	././testcases/optimizations/merge_stmts_vmap
+W: [DUMP FAIL]	././testcases/optimizations/merge_stmts_vmap
+I: [EXECUTING]	././testcases/optimizations/merge_vmap_raw
+W: [FAILED]	././testcases/optimizations/merge_vmap_raw
+I: [EXECUTING]	././testcases/optimizations/merge_vmaps
+I: [OK]		././testcases/optimizations/merge_vmaps
+I: [EXECUTING]	././testcases/optimizations/not_mergeable
+I: [OK]		././testcases/optimizations/not_mergeable
+I: [EXECUTING]	././testcases/optimizations/ruleset
+W: [FAILED]	././testcases/optimizations/ruleset
+I: [EXECUTING]	././testcases/optimizations/single_anon_set
+W: [FAILED]	././testcases/optimizations/single_anon_set
+I: [EXECUTING]	././testcases/optimizations/skip_merge
+I: [OK]		././testcases/optimizations/skip_merge
+I: [EXECUTING]	././testcases/optimizations/skip_non_eq
+I: [OK]		././testcases/optimizations/skip_non_eq
+I: [EXECUTING]	././testcases/optimizations/skip_unsupported
+I: [OK]		././testcases/optimizations/skip_unsupported
+I: [EXECUTING]	././testcases/optimizations/variables
+I: [OK]		././testcases/optimizations/variables
+I: [EXECUTING]	././testcases/optionals/comments_0
+I: [OK]		././testcases/optionals/comments_0
+I: [EXECUTING]	././testcases/optionals/comments_chain_0
+W: [DUMP FAIL]	././testcases/optionals/comments_chain_0
+I: [EXECUTING]	././testcases/optionals/comments_handles_0
+I: [OK]		././testcases/optionals/comments_handles_0
+I: [EXECUTING]	././testcases/optionals/comments_objects_0
+W: [DUMP FAIL]	././testcases/optionals/comments_objects_0
+I: [EXECUTING]	././testcases/optionals/comments_objects_dup_0
+I: [OK]		././testcases/optionals/comments_objects_dup_0
+I: [EXECUTING]	././testcases/optionals/comments_table_0
+W: [DUMP FAIL]	././testcases/optionals/comments_table_0
+I: [EXECUTING]	././testcases/optionals/delete_object_handles_0
+I: [OK]		././testcases/optionals/delete_object_handles_0
+I: [EXECUTING]	././testcases/optionals/handles_0
+I: [OK]		././testcases/optionals/handles_0
+I: [EXECUTING]	././testcases/optionals/handles_1
+I: [OK]		././testcases/optionals/handles_1
+I: [EXECUTING]	././testcases/optionals/log_prefix_0
+I: [OK]		././testcases/optionals/log_prefix_0
+I: [EXECUTING]	././testcases/optionals/update_object_handles_0
+I: [OK]		././testcases/optionals/update_object_handles_0
+I: [EXECUTING]	././testcases/owner/0001-flowtable-uaf
+W: [FAILED]	././testcases/owner/0001-flowtable-uaf
+I: [EXECUTING]	././testcases/parsing/describe
+I: [OK]		././testcases/parsing/describe
+I: [EXECUTING]	././testcases/parsing/large_rule_pipe
+I: [OK]		././testcases/parsing/large_rule_pipe
+I: [EXECUTING]	././testcases/parsing/log
+I: [OK]		././testcases/parsing/log
+I: [EXECUTING]	././testcases/parsing/octal
+I: [OK]		././testcases/parsing/octal
+I: [EXECUTING]	././testcases/rule_management/0001addinsertposition_0
+I: [OK]		././testcases/rule_management/0001addinsertposition_0
+I: [EXECUTING]	././testcases/rule_management/0002addinsertlocation_1
+I: [OK]		././testcases/rule_management/0002addinsertlocation_1
+I: [EXECUTING]	././testcases/rule_management/0003insert_0
+I: [OK]		././testcases/rule_management/0003insert_0
+I: [EXECUTING]	././testcases/rule_management/0004replace_0
+I: [OK]		././testcases/rule_management/0004replace_0
+I: [EXECUTING]	././testcases/rule_management/0005replace_1
+I: [OK]		././testcases/rule_management/0005replace_1
+I: [EXECUTING]	././testcases/rule_management/0006replace_1
+I: [OK]		././testcases/rule_management/0006replace_1
+I: [EXECUTING]	././testcases/rule_management/0007delete_0
+I: [OK]		././testcases/rule_management/0007delete_0
+I: [EXECUTING]	././testcases/rule_management/0008delete_1
+I: [OK]		././testcases/rule_management/0008delete_1
+I: [EXECUTING]	././testcases/rule_management/0009delete_1
+I: [OK]		././testcases/rule_management/0009delete_1
+I: [EXECUTING]	././testcases/rule_management/0010replace_0
+I: [OK]		././testcases/rule_management/0010replace_0
+I: [EXECUTING]	././testcases/rule_management/0011reset_0
+W: [FAILED]	././testcases/rule_management/0011reset_0
+I: [EXECUTING]	././testcases/rule_management/0012destroy_0
+W: [FAILED]	././testcases/rule_management/0012destroy_0
+I: [EXECUTING]	././testcases/sets/0001named_interval_0
+I: [OK]		././testcases/sets/0001named_interval_0
+I: [EXECUTING]	././testcases/sets/0002named_interval_automerging_0
+I: [OK]		././testcases/sets/0002named_interval_automerging_0
+I: [EXECUTING]	././testcases/sets/0003named_interval_missing_flag_0
+I: [OK]		././testcases/sets/0003named_interval_missing_flag_0
+I: [EXECUTING]	././testcases/sets/0004named_interval_shadow_0
+I: [OK]		././testcases/sets/0004named_interval_shadow_0
+I: [EXECUTING]	././testcases/sets/0005named_interval_shadow_0
+I: [OK]		././testcases/sets/0005named_interval_shadow_0
+I: [EXECUTING]	././testcases/sets/0006create_set_0
+I: [OK]		././testcases/sets/0006create_set_0
+I: [EXECUTING]	././testcases/sets/0007create_element_0
+I: [OK]		././testcases/sets/0007create_element_0
+I: [EXECUTING]	././testcases/sets/0008comments_interval_0
+I: [OK]		././testcases/sets/0008comments_interval_0
+I: [EXECUTING]	././testcases/sets/0008create_verdict_map_0
+I: [OK]		././testcases/sets/0008create_verdict_map_0
+I: [EXECUTING]	././testcases/sets/0009comments_timeout_0
+I: [OK]		././testcases/sets/0009comments_timeout_0
+I: [EXECUTING]	././testcases/sets/0010comments_0
+I: [OK]		././testcases/sets/0010comments_0
+I: [EXECUTING]	././testcases/sets/0011add_many_elements_0
+I: [OK]		././testcases/sets/0011add_many_elements_0
+I: [EXECUTING]	././testcases/sets/0012add_delete_many_elements_0
+I: [OK]		././testcases/sets/0012add_delete_many_elements_0
+I: [EXECUTING]	././testcases/sets/0013add_delete_many_elements_0
+I: [OK]		././testcases/sets/0013add_delete_many_elements_0
+I: [EXECUTING]	././testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]		././testcases/sets/0014malformed_set_is_not_defined_0
+I: [EXECUTING]	././testcases/sets/0015rulesetflush_0
+I: [OK]		././testcases/sets/0015rulesetflush_0
+I: [EXECUTING]	././testcases/sets/0016element_leak_0
+I: [OK]		././testcases/sets/0016element_leak_0
+I: [EXECUTING]	././testcases/sets/0017add_after_flush_0
+I: [OK]		././testcases/sets/0017add_after_flush_0
+I: [EXECUTING]	././testcases/sets/0018set_check_size_1
+I: [OK]		././testcases/sets/0018set_check_size_1
+I: [EXECUTING]	././testcases/sets/0019set_check_size_0
+I: [OK]		././testcases/sets/0019set_check_size_0
+I: [EXECUTING]	././testcases/sets/0020comments_0
+I: [OK]		././testcases/sets/0020comments_0
+I: [EXECUTING]	././testcases/sets/0021nesting_0
+I: [OK]		././testcases/sets/0021nesting_0
+I: [EXECUTING]	././testcases/sets/0022type_selective_flush_0
+I: [OK]		././testcases/sets/0022type_selective_flush_0
+I: [EXECUTING]	././testcases/sets/0023incomplete_add_set_command_0
+I: [OK]		././testcases/sets/0023incomplete_add_set_command_0
+I: [EXECUTING]	././testcases/sets/0024named_objects_0
+I: [OK]		././testcases/sets/0024named_objects_0
+I: [EXECUTING]	././testcases/sets/0025anonymous_set_0
+I: [OK]		././testcases/sets/0025anonymous_set_0
+I: [EXECUTING]	././testcases/sets/0026named_limit_0
+I: [OK]		././testcases/sets/0026named_limit_0
+I: [EXECUTING]	././testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]		././testcases/sets/0027ipv6_maps_ipv4_0
+I: [EXECUTING]	././testcases/sets/0028autoselect_0
+I: [OK]		././testcases/sets/0028autoselect_0
+I: [EXECUTING]	././testcases/sets/0028delete_handle_0
+I: [OK]		././testcases/sets/0028delete_handle_0
+I: [EXECUTING]	././testcases/sets/0029named_ifname_dtype_0
+I: [OK]		././testcases/sets/0029named_ifname_dtype_0
+I: [EXECUTING]	././testcases/sets/0030add_many_elements_interval_0
+I: [OK]		././testcases/sets/0030add_many_elements_interval_0
+I: [EXECUTING]	././testcases/sets/0031set_timeout_size_0
+I: [OK]		././testcases/sets/0031set_timeout_size_0
+I: [EXECUTING]	././testcases/sets/0032restore_set_simple_0
+I: [OK]		././testcases/sets/0032restore_set_simple_0
+I: [EXECUTING]	././testcases/sets/0033add_set_simple_flat_0
+I: [OK]		././testcases/sets/0033add_set_simple_flat_0
+I: [EXECUTING]	././testcases/sets/0034get_element_0
+W: [FAILED]	././testcases/sets/0034get_element_0
+I: [EXECUTING]	././testcases/sets/0035add_set_elements_flat_0
+I: [OK]		././testcases/sets/0035add_set_elements_flat_0
+I: [EXECUTING]	././testcases/sets/0036add_set_element_expiration_0
+W: [FAILED]	././testcases/sets/0036add_set_element_expiration_0
+I: [EXECUTING]	././testcases/sets/0037_set_with_inet_service_0
+I: [OK]		././testcases/sets/0037_set_with_inet_service_0
+I: [EXECUTING]	././testcases/sets/0038meter_list_0
+I: [OK]		././testcases/sets/0038meter_list_0
+I: [EXECUTING]	././testcases/sets/0039delete_interval_0
+I: [OK]		././testcases/sets/0039delete_interval_0
+I: [EXECUTING]	././testcases/sets/0040get_host_endian_elements_0
+I: [OK]		././testcases/sets/0040get_host_endian_elements_0
+I: [EXECUTING]	././testcases/sets/0041interval_0
+I: [OK]		././testcases/sets/0041interval_0
+I: [EXECUTING]	././testcases/sets/0042update_set_0
+I: [OK]		././testcases/sets/0042update_set_0
+I: [EXECUTING]	././testcases/sets/0043concatenated_ranges_0
+W: [FAILED]	././testcases/sets/0043concatenated_ranges_0
+I: [EXECUTING]	././testcases/sets/0043concatenated_ranges_1
+W: [FAILED]	././testcases/sets/0043concatenated_ranges_1
+I: [EXECUTING]	././testcases/sets/0044interval_overlap_0
+W: [FAILED]	././testcases/sets/0044interval_overlap_0
+I: [EXECUTING]	././testcases/sets/0044interval_overlap_1
+I: [OK]		././testcases/sets/0044interval_overlap_1
+I: [EXECUTING]	././testcases/sets/0045concat_ipv4_service
+I: [OK]		././testcases/sets/0045concat_ipv4_service
+I: [EXECUTING]	././testcases/sets/0046netmap_0
+W: [FAILED]	././testcases/sets/0046netmap_0
+I: [EXECUTING]	././testcases/sets/0047nat_0
+W: [FAILED]	././testcases/sets/0047nat_0
+I: [EXECUTING]	././testcases/sets/0048set_counters_0
+W: [DUMP FAIL]	././testcases/sets/0048set_counters_0
+I: [EXECUTING]	././testcases/sets/0049set_define_0
+I: [OK]		././testcases/sets/0049set_define_0
+I: [EXECUTING]	././testcases/sets/0050set_define_1
+I: [OK]		././testcases/sets/0050set_define_1
+I: [EXECUTING]	././testcases/sets/0051set_interval_counter_0
+W: [DUMP FAIL]	././testcases/sets/0051set_interval_counter_0
+I: [EXECUTING]	././testcases/sets/0052overlap_0
+I: [OK]		././testcases/sets/0052overlap_0
+I: [EXECUTING]	././testcases/sets/0053echo_0
+I: [OK]		././testcases/sets/0053echo_0
+I: [EXECUTING]	././testcases/sets/0054comments_set_0
+I: [OK]		././testcases/sets/0054comments_set_0
+I: [EXECUTING]	././testcases/sets/0055tcpflags_0
+I: [OK]		././testcases/sets/0055tcpflags_0
+I: [EXECUTING]	././testcases/sets/0056dynamic_limit_0
+I: [OK]		././testcases/sets/0056dynamic_limit_0
+I: [EXECUTING]	././testcases/sets/0057set_create_fails_0
+I: [OK]		././testcases/sets/0057set_create_fails_0
+I: [EXECUTING]	././testcases/sets/0058_setupdate_timeout_0
+I: [OK]		././testcases/sets/0058_setupdate_timeout_0
+I: [EXECUTING]	././testcases/sets/0059set_update_multistmt_0
+W: [FAILED]	././testcases/sets/0059set_update_multistmt_0
+I: [EXECUTING]	././testcases/sets/0060set_multistmt_0
+W: [FAILED]	././testcases/sets/0060set_multistmt_0
+I: [EXECUTING]	././testcases/sets/0060set_multistmt_1
+W: [FAILED]	././testcases/sets/0060set_multistmt_1
+I: [EXECUTING]	././testcases/sets/0061anonymous_automerge_0
+I: [OK]		././testcases/sets/0061anonymous_automerge_0
+I: [EXECUTING]	././testcases/sets/0062set_connlimit_0
+I: [OK]		././testcases/sets/0062set_connlimit_0
+I: [EXECUTING]	././testcases/sets/0063set_catchall_0
+W: [FAILED]	././testcases/sets/0063set_catchall_0
+I: [EXECUTING]	././testcases/sets/0064map_catchall_0
+W: [FAILED]	././testcases/sets/0064map_catchall_0
+I: [EXECUTING]	././testcases/sets/0065_icmp_postprocessing
+I: [OK]		././testcases/sets/0065_icmp_postprocessing
+I: [EXECUTING]	././testcases/sets/0067nat_concat_interval_0
+W: [FAILED]	././testcases/sets/0067nat_concat_interval_0
+I: [EXECUTING]	././testcases/sets/0068interval_stack_overflow_0
+I: [OK]		././testcases/sets/0068interval_stack_overflow_0
+I: [EXECUTING]	././testcases/sets/0069interval_merge_0
+I: [OK]		././testcases/sets/0069interval_merge_0
+I: [EXECUTING]	././testcases/sets/0070stacked_l2_headers
+I: [OK]		././testcases/sets/0070stacked_l2_headers
+I: [EXECUTING]	././testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]		././testcases/sets/0071unclosed_prefix_interval_0
+I: [EXECUTING]	././testcases/sets/0072destroy_0
+W: [FAILED]	././testcases/sets/0072destroy_0
+I: [EXECUTING]	././testcases/sets/automerge_0
+I: [OK]		././testcases/sets/automerge_0
+I: [EXECUTING]	././testcases/sets/collapse_elem_0
+I: [OK]		././testcases/sets/collapse_elem_0
+I: [EXECUTING]	././testcases/sets/concat_interval_0
+W: [FAILED]	././testcases/sets/concat_interval_0
+I: [EXECUTING]	././testcases/sets/dynset_missing
+I: [OK]		././testcases/sets/dynset_missing
+I: [EXECUTING]	././testcases/sets/errors_0
+I: [OK]		././testcases/sets/errors_0
+I: [EXECUTING]	././testcases/sets/exact_overlap_0
+I: [OK]		././testcases/sets/exact_overlap_0
+I: [EXECUTING]	././testcases/sets/inner_0
+W: [FAILED]	././testcases/sets/inner_0
+I: [EXECUTING]	././testcases/sets/reset_command_0
+W: [FAILED]	././testcases/sets/reset_command_0
+I: [EXECUTING]	././testcases/sets/set_eval_0
+I: [OK]		././testcases/sets/set_eval_0
+I: [EXECUTING]	././testcases/sets/sets_with_ifnames
+W: [FAILED]	././testcases/sets/sets_with_ifnames
+I: [EXECUTING]	././testcases/sets/typeof_raw_0
+W: [FAILED]	././testcases/sets/typeof_raw_0
+I: [EXECUTING]	././testcases/sets/typeof_sets_0
+W: [FAILED]	././testcases/sets/typeof_sets_0
+I: [EXECUTING]	././testcases/sets/typeof_sets_1
+I: [OK]		././testcases/sets/typeof_sets_1
+I: [EXECUTING]	././testcases/sets/typeof_sets_concat
+I: [OK]		././testcases/sets/typeof_sets_concat
+I: [EXECUTING]	././testcases/sets/type_set_symbol
+I: [OK]		././testcases/sets/type_set_symbol
+I: [EXECUTING]	././testcases/transactions/0001table_0
+I: [OK]		././testcases/transactions/0001table_0
+I: [EXECUTING]	././testcases/transactions/0002table_0
+I: [OK]		././testcases/transactions/0002table_0
+I: [EXECUTING]	././testcases/transactions/0003table_0
+I: [OK]		././testcases/transactions/0003table_0
+I: [EXECUTING]	././testcases/transactions/0010chain_0
+I: [OK]		././testcases/transactions/0010chain_0
+I: [EXECUTING]	././testcases/transactions/0011chain_0
+I: [OK]		././testcases/transactions/0011chain_0
+I: [EXECUTING]	././testcases/transactions/0012chain_0
+I: [OK]		././testcases/transactions/0012chain_0
+I: [EXECUTING]	././testcases/transactions/0013chain_0
+I: [OK]		././testcases/transactions/0013chain_0
+I: [EXECUTING]	././testcases/transactions/0014chain_1
+I: [OK]		././testcases/transactions/0014chain_1
+I: [EXECUTING]	././testcases/transactions/0015chain_0
+I: [OK]		././testcases/transactions/0015chain_0
+I: [EXECUTING]	././testcases/transactions/0020rule_0
+I: [OK]		././testcases/transactions/0020rule_0
+I: [EXECUTING]	././testcases/transactions/0021rule_0
+I: [OK]		././testcases/transactions/0021rule_0
+I: [EXECUTING]	././testcases/transactions/0022rule_1
+I: [OK]		././testcases/transactions/0022rule_1
+I: [EXECUTING]	././testcases/transactions/0023rule_1
+I: [OK]		././testcases/transactions/0023rule_1
+I: [EXECUTING]	././testcases/transactions/0024rule_0
+I: [OK]		././testcases/transactions/0024rule_0
+I: [EXECUTING]	././testcases/transactions/0025rule_0
+I: [OK]		././testcases/transactions/0025rule_0
+I: [EXECUTING]	././testcases/transactions/0030set_0
+I: [OK]		././testcases/transactions/0030set_0
+I: [EXECUTING]	././testcases/transactions/0031set_0
+I: [OK]		././testcases/transactions/0031set_0
+I: [EXECUTING]	././testcases/transactions/0032set_0
+I: [OK]		././testcases/transactions/0032set_0
+I: [EXECUTING]	././testcases/transactions/0033set_0
+I: [OK]		././testcases/transactions/0033set_0
+I: [EXECUTING]	././testcases/transactions/0034set_0
+I: [OK]		././testcases/transactions/0034set_0
+I: [EXECUTING]	././testcases/transactions/0035set_0
+I: [OK]		././testcases/transactions/0035set_0
+I: [EXECUTING]	././testcases/transactions/0036set_1
+I: [OK]		././testcases/transactions/0036set_1
+I: [EXECUTING]	././testcases/transactions/0037set_0
+I: [OK]		././testcases/transactions/0037set_0
+I: [EXECUTING]	././testcases/transactions/0038set_0
+I: [OK]		././testcases/transactions/0038set_0
+I: [EXECUTING]	././testcases/transactions/0039set_0
+I: [OK]		././testcases/transactions/0039set_0
+I: [EXECUTING]	././testcases/transactions/0040set_0
+I: [OK]		././testcases/transactions/0040set_0
+I: [EXECUTING]	././testcases/transactions/0041nat_restore_0
+I: [OK]		././testcases/transactions/0041nat_restore_0
+I: [EXECUTING]	././testcases/transactions/0042_stateful_expr_0
+I: [OK]		././testcases/transactions/0042_stateful_expr_0
+I: [EXECUTING]	././testcases/transactions/0043set_1
+I: [OK]		././testcases/transactions/0043set_1
+I: [EXECUTING]	././testcases/transactions/0044rule_0
+I: [OK]		././testcases/transactions/0044rule_0
+I: [EXECUTING]	././testcases/transactions/0045anon-unbind_0
+I: [OK]		././testcases/transactions/0045anon-unbind_0
+I: [EXECUTING]	././testcases/transactions/0046set_0
+I: [OK]		././testcases/transactions/0046set_0
+I: [EXECUTING]	././testcases/transactions/0047set_0
+I: [OK]		././testcases/transactions/0047set_0
+I: [EXECUTING]	././testcases/transactions/0048helpers_0
+I: [OK]		././testcases/transactions/0048helpers_0
+I: [EXECUTING]	././testcases/transactions/0049huge_0
+I: [OK]		././testcases/transactions/0049huge_0
+I: [EXECUTING]	././testcases/transactions/0050rule_1
+I: [OK]		././testcases/transactions/0050rule_1
+I: [EXECUTING]	././testcases/transactions/0051map_0
+I: [OK]		././testcases/transactions/0051map_0
+I: [EXECUTING]	././testcases/transactions/30s-stress
+W: [FAILED]	././testcases/transactions/30s-stress
+I: [EXECUTING]	././testcases/transactions/anon_chain_loop
+I: [OK]		././testcases/transactions/anon_chain_loop
+I: [EXECUTING]	././testcases/transactions/bad_expression
+I: [OK]		././testcases/transactions/bad_expression
+
+I: results: [OK] 302 [FAILED] 71 [TOTAL] 373
diff --git a/tests/shell/stable-log/log-6.1 b/tests/shell/stable-log/log-6.1
new file mode 100644
index 0000000..feb84d9
--- /dev/null
+++ b/tests/shell/stable-log/log-6.1
@@ -0,0 +1,751 @@
+I: using nft command: ./../../src/nft
+
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_0
+I: [OK]		././testcases/bitwise/0040mark_binop_0
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_1
+I: [OK]		././testcases/bitwise/0040mark_binop_1
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_2
+I: [OK]		././testcases/bitwise/0040mark_binop_2
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_3
+I: [OK]		././testcases/bitwise/0040mark_binop_3
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_4
+I: [OK]		././testcases/bitwise/0040mark_binop_4
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_5
+I: [OK]		././testcases/bitwise/0040mark_binop_5
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_6
+I: [OK]		././testcases/bitwise/0040mark_binop_6
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_7
+I: [OK]		././testcases/bitwise/0040mark_binop_7
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_8
+I: [OK]		././testcases/bitwise/0040mark_binop_8
+I: [EXECUTING]	././testcases/bitwise/0040mark_binop_9
+I: [OK]		././testcases/bitwise/0040mark_binop_9
+I: [EXECUTING]	././testcases/bogons/assert_failures
+I: [OK]		././testcases/bogons/assert_failures
+I: [EXECUTING]	././testcases/cache/0001_cache_handling_0
+I: [OK]		././testcases/cache/0001_cache_handling_0
+I: [EXECUTING]	././testcases/cache/0002_interval_0
+I: [OK]		././testcases/cache/0002_interval_0
+I: [EXECUTING]	././testcases/cache/0003_cache_update_0
+I: [OK]		././testcases/cache/0003_cache_update_0
+I: [EXECUTING]	././testcases/cache/0004_cache_update_0
+I: [OK]		././testcases/cache/0004_cache_update_0
+I: [EXECUTING]	././testcases/cache/0005_cache_chain_flush
+I: [OK]		././testcases/cache/0005_cache_chain_flush
+I: [EXECUTING]	././testcases/cache/0006_cache_table_flush
+I: [OK]		././testcases/cache/0006_cache_table_flush
+I: [EXECUTING]	././testcases/cache/0007_echo_cache_init_0
+I: [OK]		././testcases/cache/0007_echo_cache_init_0
+I: [EXECUTING]	././testcases/cache/0008_delete_by_handle_0
+I: [OK]		././testcases/cache/0008_delete_by_handle_0
+I: [EXECUTING]	././testcases/cache/0009_delete_by_handle_incorrect_0
+I: [OK]		././testcases/cache/0009_delete_by_handle_incorrect_0
+I: [EXECUTING]	././testcases/cache/0010_implicit_chain_0
+I: [OK]		././testcases/cache/0010_implicit_chain_0
+I: [EXECUTING]	././testcases/cache/0011_index_0
+I: [OK]		././testcases/cache/0011_index_0
+I: [EXECUTING]	././testcases/chains/0001jumps_0
+I: [OK]		././testcases/chains/0001jumps_0
+I: [EXECUTING]	././testcases/chains/0002jumps_1
+I: [OK]		././testcases/chains/0002jumps_1
+I: [EXECUTING]	././testcases/chains/0003jump_loop_1
+I: [OK]		././testcases/chains/0003jump_loop_1
+I: [EXECUTING]	././testcases/chains/0004busy_1
+I: [OK]		././testcases/chains/0004busy_1
+I: [EXECUTING]	././testcases/chains/0005busy_map_1
+I: [OK]		././testcases/chains/0005busy_map_1
+I: [EXECUTING]	././testcases/chains/0006masquerade_0
+I: [OK]		././testcases/chains/0006masquerade_0
+I: [EXECUTING]	././testcases/chains/0007masquerade_1
+I: [OK]		././testcases/chains/0007masquerade_1
+I: [EXECUTING]	././testcases/chains/0008masquerade_jump_1
+I: [OK]		././testcases/chains/0008masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0009masquerade_jump_1
+I: [OK]		././testcases/chains/0009masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0010endless_jump_loop_1
+I: [OK]		././testcases/chains/0010endless_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0011endless_jump_loop_1
+I: [OK]		././testcases/chains/0011endless_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0013rename_0
+I: [OK]		././testcases/chains/0013rename_0
+I: [EXECUTING]	././testcases/chains/0014rename_0
+I: [OK]		././testcases/chains/0014rename_0
+I: [EXECUTING]	././testcases/chains/0015check_jump_loop_1
+I: [OK]		././testcases/chains/0015check_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0016delete_handle_0
+I: [OK]		././testcases/chains/0016delete_handle_0
+I: [EXECUTING]	././testcases/chains/0017masquerade_jump_1
+I: [OK]		././testcases/chains/0017masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0018check_jump_loop_1
+I: [OK]		././testcases/chains/0018check_jump_loop_1
+I: [EXECUTING]	././testcases/chains/0019masquerade_jump_1
+I: [OK]		././testcases/chains/0019masquerade_jump_1
+I: [EXECUTING]	././testcases/chains/0020depth_1
+I: [OK]		././testcases/chains/0020depth_1
+I: [EXECUTING]	././testcases/chains/0021prio_0
+I: [OK]		././testcases/chains/0021prio_0
+I: [EXECUTING]	././testcases/chains/0022prio_dummy_1
+I: [OK]		././testcases/chains/0022prio_dummy_1
+I: [EXECUTING]	././testcases/chains/0023prio_inet_srcnat_1
+I: [OK]		././testcases/chains/0023prio_inet_srcnat_1
+I: [EXECUTING]	././testcases/chains/0024prio_inet_dstnat_1
+I: [OK]		././testcases/chains/0024prio_inet_dstnat_1
+I: [EXECUTING]	././testcases/chains/0025prio_arp_1
+I: [OK]		././testcases/chains/0025prio_arp_1
+I: [EXECUTING]	././testcases/chains/0026prio_netdev_1
+I: [OK]		././testcases/chains/0026prio_netdev_1
+I: [EXECUTING]	././testcases/chains/0027prio_bridge_dstnat_1
+I: [OK]		././testcases/chains/0027prio_bridge_dstnat_1
+I: [EXECUTING]	././testcases/chains/0028prio_bridge_out_1
+I: [OK]		././testcases/chains/0028prio_bridge_out_1
+I: [EXECUTING]	././testcases/chains/0029prio_bridge_srcnat_1
+I: [OK]		././testcases/chains/0029prio_bridge_srcnat_1
+I: [EXECUTING]	././testcases/chains/0030create_0
+I: [OK]		././testcases/chains/0030create_0
+I: [EXECUTING]	././testcases/chains/0031priority_variable_0
+I: [OK]		././testcases/chains/0031priority_variable_0
+I: [EXECUTING]	././testcases/chains/0032priority_variable_0
+I: [OK]		././testcases/chains/0032priority_variable_0
+I: [EXECUTING]	././testcases/chains/0033priority_variable_1
+I: [OK]		././testcases/chains/0033priority_variable_1
+I: [EXECUTING]	././testcases/chains/0034priority_variable_1
+I: [OK]		././testcases/chains/0034priority_variable_1
+I: [EXECUTING]	././testcases/chains/0035policy_variable_0
+I: [OK]		././testcases/chains/0035policy_variable_0
+I: [EXECUTING]	././testcases/chains/0036policy_variable_0
+I: [OK]		././testcases/chains/0036policy_variable_0
+I: [EXECUTING]	././testcases/chains/0037policy_variable_1
+I: [OK]		././testcases/chains/0037policy_variable_1
+I: [EXECUTING]	././testcases/chains/0038policy_variable_1
+I: [OK]		././testcases/chains/0038policy_variable_1
+I: [EXECUTING]	././testcases/chains/0039negative_priority_0
+I: [OK]		././testcases/chains/0039negative_priority_0
+I: [EXECUTING]	././testcases/chains/0041chain_binding_0
+I: [OK]		././testcases/chains/0041chain_binding_0
+I: [EXECUTING]	././testcases/chains/0042chain_variable_0
+I: [OK]		././testcases/chains/0042chain_variable_0
+I: [EXECUTING]	././testcases/chains/0043chain_ingress_0
+I: [OK]		././testcases/chains/0043chain_ingress_0
+I: [EXECUTING]	././testcases/chains/0044chain_destroy_0
+W: [FAILED]	././testcases/chains/0044chain_destroy_0
+I: [EXECUTING]	././testcases/chains/netdev_chain_0
+W: [FAILED]	././testcases/chains/netdev_chain_0
+I: [EXECUTING]	././testcases/comments/comments_0
+I: [OK]		././testcases/comments/comments_0
+I: [EXECUTING]	././testcases/flowtable/0001flowtable_0
+I: [OK]		././testcases/flowtable/0001flowtable_0
+I: [EXECUTING]	././testcases/flowtable/0002create_flowtable_0
+I: [OK]		././testcases/flowtable/0002create_flowtable_0
+I: [EXECUTING]	././testcases/flowtable/0003add_after_flush_0
+I: [OK]		././testcases/flowtable/0003add_after_flush_0
+I: [EXECUTING]	././testcases/flowtable/0004delete_after_add_0
+I: [OK]		././testcases/flowtable/0004delete_after_add_0
+I: [EXECUTING]	././testcases/flowtable/0005delete_in_use_1
+I: [OK]		././testcases/flowtable/0005delete_in_use_1
+I: [EXECUTING]	././testcases/flowtable/0006segfault_0
+I: [OK]		././testcases/flowtable/0006segfault_0
+I: [EXECUTING]	././testcases/flowtable/0007prio_0
+I: [OK]		././testcases/flowtable/0007prio_0
+I: [EXECUTING]	././testcases/flowtable/0008prio_1
+I: [OK]		././testcases/flowtable/0008prio_1
+I: [EXECUTING]	././testcases/flowtable/0009deleteafterflush_0
+I: [OK]		././testcases/flowtable/0009deleteafterflush_0
+I: [EXECUTING]	././testcases/flowtable/0010delete_handle_0
+I: [OK]		././testcases/flowtable/0010delete_handle_0
+I: [EXECUTING]	././testcases/flowtable/0011deleteafterflush_0
+I: [OK]		././testcases/flowtable/0011deleteafterflush_0
+I: [EXECUTING]	././testcases/flowtable/0012flowtable_variable_0
+I: [OK]		././testcases/flowtable/0012flowtable_variable_0
+I: [EXECUTING]	././testcases/flowtable/0013addafterdelete_0
+I: [OK]		././testcases/flowtable/0013addafterdelete_0
+I: [EXECUTING]	././testcases/flowtable/0014addafterdelete_0
+I: [OK]		././testcases/flowtable/0014addafterdelete_0
+I: [EXECUTING]	././testcases/flowtable/0015destroy_0
+W: [FAILED]	././testcases/flowtable/0015destroy_0
+I: [EXECUTING]	././testcases/include/0001absolute_0
+I: [OK]		././testcases/include/0001absolute_0
+I: [EXECUTING]	././testcases/include/0002relative_0
+I: [OK]		././testcases/include/0002relative_0
+I: [EXECUTING]	././testcases/include/0003includepath_0
+I: [OK]		././testcases/include/0003includepath_0
+I: [EXECUTING]	././testcases/include/0004endlessloop_1
+I: [OK]		././testcases/include/0004endlessloop_1
+I: [EXECUTING]	././testcases/include/0005glob_empty_0
+I: [OK]		././testcases/include/0005glob_empty_0
+I: [EXECUTING]	././testcases/include/0006glob_single_0
+I: [OK]		././testcases/include/0006glob_single_0
+I: [EXECUTING]	././testcases/include/0007glob_double_0
+I: [OK]		././testcases/include/0007glob_double_0
+I: [EXECUTING]	././testcases/include/0008glob_nofile_wildcard_0
+I: [OK]		././testcases/include/0008glob_nofile_wildcard_0
+I: [EXECUTING]	././testcases/include/0009glob_nofile_1
+I: [OK]		././testcases/include/0009glob_nofile_1
+I: [EXECUTING]	././testcases/include/0010glob_broken_file_1
+I: [OK]		././testcases/include/0010glob_broken_file_1
+I: [EXECUTING]	././testcases/include/0011glob_dependency_0
+I: [OK]		././testcases/include/0011glob_dependency_0
+I: [EXECUTING]	././testcases/include/0012glob_dependency_1
+I: [OK]		././testcases/include/0012glob_dependency_1
+I: [EXECUTING]	././testcases/include/0013glob_dotfile_0
+I: [OK]		././testcases/include/0013glob_dotfile_0
+I: [EXECUTING]	././testcases/include/0013input_descriptors_included_files_0
+I: [OK]		././testcases/include/0013input_descriptors_included_files_0
+I: [EXECUTING]	././testcases/include/0014glob_directory_0
+I: [OK]		././testcases/include/0014glob_directory_0
+I: [EXECUTING]	././testcases/include/0015doubleincludepath_0
+I: [OK]		././testcases/include/0015doubleincludepath_0
+I: [EXECUTING]	././testcases/include/0016maxdepth_0
+I: [OK]		././testcases/include/0016maxdepth_0
+I: [EXECUTING]	././testcases/include/0017glob_more_than_maxdepth_1
+I: [OK]		././testcases/include/0017glob_more_than_maxdepth_1
+I: [EXECUTING]	././testcases/include/0018include_error_0
+I: [OK]		././testcases/include/0018include_error_0
+I: [EXECUTING]	././testcases/include/0019include_error_0
+I: [OK]		././testcases/include/0019include_error_0
+I: [EXECUTING]	././testcases/include/0020include_chain_0
+I: [OK]		././testcases/include/0020include_chain_0
+I: [EXECUTING]	././testcases/json/0001set_statements_0
+I: [OK]		././testcases/json/0001set_statements_0
+I: [EXECUTING]	././testcases/json/0002table_map_0
+I: [OK]		././testcases/json/0002table_map_0
+I: [EXECUTING]	././testcases/json/0003json_schema_version_0
+I: [OK]		././testcases/json/0003json_schema_version_0
+I: [EXECUTING]	././testcases/json/0004json_schema_version_1
+I: [OK]		././testcases/json/0004json_schema_version_1
+I: [EXECUTING]	././testcases/json/0005secmark_objref_0
+I: [OK]		././testcases/json/0005secmark_objref_0
+I: [EXECUTING]	././testcases/json/0006obj_comment_0
+I: [OK]		././testcases/json/0006obj_comment_0
+I: [EXECUTING]	././testcases/json/netdev
+I: [OK]		././testcases/json/netdev
+I: [EXECUTING]	././testcases/listing/0001ruleset_0
+I: [OK]		././testcases/listing/0001ruleset_0
+I: [EXECUTING]	././testcases/listing/0002ruleset_0
+I: [OK]		././testcases/listing/0002ruleset_0
+I: [EXECUTING]	././testcases/listing/0003table_0
+I: [OK]		././testcases/listing/0003table_0
+I: [EXECUTING]	././testcases/listing/0004table_0
+I: [OK]		././testcases/listing/0004table_0
+I: [EXECUTING]	././testcases/listing/0005ruleset_ip_0
+I: [OK]		././testcases/listing/0005ruleset_ip_0
+I: [EXECUTING]	././testcases/listing/0006ruleset_ip6_0
+I: [OK]		././testcases/listing/0006ruleset_ip6_0
+I: [EXECUTING]	././testcases/listing/0007ruleset_inet_0
+I: [OK]		././testcases/listing/0007ruleset_inet_0
+I: [EXECUTING]	././testcases/listing/0008ruleset_arp_0
+I: [OK]		././testcases/listing/0008ruleset_arp_0
+I: [EXECUTING]	././testcases/listing/0009ruleset_bridge_0
+I: [OK]		././testcases/listing/0009ruleset_bridge_0
+I: [EXECUTING]	././testcases/listing/0010sets_0
+I: [OK]		././testcases/listing/0010sets_0
+I: [EXECUTING]	././testcases/listing/0011sets_0
+I: [OK]		././testcases/listing/0011sets_0
+I: [EXECUTING]	././testcases/listing/0012sets_0
+I: [OK]		././testcases/listing/0012sets_0
+I: [EXECUTING]	././testcases/listing/0013objects_0
+I: [OK]		././testcases/listing/0013objects_0
+I: [EXECUTING]	././testcases/listing/0014objects_0
+I: [OK]		././testcases/listing/0014objects_0
+I: [EXECUTING]	././testcases/listing/0015dynamic_0
+I: [OK]		././testcases/listing/0015dynamic_0
+I: [EXECUTING]	././testcases/listing/0016anonymous_0
+I: [OK]		././testcases/listing/0016anonymous_0
+I: [EXECUTING]	././testcases/listing/0017objects_0
+I: [OK]		././testcases/listing/0017objects_0
+I: [EXECUTING]	././testcases/listing/0018data_0
+I: [OK]		././testcases/listing/0018data_0
+I: [EXECUTING]	././testcases/listing/0019set_0
+I: [OK]		././testcases/listing/0019set_0
+I: [EXECUTING]	././testcases/listing/0020flowtable_0
+I: [OK]		././testcases/listing/0020flowtable_0
+I: [EXECUTING]	././testcases/listing/0021ruleset_json_terse_0
+I: [OK]		././testcases/listing/0021ruleset_json_terse_0
+I: [EXECUTING]	././testcases/listing/0022terse_0
+I: [OK]		././testcases/listing/0022terse_0
+I: [EXECUTING]	././testcases/maps/0003map_add_many_elements_0
+I: [OK]		././testcases/maps/0003map_add_many_elements_0
+I: [EXECUTING]	././testcases/maps/0004interval_map_create_once_0
+I: [OK]		././testcases/maps/0004interval_map_create_once_0
+I: [EXECUTING]	././testcases/maps/0005interval_map_add_many_elements_0
+I: [OK]		././testcases/maps/0005interval_map_add_many_elements_0
+I: [EXECUTING]	././testcases/maps/0006interval_map_overlap_0
+I: [OK]		././testcases/maps/0006interval_map_overlap_0
+I: [EXECUTING]	././testcases/maps/0007named_ifname_dtype_0
+I: [OK]		././testcases/maps/0007named_ifname_dtype_0
+I: [EXECUTING]	././testcases/maps/0008interval_map_delete_0
+I: [OK]		././testcases/maps/0008interval_map_delete_0
+I: [EXECUTING]	././testcases/maps/0009vmap_0
+I: [OK]		././testcases/maps/0009vmap_0
+I: [EXECUTING]	././testcases/maps/0010concat_map_0
+I: [OK]		././testcases/maps/0010concat_map_0
+I: [EXECUTING]	././testcases/maps/0011vmap_0
+I: [OK]		././testcases/maps/0011vmap_0
+I: [EXECUTING]	././testcases/maps/0012map_0
+I: [OK]		././testcases/maps/0012map_0
+I: [EXECUTING]	././testcases/maps/0013map_0
+I: [OK]		././testcases/maps/0013map_0
+I: [EXECUTING]	././testcases/maps/0014destroy_0
+W: [FAILED]	././testcases/maps/0014destroy_0
+I: [EXECUTING]	././testcases/maps/0016map_leak_0
+I: [OK]		././testcases/maps/0016map_leak_0
+I: [EXECUTING]	././testcases/maps/0017_map_variable_0
+I: [OK]		././testcases/maps/0017_map_variable_0
+I: [EXECUTING]	././testcases/maps/0018map_leak_timeout_0
+I: [OK]		././testcases/maps/0018map_leak_timeout_0
+I: [EXECUTING]	././testcases/maps/anon_objmap_concat
+I: [OK]		././testcases/maps/anon_objmap_concat
+I: [EXECUTING]	././testcases/maps/anonymous_snat_map_0
+I: [OK]		././testcases/maps/anonymous_snat_map_0
+I: [EXECUTING]	././testcases/maps/different_map_types_1
+I: [OK]		././testcases/maps/different_map_types_1
+I: [EXECUTING]	././testcases/maps/map_catchall_double_deactivate
+I: [OK]		././testcases/maps/map_catchall_double_deactivate
+I: [EXECUTING]	././testcases/maps/map_with_flags_0
+I: [OK]		././testcases/maps/map_with_flags_0
+I: [EXECUTING]	././testcases/maps/named_snat_map_0
+I: [OK]		././testcases/maps/named_snat_map_0
+I: [EXECUTING]	././testcases/maps/nat_addr_port
+I: [OK]		././testcases/maps/nat_addr_port
+I: [EXECUTING]	././testcases/maps/typeof_integer_0
+I: [OK]		././testcases/maps/typeof_integer_0
+I: [EXECUTING]	././testcases/maps/typeof_maps_0
+I: [OK]		././testcases/maps/typeof_maps_0
+I: [EXECUTING]	././testcases/maps/typeof_maps_add_delete
+W: [FAILED]	././testcases/maps/typeof_maps_add_delete
+I: [EXECUTING]	././testcases/maps/typeof_maps_concat
+I: [OK]		././testcases/maps/typeof_maps_concat
+I: [EXECUTING]	././testcases/maps/typeof_maps_concat_update_0
+I: [OK]		././testcases/maps/typeof_maps_concat_update_0
+I: [EXECUTING]	././testcases/maps/typeof_maps_update_0
+I: [OK]		././testcases/maps/typeof_maps_update_0
+I: [EXECUTING]	././testcases/maps/typeof_raw_0
+I: [OK]		././testcases/maps/typeof_raw_0
+I: [EXECUTING]	././testcases/maps/vmap_timeout
+I: [OK]		././testcases/maps/vmap_timeout
+I: [EXECUTING]	././testcases/netns/0001nft-f_0
+I: [OK]		././testcases/netns/0001nft-f_0
+I: [EXECUTING]	././testcases/netns/0002loosecommands_0
+I: [OK]		././testcases/netns/0002loosecommands_0
+I: [EXECUTING]	././testcases/netns/0003many_0
+I: [OK]		././testcases/netns/0003many_0
+I: [EXECUTING]	././testcases/nft-f/0001define_slash_0
+I: [OK]		././testcases/nft-f/0001define_slash_0
+I: [EXECUTING]	././testcases/nft-f/0002rollback_rule_0
+I: [OK]		././testcases/nft-f/0002rollback_rule_0
+I: [EXECUTING]	././testcases/nft-f/0003rollback_jump_0
+I: [OK]		././testcases/nft-f/0003rollback_jump_0
+I: [EXECUTING]	././testcases/nft-f/0004rollback_set_0
+I: [OK]		././testcases/nft-f/0004rollback_set_0
+I: [EXECUTING]	././testcases/nft-f/0005rollback_map_0
+I: [OK]		././testcases/nft-f/0005rollback_map_0
+I: [EXECUTING]	././testcases/nft-f/0006action_object_0
+I: [OK]		././testcases/nft-f/0006action_object_0
+I: [EXECUTING]	././testcases/nft-f/0007action_object_set_segfault_1
+I: [OK]		././testcases/nft-f/0007action_object_set_segfault_1
+I: [EXECUTING]	././testcases/nft-f/0008split_tables_0
+I: [OK]		././testcases/nft-f/0008split_tables_0
+I: [EXECUTING]	././testcases/nft-f/0009variable_0
+I: [OK]		././testcases/nft-f/0009variable_0
+I: [EXECUTING]	././testcases/nft-f/0010variable_0
+I: [OK]		././testcases/nft-f/0010variable_0
+I: [EXECUTING]	././testcases/nft-f/0011manydefines_0
+I: [OK]		././testcases/nft-f/0011manydefines_0
+I: [EXECUTING]	././testcases/nft-f/0012different_defines_0
+I: [OK]		././testcases/nft-f/0012different_defines_0
+I: [EXECUTING]	././testcases/nft-f/0013defines_1
+I: [OK]		././testcases/nft-f/0013defines_1
+I: [EXECUTING]	././testcases/nft-f/0014defines_1
+I: [OK]		././testcases/nft-f/0014defines_1
+I: [EXECUTING]	././testcases/nft-f/0015defines_1
+I: [OK]		././testcases/nft-f/0015defines_1
+I: [EXECUTING]	././testcases/nft-f/0016redefines_1
+I: [OK]		././testcases/nft-f/0016redefines_1
+I: [EXECUTING]	././testcases/nft-f/0017ct_timeout_obj_0
+I: [OK]		././testcases/nft-f/0017ct_timeout_obj_0
+I: [EXECUTING]	././testcases/nft-f/0018ct_expectation_obj_0
+I: [OK]		././testcases/nft-f/0018ct_expectation_obj_0
+I: [EXECUTING]	././testcases/nft-f/0018jump_variable_0
+I: [OK]		././testcases/nft-f/0018jump_variable_0
+I: [EXECUTING]	././testcases/nft-f/0019jump_variable_1
+I: [OK]		././testcases/nft-f/0019jump_variable_1
+I: [EXECUTING]	././testcases/nft-f/0020jump_variable_1
+I: [OK]		././testcases/nft-f/0020jump_variable_1
+I: [EXECUTING]	././testcases/nft-f/0021list_ruleset_0
+I: [OK]		././testcases/nft-f/0021list_ruleset_0
+I: [EXECUTING]	././testcases/nft-f/0022variables_0
+I: [OK]		././testcases/nft-f/0022variables_0
+I: [EXECUTING]	././testcases/nft-f/0023check_1
+I: [OK]		././testcases/nft-f/0023check_1
+I: [EXECUTING]	././testcases/nft-f/0024priority_0
+I: [OK]		././testcases/nft-f/0024priority_0
+I: [EXECUTING]	././testcases/nft-f/0025empty_dynset_0
+I: [OK]		././testcases/nft-f/0025empty_dynset_0
+I: [EXECUTING]	././testcases/nft-f/0026listing_0
+I: [OK]		././testcases/nft-f/0026listing_0
+I: [EXECUTING]	././testcases/nft-f/0027split_chains_0
+I: [OK]		././testcases/nft-f/0027split_chains_0
+I: [EXECUTING]	././testcases/nft-f/0028variable_cmdline_0
+I: [OK]		././testcases/nft-f/0028variable_cmdline_0
+I: [EXECUTING]	././testcases/nft-f/0029split_file_0
+I: [OK]		././testcases/nft-f/0029split_file_0
+I: [EXECUTING]	././testcases/nft-f/0030variable_reuse_0
+I: [OK]		././testcases/nft-f/0030variable_reuse_0
+I: [EXECUTING]	././testcases/nft-f/0031vmap_string_0
+I: [OK]		././testcases/nft-f/0031vmap_string_0
+I: [EXECUTING]	././testcases/nft-f/0032pknock_0
+I: [OK]		././testcases/nft-f/0032pknock_0
+I: [EXECUTING]	././testcases/nft-i/0001define_0
+I: [OK]		././testcases/nft-i/0001define_0
+I: [EXECUTING]	././testcases/optimizations/dependency_kill
+I: [OK]		././testcases/optimizations/dependency_kill
+I: [EXECUTING]	././testcases/optimizations/merge_nat
+I: [OK]		././testcases/optimizations/merge_nat
+I: [EXECUTING]	././testcases/optimizations/merge_reject
+I: [OK]		././testcases/optimizations/merge_reject
+I: [EXECUTING]	././testcases/optimizations/merge_stmts
+I: [OK]		././testcases/optimizations/merge_stmts
+I: [EXECUTING]	././testcases/optimizations/merge_stmts_concat
+I: [OK]		././testcases/optimizations/merge_stmts_concat
+I: [EXECUTING]	././testcases/optimizations/merge_stmts_concat_vmap
+I: [OK]		././testcases/optimizations/merge_stmts_concat_vmap
+I: [EXECUTING]	././testcases/optimizations/merge_stmts_vmap
+I: [OK]		././testcases/optimizations/merge_stmts_vmap
+I: [EXECUTING]	././testcases/optimizations/merge_vmap_raw
+I: [OK]		././testcases/optimizations/merge_vmap_raw
+I: [EXECUTING]	././testcases/optimizations/merge_vmaps
+I: [OK]		././testcases/optimizations/merge_vmaps
+I: [EXECUTING]	././testcases/optimizations/not_mergeable
+I: [OK]		././testcases/optimizations/not_mergeable
+I: [EXECUTING]	././testcases/optimizations/ruleset
+I: [OK]		././testcases/optimizations/ruleset
+I: [EXECUTING]	././testcases/optimizations/single_anon_set
+I: [OK]		././testcases/optimizations/single_anon_set
+I: [EXECUTING]	././testcases/optimizations/skip_merge
+I: [OK]		././testcases/optimizations/skip_merge
+I: [EXECUTING]	././testcases/optimizations/skip_non_eq
+I: [OK]		././testcases/optimizations/skip_non_eq
+I: [EXECUTING]	././testcases/optimizations/skip_unsupported
+I: [OK]		././testcases/optimizations/skip_unsupported
+I: [EXECUTING]	././testcases/optimizations/variables
+I: [OK]		././testcases/optimizations/variables
+I: [EXECUTING]	././testcases/optionals/comments_0
+I: [OK]		././testcases/optionals/comments_0
+I: [EXECUTING]	././testcases/optionals/comments_chain_0
+I: [OK]		././testcases/optionals/comments_chain_0
+I: [EXECUTING]	././testcases/optionals/comments_handles_0
+I: [OK]		././testcases/optionals/comments_handles_0
+I: [EXECUTING]	././testcases/optionals/comments_objects_0
+I: [OK]		././testcases/optionals/comments_objects_0
+I: [EXECUTING]	././testcases/optionals/comments_objects_dup_0
+I: [OK]		././testcases/optionals/comments_objects_dup_0
+I: [EXECUTING]	././testcases/optionals/comments_table_0
+I: [OK]		././testcases/optionals/comments_table_0
+I: [EXECUTING]	././testcases/optionals/delete_object_handles_0
+I: [OK]		././testcases/optionals/delete_object_handles_0
+I: [EXECUTING]	././testcases/optionals/handles_0
+I: [OK]		././testcases/optionals/handles_0
+I: [EXECUTING]	././testcases/optionals/handles_1
+I: [OK]		././testcases/optionals/handles_1
+I: [EXECUTING]	././testcases/optionals/log_prefix_0
+I: [OK]		././testcases/optionals/log_prefix_0
+I: [EXECUTING]	././testcases/optionals/update_object_handles_0
+I: [OK]		././testcases/optionals/update_object_handles_0
+I: [EXECUTING]	././testcases/owner/0001-flowtable-uaf
+I: [OK]		././testcases/owner/0001-flowtable-uaf
+I: [EXECUTING]	././testcases/parsing/describe
+I: [OK]		././testcases/parsing/describe
+I: [EXECUTING]	././testcases/parsing/large_rule_pipe
+I: [OK]		././testcases/parsing/large_rule_pipe
+I: [EXECUTING]	././testcases/parsing/log
+I: [OK]		././testcases/parsing/log
+I: [EXECUTING]	././testcases/parsing/octal
+I: [OK]		././testcases/parsing/octal
+I: [EXECUTING]	././testcases/rule_management/0001addinsertposition_0
+I: [OK]		././testcases/rule_management/0001addinsertposition_0
+I: [EXECUTING]	././testcases/rule_management/0002addinsertlocation_1
+I: [OK]		././testcases/rule_management/0002addinsertlocation_1
+I: [EXECUTING]	././testcases/rule_management/0003insert_0
+I: [OK]		././testcases/rule_management/0003insert_0
+I: [EXECUTING]	././testcases/rule_management/0004replace_0
+I: [OK]		././testcases/rule_management/0004replace_0
+I: [EXECUTING]	././testcases/rule_management/0005replace_1
+I: [OK]		././testcases/rule_management/0005replace_1
+I: [EXECUTING]	././testcases/rule_management/0006replace_1
+I: [OK]		././testcases/rule_management/0006replace_1
+I: [EXECUTING]	././testcases/rule_management/0007delete_0
+I: [OK]		././testcases/rule_management/0007delete_0
+I: [EXECUTING]	././testcases/rule_management/0008delete_1
+I: [OK]		././testcases/rule_management/0008delete_1
+I: [EXECUTING]	././testcases/rule_management/0009delete_1
+I: [OK]		././testcases/rule_management/0009delete_1
+I: [EXECUTING]	././testcases/rule_management/0010replace_0
+I: [OK]		././testcases/rule_management/0010replace_0
+I: [EXECUTING]	././testcases/rule_management/0011reset_0
+W: [FAILED]	././testcases/rule_management/0011reset_0
+I: [EXECUTING]	././testcases/rule_management/0012destroy_0
+W: [FAILED]	././testcases/rule_management/0012destroy_0
+I: [EXECUTING]	././testcases/sets/0001named_interval_0
+I: [OK]		././testcases/sets/0001named_interval_0
+I: [EXECUTING]	././testcases/sets/0002named_interval_automerging_0
+I: [OK]		././testcases/sets/0002named_interval_automerging_0
+I: [EXECUTING]	././testcases/sets/0003named_interval_missing_flag_0
+I: [OK]		././testcases/sets/0003named_interval_missing_flag_0
+I: [EXECUTING]	././testcases/sets/0004named_interval_shadow_0
+I: [OK]		././testcases/sets/0004named_interval_shadow_0
+I: [EXECUTING]	././testcases/sets/0005named_interval_shadow_0
+I: [OK]		././testcases/sets/0005named_interval_shadow_0
+I: [EXECUTING]	././testcases/sets/0006create_set_0
+I: [OK]		././testcases/sets/0006create_set_0
+I: [EXECUTING]	././testcases/sets/0007create_element_0
+I: [OK]		././testcases/sets/0007create_element_0
+I: [EXECUTING]	././testcases/sets/0008comments_interval_0
+I: [OK]		././testcases/sets/0008comments_interval_0
+I: [EXECUTING]	././testcases/sets/0008create_verdict_map_0
+I: [OK]		././testcases/sets/0008create_verdict_map_0
+I: [EXECUTING]	././testcases/sets/0009comments_timeout_0
+I: [OK]		././testcases/sets/0009comments_timeout_0
+I: [EXECUTING]	././testcases/sets/0010comments_0
+I: [OK]		././testcases/sets/0010comments_0
+I: [EXECUTING]	././testcases/sets/0011add_many_elements_0
+I: [OK]		././testcases/sets/0011add_many_elements_0
+I: [EXECUTING]	././testcases/sets/0012add_delete_many_elements_0
+I: [OK]		././testcases/sets/0012add_delete_many_elements_0
+I: [EXECUTING]	././testcases/sets/0013add_delete_many_elements_0
+I: [OK]		././testcases/sets/0013add_delete_many_elements_0
+I: [EXECUTING]	././testcases/sets/0014malformed_set_is_not_defined_0
+I: [OK]		././testcases/sets/0014malformed_set_is_not_defined_0
+I: [EXECUTING]	././testcases/sets/0015rulesetflush_0
+I: [OK]		././testcases/sets/0015rulesetflush_0
+I: [EXECUTING]	././testcases/sets/0016element_leak_0
+I: [OK]		././testcases/sets/0016element_leak_0
+I: [EXECUTING]	././testcases/sets/0017add_after_flush_0
+I: [OK]		././testcases/sets/0017add_after_flush_0
+I: [EXECUTING]	././testcases/sets/0018set_check_size_1
+I: [OK]		././testcases/sets/0018set_check_size_1
+I: [EXECUTING]	././testcases/sets/0019set_check_size_0
+I: [OK]		././testcases/sets/0019set_check_size_0
+I: [EXECUTING]	././testcases/sets/0020comments_0
+I: [OK]		././testcases/sets/0020comments_0
+I: [EXECUTING]	././testcases/sets/0021nesting_0
+I: [OK]		././testcases/sets/0021nesting_0
+I: [EXECUTING]	././testcases/sets/0022type_selective_flush_0
+I: [OK]		././testcases/sets/0022type_selective_flush_0
+I: [EXECUTING]	././testcases/sets/0023incomplete_add_set_command_0
+I: [OK]		././testcases/sets/0023incomplete_add_set_command_0
+I: [EXECUTING]	././testcases/sets/0024named_objects_0
+I: [OK]		././testcases/sets/0024named_objects_0
+I: [EXECUTING]	././testcases/sets/0025anonymous_set_0
+I: [OK]		././testcases/sets/0025anonymous_set_0
+I: [EXECUTING]	././testcases/sets/0026named_limit_0
+I: [OK]		././testcases/sets/0026named_limit_0
+I: [EXECUTING]	././testcases/sets/0027ipv6_maps_ipv4_0
+I: [OK]		././testcases/sets/0027ipv6_maps_ipv4_0
+I: [EXECUTING]	././testcases/sets/0028autoselect_0
+I: [OK]		././testcases/sets/0028autoselect_0
+I: [EXECUTING]	././testcases/sets/0028delete_handle_0
+I: [OK]		././testcases/sets/0028delete_handle_0
+I: [EXECUTING]	././testcases/sets/0029named_ifname_dtype_0
+I: [OK]		././testcases/sets/0029named_ifname_dtype_0
+I: [EXECUTING]	././testcases/sets/0030add_many_elements_interval_0
+I: [OK]		././testcases/sets/0030add_many_elements_interval_0
+I: [EXECUTING]	././testcases/sets/0031set_timeout_size_0
+I: [OK]		././testcases/sets/0031set_timeout_size_0
+I: [EXECUTING]	././testcases/sets/0032restore_set_simple_0
+I: [OK]		././testcases/sets/0032restore_set_simple_0
+I: [EXECUTING]	././testcases/sets/0033add_set_simple_flat_0
+I: [OK]		././testcases/sets/0033add_set_simple_flat_0
+I: [EXECUTING]	././testcases/sets/0034get_element_0
+I: [OK]		././testcases/sets/0034get_element_0
+I: [EXECUTING]	././testcases/sets/0035add_set_elements_flat_0
+I: [OK]		././testcases/sets/0035add_set_elements_flat_0
+I: [EXECUTING]	././testcases/sets/0036add_set_element_expiration_0
+I: [OK]		././testcases/sets/0036add_set_element_expiration_0
+I: [EXECUTING]	././testcases/sets/0037_set_with_inet_service_0
+I: [OK]		././testcases/sets/0037_set_with_inet_service_0
+I: [EXECUTING]	././testcases/sets/0038meter_list_0
+I: [OK]		././testcases/sets/0038meter_list_0
+I: [EXECUTING]	././testcases/sets/0039delete_interval_0
+I: [OK]		././testcases/sets/0039delete_interval_0
+I: [EXECUTING]	././testcases/sets/0040get_host_endian_elements_0
+I: [OK]		././testcases/sets/0040get_host_endian_elements_0
+I: [EXECUTING]	././testcases/sets/0041interval_0
+I: [OK]		././testcases/sets/0041interval_0
+I: [EXECUTING]	././testcases/sets/0042update_set_0
+I: [OK]		././testcases/sets/0042update_set_0
+I: [EXECUTING]	././testcases/sets/0043concatenated_ranges_0
+I: [OK]		././testcases/sets/0043concatenated_ranges_0
+I: [EXECUTING]	././testcases/sets/0043concatenated_ranges_1
+I: [OK]		././testcases/sets/0043concatenated_ranges_1
+I: [EXECUTING]	././testcases/sets/0044interval_overlap_0
+I: [OK]		././testcases/sets/0044interval_overlap_0
+I: [EXECUTING]	././testcases/sets/0044interval_overlap_1
+I: [OK]		././testcases/sets/0044interval_overlap_1
+I: [EXECUTING]	././testcases/sets/0045concat_ipv4_service
+I: [OK]		././testcases/sets/0045concat_ipv4_service
+I: [EXECUTING]	././testcases/sets/0046netmap_0
+I: [OK]		././testcases/sets/0046netmap_0
+I: [EXECUTING]	././testcases/sets/0047nat_0
+I: [OK]		././testcases/sets/0047nat_0
+I: [EXECUTING]	././testcases/sets/0048set_counters_0
+I: [OK]		././testcases/sets/0048set_counters_0
+I: [EXECUTING]	././testcases/sets/0049set_define_0
+I: [OK]		././testcases/sets/0049set_define_0
+I: [EXECUTING]	././testcases/sets/0050set_define_1
+I: [OK]		././testcases/sets/0050set_define_1
+I: [EXECUTING]	././testcases/sets/0051set_interval_counter_0
+I: [OK]		././testcases/sets/0051set_interval_counter_0
+I: [EXECUTING]	././testcases/sets/0052overlap_0
+I: [OK]		././testcases/sets/0052overlap_0
+I: [EXECUTING]	././testcases/sets/0053echo_0
+I: [OK]		././testcases/sets/0053echo_0
+I: [EXECUTING]	././testcases/sets/0054comments_set_0
+I: [OK]		././testcases/sets/0054comments_set_0
+I: [EXECUTING]	././testcases/sets/0055tcpflags_0
+I: [OK]		././testcases/sets/0055tcpflags_0
+I: [EXECUTING]	././testcases/sets/0056dynamic_limit_0
+I: [OK]		././testcases/sets/0056dynamic_limit_0
+I: [EXECUTING]	././testcases/sets/0057set_create_fails_0
+I: [OK]		././testcases/sets/0057set_create_fails_0
+I: [EXECUTING]	././testcases/sets/0058_setupdate_timeout_0
+I: [OK]		././testcases/sets/0058_setupdate_timeout_0
+I: [EXECUTING]	././testcases/sets/0059set_update_multistmt_0
+I: [OK]		././testcases/sets/0059set_update_multistmt_0
+I: [EXECUTING]	././testcases/sets/0060set_multistmt_0
+I: [OK]		././testcases/sets/0060set_multistmt_0
+I: [EXECUTING]	././testcases/sets/0060set_multistmt_1
+I: [OK]		././testcases/sets/0060set_multistmt_1
+I: [EXECUTING]	././testcases/sets/0061anonymous_automerge_0
+I: [OK]		././testcases/sets/0061anonymous_automerge_0
+I: [EXECUTING]	././testcases/sets/0062set_connlimit_0
+I: [OK]		././testcases/sets/0062set_connlimit_0
+I: [EXECUTING]	././testcases/sets/0063set_catchall_0
+I: [OK]		././testcases/sets/0063set_catchall_0
+I: [EXECUTING]	././testcases/sets/0064map_catchall_0
+I: [OK]		././testcases/sets/0064map_catchall_0
+I: [EXECUTING]	././testcases/sets/0065_icmp_postprocessing
+I: [OK]		././testcases/sets/0065_icmp_postprocessing
+I: [EXECUTING]	././testcases/sets/0067nat_concat_interval_0
+I: [OK]		././testcases/sets/0067nat_concat_interval_0
+I: [EXECUTING]	././testcases/sets/0068interval_stack_overflow_0
+I: [OK]		././testcases/sets/0068interval_stack_overflow_0
+I: [EXECUTING]	././testcases/sets/0069interval_merge_0
+I: [OK]		././testcases/sets/0069interval_merge_0
+I: [EXECUTING]	././testcases/sets/0070stacked_l2_headers
+I: [OK]		././testcases/sets/0070stacked_l2_headers
+I: [EXECUTING]	././testcases/sets/0071unclosed_prefix_interval_0
+I: [OK]		././testcases/sets/0071unclosed_prefix_interval_0
+I: [EXECUTING]	././testcases/sets/0072destroy_0
+W: [FAILED]	././testcases/sets/0072destroy_0
+I: [EXECUTING]	././testcases/sets/automerge_0
+I: [OK]		././testcases/sets/automerge_0
+I: [EXECUTING]	././testcases/sets/collapse_elem_0
+I: [OK]		././testcases/sets/collapse_elem_0
+I: [EXECUTING]	././testcases/sets/concat_interval_0
+I: [OK]		././testcases/sets/concat_interval_0
+I: [EXECUTING]	././testcases/sets/dynset_missing
+I: [OK]		././testcases/sets/dynset_missing
+I: [EXECUTING]	././testcases/sets/errors_0
+I: [OK]		././testcases/sets/errors_0
+I: [EXECUTING]	././testcases/sets/exact_overlap_0
+I: [OK]		././testcases/sets/exact_overlap_0
+I: [EXECUTING]	././testcases/sets/inner_0
+W: [FAILED]	././testcases/sets/inner_0
+I: [EXECUTING]	././testcases/sets/reset_command_0
+W: [FAILED]	././testcases/sets/reset_command_0
+I: [EXECUTING]	././testcases/sets/set_eval_0
+I: [OK]		././testcases/sets/set_eval_0
+I: [EXECUTING]	././testcases/sets/sets_with_ifnames
+I: [OK]		././testcases/sets/sets_with_ifnames
+I: [EXECUTING]	././testcases/sets/typeof_raw_0
+I: [OK]		././testcases/sets/typeof_raw_0
+I: [EXECUTING]	././testcases/sets/typeof_sets_0
+I: [OK]		././testcases/sets/typeof_sets_0
+I: [EXECUTING]	././testcases/sets/typeof_sets_1
+I: [OK]		././testcases/sets/typeof_sets_1
+I: [EXECUTING]	././testcases/sets/typeof_sets_concat
+I: [OK]		././testcases/sets/typeof_sets_concat
+I: [EXECUTING]	././testcases/sets/type_set_symbol
+I: [OK]		././testcases/sets/type_set_symbol
+I: [EXECUTING]	././testcases/transactions/0001table_0
+I: [OK]		././testcases/transactions/0001table_0
+I: [EXECUTING]	././testcases/transactions/0002table_0
+I: [OK]		././testcases/transactions/0002table_0
+I: [EXECUTING]	././testcases/transactions/0003table_0
+I: [OK]		././testcases/transactions/0003table_0
+I: [EXECUTING]	././testcases/transactions/0010chain_0
+I: [OK]		././testcases/transactions/0010chain_0
+I: [EXECUTING]	././testcases/transactions/0011chain_0
+I: [OK]		././testcases/transactions/0011chain_0
+I: [EXECUTING]	././testcases/transactions/0012chain_0
+I: [OK]		././testcases/transactions/0012chain_0
+I: [EXECUTING]	././testcases/transactions/0013chain_0
+I: [OK]		././testcases/transactions/0013chain_0
+I: [EXECUTING]	././testcases/transactions/0014chain_1
+I: [OK]		././testcases/transactions/0014chain_1
+I: [EXECUTING]	././testcases/transactions/0015chain_0
+I: [OK]		././testcases/transactions/0015chain_0
+I: [EXECUTING]	././testcases/transactions/0020rule_0
+I: [OK]		././testcases/transactions/0020rule_0
+I: [EXECUTING]	././testcases/transactions/0021rule_0
+I: [OK]		././testcases/transactions/0021rule_0
+I: [EXECUTING]	././testcases/transactions/0022rule_1
+I: [OK]		././testcases/transactions/0022rule_1
+I: [EXECUTING]	././testcases/transactions/0023rule_1
+I: [OK]		././testcases/transactions/0023rule_1
+I: [EXECUTING]	././testcases/transactions/0024rule_0
+I: [OK]		././testcases/transactions/0024rule_0
+I: [EXECUTING]	././testcases/transactions/0025rule_0
+I: [OK]		././testcases/transactions/0025rule_0
+I: [EXECUTING]	././testcases/transactions/0030set_0
+I: [OK]		././testcases/transactions/0030set_0
+I: [EXECUTING]	././testcases/transactions/0031set_0
+I: [OK]		././testcases/transactions/0031set_0
+I: [EXECUTING]	././testcases/transactions/0032set_0
+I: [OK]		././testcases/transactions/0032set_0
+I: [EXECUTING]	././testcases/transactions/0033set_0
+I: [OK]		././testcases/transactions/0033set_0
+I: [EXECUTING]	././testcases/transactions/0034set_0
+I: [OK]		././testcases/transactions/0034set_0
+I: [EXECUTING]	././testcases/transactions/0035set_0
+I: [OK]		././testcases/transactions/0035set_0
+I: [EXECUTING]	././testcases/transactions/0036set_1
+I: [OK]		././testcases/transactions/0036set_1
+I: [EXECUTING]	././testcases/transactions/0037set_0
+I: [OK]		././testcases/transactions/0037set_0
+I: [EXECUTING]	././testcases/transactions/0038set_0
+I: [OK]		././testcases/transactions/0038set_0
+I: [EXECUTING]	././testcases/transactions/0039set_0
+I: [OK]		././testcases/transactions/0039set_0
+I: [EXECUTING]	././testcases/transactions/0040set_0
+I: [OK]		././testcases/transactions/0040set_0
+I: [EXECUTING]	././testcases/transactions/0041nat_restore_0
+I: [OK]		././testcases/transactions/0041nat_restore_0
+I: [EXECUTING]	././testcases/transactions/0042_stateful_expr_0
+I: [OK]		././testcases/transactions/0042_stateful_expr_0
+I: [EXECUTING]	././testcases/transactions/0043set_1
+I: [OK]		././testcases/transactions/0043set_1
+I: [EXECUTING]	././testcases/transactions/0044rule_0
+I: [OK]		././testcases/transactions/0044rule_0
+I: [EXECUTING]	././testcases/transactions/0045anon-unbind_0
+I: [OK]		././testcases/transactions/0045anon-unbind_0
+I: [EXECUTING]	././testcases/transactions/0046set_0
+I: [OK]		././testcases/transactions/0046set_0
+I: [EXECUTING]	././testcases/transactions/0047set_0
+I: [OK]		././testcases/transactions/0047set_0
+I: [EXECUTING]	././testcases/transactions/0048helpers_0
+I: [OK]		././testcases/transactions/0048helpers_0
+I: [EXECUTING]	././testcases/transactions/0049huge_0
+I: [OK]		././testcases/transactions/0049huge_0
+I: [EXECUTING]	././testcases/transactions/0050rule_1
+I: [OK]		././testcases/transactions/0050rule_1
+I: [EXECUTING]	././testcases/transactions/0051map_0
+I: [OK]		././testcases/transactions/0051map_0
+I: [EXECUTING]	././testcases/transactions/30s-stress
+I: [OK]		././testcases/transactions/30s-stress
+I: [EXECUTING]	././testcases/transactions/anon_chain_loop
+I: [OK]		././testcases/transactions/anon_chain_loop
+I: [EXECUTING]	././testcases/transactions/bad_expression
+I: [OK]		././testcases/transactions/bad_expression
+
+W: [FAILED]	kmemleak detected 1333 memory leaks
+I: results: [OK] 363 [FAILED] 10 [TOTAL] 373
diff --git a/tests/shell/test-list.txt b/tests/shell/test-list.txt
new file mode 100644
index 0000000..a044896
--- /dev/null
+++ b/tests/shell/test-list.txt
@@ -0,0 +1,367 @@
+testcases/chains/0013rename_0
+testcases/chains/0029prio_bridge_srcnat_1
+testcases/chains/0017masquerade_jump_1
+testcases/chains/0004busy_1
+testcases/chains/0003jump_loop_1
+testcases/chains/0021prio_0
+testcases/chains/0014rename_0
+testcases/chains/0006masquerade_0
+testcases/chains/0007masquerade_1
+testcases/chains/0005busy_map_1
+testcases/chains/0001jumps_0
+testcases/chains/0031priority_variable_0
+testcases/chains/0024prio_inet_dstnat_1
+testcases/chains/0038policy_variable_1
+testcases/chains/0030create_0
+testcases/chains/0036policy_variable_0
+testcases/chains/0035policy_variable_0
+testcases/chains/0033priority_variable_1
+testcases/chains/0043chain_ingress_0
+testcases/chains/0034priority_variable_1
+testcases/chains/0026prio_netdev_1
+testcases/chains/0044chain_destroy_0
+testcases/chains/0037policy_variable_1
+testcases/chains/0019masquerade_jump_1
+testcases/chains/0010endless_jump_loop_1
+testcases/chains/0009masquerade_jump_1
+testcases/chains/0023prio_inet_srcnat_1
+testcases/chains/0042chain_variable_0
+testcases/chains/0016delete_handle_0
+testcases/chains/0025prio_arp_1
+testcases/chains/0002jumps_1
+testcases/chains/0022prio_dummy_1
+testcases/chains/0018check_jump_loop_1
+testcases/chains/netdev_chain_0
+testcases/chains/0041chain_binding_0
+testcases/chains/0008masquerade_jump_1
+testcases/chains/0045chain_destroy_0
+testcases/chains/0015check_jump_loop_1
+testcases/chains/0020depth_1
+testcases/chains/0011endless_jump_loop_1
+testcases/chains/0032priority_variable_0
+testcases/chains/0028prio_bridge_out_1
+testcases/chains/0027prio_bridge_dstnat_1
+testcases/chains/0039negative_priority_0
+testcases/bitwise/0040mark_binop_8
+testcases/bitwise/0040mark_binop_5
+testcases/bitwise/0040mark_binop_4
+testcases/bitwise/0040mark_binop_3
+testcases/bitwise/0040mark_binop_2
+testcases/bitwise/0040mark_binop_6
+testcases/bitwise/0040mark_binop_7
+testcases/bitwise/0040mark_binop_1
+testcases/bitwise/0040mark_binop_0
+testcases/bitwise/0040mark_binop_9
+testcases/maps/0011vmap_0
+testcases/maps/named_snat_map_0
+testcases/maps/typeof_maps_concat_update_0
+testcases/maps/typeof_maps_concat
+testcases/maps/different_map_types_1
+testcases/maps/0005interval_map_add_many_elements_0
+testcases/maps/0007named_ifname_dtype_0
+testcases/maps/typeof_maps_update_0
+testcases/maps/map_with_flags_0
+testcases/maps/0014destroy_0
+testcases/maps/typeof_maps_0
+testcases/maps/0004interval_map_create_once_0
+testcases/maps/0006interval_map_overlap_0
+testcases/maps/0009vmap_0
+testcases/maps/anon_objmap_concat
+testcases/maps/0013map_0
+testcases/maps/0008interval_map_delete_0
+testcases/maps/0010concat_map_0
+testcases/maps/0003map_add_many_elements_0
+testcases/maps/typeof_raw_0
+testcases/maps/anonymous_snat_map_0
+testcases/maps/nat_addr_port
+testcases/maps/0015destroy_0
+testcases/maps/0012map_0
+testcases/maps/typeof_integer_0
+testcases/listing/0013objects_0
+testcases/listing/0017objects_0
+testcases/listing/0010sets_0
+testcases/listing/0009ruleset_bridge_0
+testcases/listing/0006ruleset_ip6_0
+testcases/listing/0020flowtable_0
+testcases/listing/0012sets_0
+testcases/listing/0008ruleset_arp_0
+testcases/listing/0011sets_0
+testcases/listing/0002ruleset_0
+testcases/listing/0015dynamic_0
+testcases/listing/0004table_0
+testcases/listing/0001ruleset_0
+testcases/listing/0003table_0
+testcases/listing/0019set_0
+testcases/listing/0021ruleset_json_terse_0
+testcases/listing/0022terse_0
+testcases/listing/0005ruleset_ip_0
+testcases/listing/0016anonymous_0
+testcases/listing/0007ruleset_inet_0
+testcases/listing/0014objects_0
+testcases/listing/0018data_0
+testcases/nft-i/0001define_0
+testcases/optionals/handles_0
+testcases/optionals/comments_objects_0
+testcases/optionals/comments_chain_0
+testcases/optionals/delete_object_handles_0
+testcases/optionals/update_object_handles_0
+testcases/optionals/comments_table_0
+testcases/optionals/comments_objects_dup_0
+testcases/optionals/comments_handles_0
+testcases/optionals/comments_0
+testcases/optionals/handles_1
+testcases/optionals/log_prefix_0
+testcases/optimizations
+testcases/optimizations/skip_non_eq
+testcases/optimizations/merge_nat
+testcases/optimizations/merge_stmts_concat_vmap
+testcases/optimizations/single_anon_set
+testcases/optimizations/dependency_kill
+testcases/optimizations/merge_reject
+testcases/optimizations/not_mergeable
+testcases/optimizations/merge_stmts_vmap
+testcases/optimizations/merge_vmaps
+testcases/optimizations/skip_merge
+testcases/optimizations/merge_vmap_raw
+testcases/optimizations/merge_stmts
+testcases/optimizations/merge_stmts_concat
+testcases/optimizations/skip_unsupported
+testcases/optimizations/ruleset
+testcases/optimizations/variables
+testcases/json/netdev
+testcases/json/0005secmark_objref_0
+testcases/json/0002table_map_0
+testcases/json/0003json_schema_version_0
+testcases/json/0001set_statements_0
+testcases/json/0004json_schema_version_1
+testcases/json/0006obj_comment_0
+testcases/rule_management/0010replace_0
+testcases/rule_management/0003insert_0
+testcases/rule_management/0005replace_1
+testcases/rule_management/0004replace_0
+testcases/rule_management/0008delete_1
+testcases/rule_management/0011reset_0
+testcases/rule_management/0012destroy_0
+testcases/rule_management/0007delete_0
+testcases/rule_management/0002addinsertlocation_1
+testcases/rule_management/0013destroy_0
+testcases/rule_management/0006replace_1
+testcases/rule_management/0009delete_1
+testcases/rule_management/0001addinsertposition_0
+testcases/cache/0010_implicit_chain_0
+testcases/cache/0002_interval_0
+testcases/cache/0004_cache_update_0
+testcases/cache/0011_index_0
+testcases/cache/0005_cache_chain_flush
+testcases/cache/0009_delete_by_handle_incorrect_0
+testcases/cache/0007_echo_cache_init_0
+testcases/cache/0006_cache_table_flush
+testcases/cache/0001_cache_handling_0
+testcases/cache/0008_delete_by_handle_0
+testcases/cache/0003_cache_update_0
+testcases/flowtable/0016destroy_0
+testcases/flowtable/0001flowtable_0
+testcases/flowtable/0014addafterdelete_0
+testcases/flowtable/0012flowtable_variable_0
+testcases/flowtable/0008prio_1
+testcases/flowtable/0013addafterdelete_0
+testcases/flowtable/0006segfault_0
+testcases/flowtable/0007prio_0
+testcases/flowtable/0004delete_after_add_0
+testcases/flowtable/0011deleteafterflush_0
+testcases/flowtable/0010delete_handle_0
+testcases/flowtable/0002create_flowtable_0
+testcases/flowtable/0009deleteafterflush_0
+testcases/flowtable/0015destroy_0
+testcases/flowtable/0003add_after_flush_0
+testcases/flowtable/0005delete_in_use_1
+testcases/nft-f/0008split_tables_0
+testcases/nft-f/0005rollback_map_0
+testcases/nft-f/0028variable_cmdline_0
+testcases/nft-f/0017ct_timeout_obj_0
+testcases/nft-f/0010variable_0
+testcases/nft-f/0027split_chains_0
+testcases/nft-f/0023check_1
+testcases/nft-f/0012different_defines_0
+testcases/nft-f/0018jump_variable_0
+testcases/nft-f/0022variables_0
+testcases/nft-f/0018ct_expectation_obj_0
+testcases/nft-f/0016redefines_1
+testcases/nft-f/0029split_file_0
+testcases/nft-f/0004rollback_set_0
+testcases/nft-f/0031vmap_string_0
+testcases/nft-f/0001define_slash_0
+testcases/nft-f/0024priority_0
+testcases/nft-f/0003rollback_jump_0
+testcases/nft-f/0030variable_reuse_0
+testcases/nft-f/0013defines_1
+testcases/nft-f/0014defines_1
+testcases/nft-f/0020jump_variable_1
+testcases/nft-f/0006action_object_0
+testcases/nft-f/0002rollback_rule_0
+testcases/nft-f/0019jump_variable_1
+testcases/nft-f/0011manydefines_0
+testcases/nft-f/0025empty_dynset_0
+testcases/nft-f/0015defines_1
+testcases/nft-f/0009variable_0
+testcases/nft-f/0021list_ruleset_0
+testcases/nft-f/0007action_object_set_segfault_1
+testcases/nft-f/0026listing_0
+testcases/comments/comments_0
+testcases/transactions/0002table_0
+testcases/transactions/0039set_0
+testcases/transactions/0035set_0
+testcases/transactions/0037set_0
+testcases/transactions/0043set_1
+testcases/transactions/0041nat_restore_0
+testcases/transactions/0021rule_0
+testcases/transactions/0046set_0
+testcases/transactions/0023rule_1
+testcases/transactions/0045anon-unbind_0
+testcases/transactions/0014chain_1
+testcases/transactions/0022rule_1
+testcases/transactions/0038set_0
+testcases/transactions/0048helpers_0
+testcases/transactions/0040set_0
+testcases/transactions/0001table_0
+testcases/transactions/0032set_0
+testcases/transactions/0049huge_0
+testcases/transactions/0024rule_0
+testcases/transactions/0044rule_0
+testcases/transactions/0011chain_0
+testcases/transactions/0050rule_1
+testcases/transactions/0031set_0
+testcases/transactions/0036set_1
+testcases/transactions/0010chain_0
+testcases/transactions/0030set_0
+testcases/transactions/0013chain_0
+testcases/transactions/0025rule_0
+testcases/transactions/0012chain_0
+testcases/transactions/0042_stateful_expr_0
+testcases/transactions/0051map_0
+testcases/transactions/0003table_0
+testcases/transactions/0015chain_0
+testcases/transactions/0033set_0
+testcases/transactions/anon_chain_loop
+testcases/transactions/0047set_0
+testcases/transactions/0034set_0
+testcases/transactions/0020rule_0
+testcases/parsing/describe
+testcases/parsing/log
+testcases/parsing/octal
+testcases/include/0005glob_empty_0
+testcases/include/0020include_chain_0
+testcases/include/0019include_error_0
+testcases/include/0010glob_broken_file_1
+testcases/include/0018include_error_0
+testcases/include/0012glob_dependency_1
+testcases/include/0011glob_dependency_0
+testcases/include/0013input_descriptors_included_files_0
+testcases/include/0002relative_0
+testcases/include/0017glob_more_than_maxdepth_1
+testcases/include/0014glob_directory_0
+testcases/include/0016maxdepth_0
+testcases/include/0008glob_nofile_wildcard_0
+testcases/include/0013glob_dotfile_0
+testcases/include/0006glob_single_0
+testcases/include/0003includepath_0
+testcases/include/0004endlessloop_1
+testcases/include/0001absolute_0
+testcases/include/0015doubleincludepath_0
+testcases/include/0007glob_double_0
+testcases/include/0009glob_nofile_1
+testcases/owner/0001-flowtable-uaf
+testcases/sets/0028autoselect_0
+testcases/sets/0037_set_with_inet_service_0
+testcases/sets/0043concatenated_ranges_0
+testcases/sets/0073destroy_0
+testcases/sets/0064map_catchall_0
+testcases/sets/0058_setupdate_timeout_0
+testcases/sets/0068interval_stack_overflow_0
+testcases/sets/0003named_interval_missing_flag_0
+testcases/sets/0027ipv6_maps_ipv4_0
+testcases/sets/0049set_define_0
+testcases/sets/0021nesting_0
+testcases/sets/0019set_check_size_0
+testcases/sets/0008comments_interval_0
+testcases/sets/0029named_ifname_dtype_0
+testcases/sets/0024named_objects_0
+testcases/sets/0013add_delete_many_elements_0
+testcases/sets/type_set_symbol
+testcases/sets/0056dynamic_limit_0
+testcases/sets/errors_0
+testcases/sets/0028delete_handle_0
+testcases/sets/0006create_set_0
+testcases/sets/0031set_timeout_size_0
+testcases/sets/0014malformed_set_is_not_defined_0
+testcases/sets/0048set_counters_0
+testcases/sets/collapse_elem_0
+testcases/sets/0070stacked_l2_headers
+testcases/sets/0046netmap_0
+testcases/sets/0044interval_overlap_1
+testcases/sets/0057set_create_fails_0
+testcases/sets/0012add_delete_many_elements_0
+testcases/sets/0018set_check_size_1
+testcases/sets/0035add_set_elements_flat_0
+testcases/sets/0020comments_0
+testcases/sets/0052overlap_0
+testcases/sets/exact_overlap_0
+testcases/sets/0047nat_0
+testcases/sets/0069interval_merge_0
+testcases/sets/0051set_interval_counter_0
+testcases/sets/0022type_selective_flush_0
+testcases/sets/0039delete_interval_0
+testcases/sets/0016element_leak_0
+testcases/sets/0023incomplete_add_set_command_0
+testcases/sets/0033add_set_simple_flat_0
+testcases/sets/typeof_sets_1
+testcases/sets/0060set_multistmt_0
+testcases/sets/typeof_sets_concat
+testcases/sets/0026named_limit_0
+testcases/sets/0072destroy_0
+testcases/sets/0038meter_list_0
+testcases/sets/typeof_sets_0
+testcases/sets/0010comments_0
+testcases/sets/inner_0
+testcases/sets/set_eval_0
+testcases/sets/0045concat_ipv4_service
+testcases/sets/0041interval_0
+testcases/sets/0007create_element_0
+testcases/sets/0040get_host_endian_elements_0
+testcases/sets/0061anonymous_automerge_0
+testcases/sets/0055tcpflags_0
+testcases/sets/0071unclosed_prefix_interval_0
+testcases/sets/sets_with_ifnames
+testcases/sets/0017add_after_flush_0
+testcases/sets/0034get_element_0
+testcases/sets/0060set_multistmt_1
+testcases/sets/0043concatenated_ranges_1
+testcases/sets/0065_icmp_postprocessing
+testcases/sets/0063set_catchall_0
+testcases/sets/0030add_many_elements_interval_0
+testcases/sets/0008create_verdict_map_0
+testcases/sets/concat_interval_0
+testcases/sets/0025anonymous_set_0
+testcases/sets/0011add_many_elements_0
+testcases/sets/0059set_update_multistmt_0
+testcases/sets/0054comments_set_0
+testcases/sets/0009comments_timeout_0
+testcases/sets/0067nat_concat_interval_0
+testcases/sets/typeof_raw_0
+testcases/sets/0004named_interval_shadow_0
+testcases/sets/0036add_set_element_expiration_0
+testcases/sets/0044interval_overlap_0
+testcases/sets/automerge_0
+testcases/sets/dynset_missing
+testcases/sets/0032restore_set_simple_0
+testcases/sets/0002named_interval_automerging_0
+testcases/sets/0001named_interval_0
+testcases/sets/0042update_set_0
+testcases/sets/0053echo_0
+testcases/sets/0005named_interval_shadow_0
+testcases/sets/0062set_connlimit_0
+testcases/sets/0050set_define_1
+testcases/sets/0015rulesetflush_0
+testcases/netns/0001nft-f_0
+testcases/netns/0002loosecommands_0
+testcases/netns/0003many_0
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_0 b/tests/shell/testcases/bitwise/0040mark_binop_0
new file mode 100755
index 0000000..4ecc9d3
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_0
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+  add table t
+  add chain t c { type filter hook output priority filter; }
+  add rule t c oif lo ct mark set (meta mark | 0x10) << 8
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_1 b/tests/shell/testcases/bitwise/0040mark_binop_1
new file mode 100755
index 0000000..bd9e028
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+  add table t
+  add chain t c { type filter hook input priority filter; }
+  add rule t c iif lo ct mark & 0xff 0x10 meta mark set ct mark >> 8
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_2 b/tests/shell/testcases/bitwise/0040mark_binop_2
new file mode 100755
index 0000000..5e66a27
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_2
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+  add table t
+  add chain t c { type filter hook output priority filter; }
+  add rule t c ct mark set ip dscp lshift 2 or 0x10
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_3 b/tests/shell/testcases/bitwise/0040mark_binop_3
new file mode 100755
index 0000000..21dda67
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_3
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+  add table t
+  add chain t c { type filter hook input priority filter; }
+  add rule t c meta mark set ip dscp lshift 2 or 0x10
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_4 b/tests/shell/testcases/bitwise/0040mark_binop_4
new file mode 100755
index 0000000..e5c8a42
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_4
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+  add table t
+  add chain t c { type filter hook output priority filter; }
+  add rule t c ct mark set ip dscp lshift 26 or 0x10
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_5 b/tests/shell/testcases/bitwise/0040mark_binop_5
new file mode 100755
index 0000000..184fbed
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_5
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+  add table t
+  add chain t c { type filter hook input priority filter; }
+  add rule t c meta mark set ip dscp lshift 26 or 0x10
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_6 b/tests/shell/testcases/bitwise/0040mark_binop_6
new file mode 100755
index 0000000..129dd5c
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_6
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+  add table ip6 t
+  add chain ip6 t c { type filter hook output priority filter; }
+  add rule ip6 t c ct mark set ip6 dscp lshift 2 or 0x10
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_7 b/tests/shell/testcases/bitwise/0040mark_binop_7
new file mode 100755
index 0000000..791a794
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_7
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+  add table ip6 t
+  add chain ip6 t c { type filter hook input priority filter; }
+  add rule ip6 t c meta mark set ip6 dscp lshift 2 or 0x10
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_8 b/tests/shell/testcases/bitwise/0040mark_binop_8
new file mode 100755
index 0000000..5e7bd28
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_8
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+  add table ip6 t
+  add chain ip6 t c { type filter hook output priority filter; }
+  add rule ip6 t c ct mark set ip6 dscp lshift 26 or 0x10
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/0040mark_binop_9 b/tests/shell/testcases/bitwise/0040mark_binop_9
new file mode 100755
index 0000000..a7b60fb
--- /dev/null
+++ b/tests/shell/testcases/bitwise/0040mark_binop_9
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_bitshift)
+
+set -e
+
+RULESET="
+  add table ip6 t
+  add chain ip6 t c { type filter hook input priority filter; }
+  add rule ip6 t c meta mark set ip6 dscp lshift 26 or 0x10
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_0.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_0.nft
new file mode 100644
index 0000000..fc0a600
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_0.nft
@@ -0,0 +1,6 @@
+table ip t {
+	chain c {
+		type filter hook output priority filter; policy accept;
+		oif "lo" ct mark set (meta mark | 0x00000010) << 8
+	}
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_1.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_1.nft
new file mode 100644
index 0000000..dbaacef
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_1.nft
@@ -0,0 +1,6 @@
+table ip t {
+	chain c {
+		type filter hook input priority filter; policy accept;
+		iif "lo" ct mark & 0x000000ff == 0x00000010 meta mark set ct mark >> 8
+	}
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_2.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_2.nft
new file mode 100644
index 0000000..2b9be36
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_2.nft
@@ -0,0 +1,6 @@
+table ip t {
+	chain c {
+		type filter hook output priority filter; policy accept;
+		ct mark set ip dscp << 2 | 0x10
+	}
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_3.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_3.nft
new file mode 100644
index 0000000..8206fec
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_3.nft
@@ -0,0 +1,6 @@
+table ip t {
+	chain c {
+		type filter hook input priority filter; policy accept;
+		meta mark set ip dscp << 2 | 0x10
+	}
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_4.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_4.nft
new file mode 100644
index 0000000..91d9f56
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_4.nft
@@ -0,0 +1,6 @@
+table ip t {
+	chain c {
+		type filter hook output priority filter; policy accept;
+		ct mark set ip dscp << 26 | 0x10
+	}
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_5.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_5.nft
new file mode 100644
index 0000000..f2b51eb
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_5.nft
@@ -0,0 +1,6 @@
+table ip t {
+	chain c {
+		type filter hook input priority filter; policy accept;
+		meta mark set ip dscp << 26 | 0x10
+	}
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_6.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_6.nft
new file mode 100644
index 0000000..cf7be90
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_6.nft
@@ -0,0 +1,6 @@
+table ip6 t {
+	chain c {
+		type filter hook output priority filter; policy accept;
+		ct mark set ip6 dscp << 2 | 0x10
+	}
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_7.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_7.nft
new file mode 100644
index 0000000..a9663e6
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_7.nft
@@ -0,0 +1,6 @@
+table ip6 t {
+	chain c {
+		type filter hook input priority filter; policy accept;
+		meta mark set ip6 dscp << 2 | 0x10
+	}
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_8.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_8.nft
new file mode 100644
index 0000000..04b866a
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_8.nft
@@ -0,0 +1,6 @@
+table ip6 t {
+	chain c {
+		type filter hook output priority filter; policy accept;
+		ct mark set ip6 dscp << 26 | 0x10
+	}
+}
diff --git a/tests/shell/testcases/bitwise/dumps/0040mark_binop_9.nft b/tests/shell/testcases/bitwise/dumps/0040mark_binop_9.nft
new file mode 100644
index 0000000..d4745ea
--- /dev/null
+++ b/tests/shell/testcases/bitwise/dumps/0040mark_binop_9.nft
@@ -0,0 +1,6 @@
+table ip6 t {
+	chain c {
+		type filter hook input priority filter; policy accept;
+		meta mark set ip6 dscp << 26 | 0x10
+	}
+}
diff --git a/tests/shell/testcases/bogons/assert_failures b/tests/shell/testcases/bogons/assert_failures
new file mode 100755
index 0000000..7909942
--- /dev/null
+++ b/tests/shell/testcases/bogons/assert_failures
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+dir=$(dirname $0)/nft-f/
+
+for f in $dir/*; do
+	$NFT --check -f "$f"
+
+	if [ $? -ne 1 ]; then
+		echo "Bogus input file $f did not cause expected error code" 1>&2
+		exit 111
+	fi
+done
diff --git a/tests/shell/testcases/bogons/dumps/assert_failures.nft b/tests/shell/testcases/bogons/dumps/assert_failures.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/bogons/dumps/assert_failures.nft
diff --git a/tests/shell/testcases/bogons/nft-f/include-device b/tests/shell/testcases/bogons/nft-f/include-device
new file mode 100644
index 0000000..1eb7977
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/include-device
@@ -0,0 +1 @@
+include "/dev/null"
diff --git a/tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert b/tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert
new file mode 100644
index 0000000..18c7edd
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert
@@ -0,0 +1,7 @@
+table ip x {
+	chain y {
+	type nat hook postrouting priority srcnat; policy accept;
+		snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24, 10.141.12.1 }
+	}
+}
+
diff --git a/tests/shell/testcases/bogons/nft-f/scope_underflow_assert b/tests/shell/testcases/bogons/nft-f/scope_underflow_assert
new file mode 100644
index 0000000..aee1dcb
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/scope_underflow_assert
@@ -0,0 +1,6 @@
+table t {
+	chain c {
+		jump{
+			jump {
+				jump
+
diff --git a/tests/shell/testcases/bogons/nft-f/zero_length_devicename_assert b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_assert
new file mode 100644
index 0000000..84f3307
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_assert
@@ -0,0 +1,5 @@
+table ip x {
+        chain Main_Ingress1 {
+                type filter hook ingress device""lo" priority -1
+	}
+}
diff --git a/tests/shell/testcases/bogons/nft-f/zero_length_devicename_flowtable_assert b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_flowtable_assert
new file mode 100644
index 0000000..2c3e6c3
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/zero_length_devicename_flowtable_assert
@@ -0,0 +1,5 @@
+table t {
+	flowtable f {
+		devices = { """"lo }
+	}
+}
diff --git a/tests/shell/testcases/cache/0001_cache_handling_0 b/tests/shell/testcases/cache/0001_cache_handling_0
new file mode 100755
index 0000000..0a68440
--- /dev/null
+++ b/tests/shell/testcases/cache/0001_cache_handling_0
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+RULESET='
+table inet test {
+	set test {
+		type ipv4_addr
+		elements = { 1.1.1.1, 3.3.3.3}
+	}
+
+	chain test {
+		ip saddr @test counter accept
+		ip daddr { 2.2.2.2, 4.4.4.4} counter accept
+	}
+}'
+
+set -e
+
+$NFT -f - <<< "$RULESET"
+TMP=$(mktemp)
+echo "$RULESET" >> "$TMP"
+$NFT "flush ruleset;include \"$TMP\""
+rm -f "$TMP"
+rule_handle=$($NFT -a list ruleset | awk '/saddr/{print $NF}')
+$NFT delete rule inet test test handle $rule_handle
+$NFT delete set inet test test
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/cache/0002_interval_0 b/tests/shell/testcases/cache/0002_interval_0
new file mode 100755
index 0000000..506a6c8
--- /dev/null
+++ b/tests/shell/testcases/cache/0002_interval_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# This testcase checks that we can load a ruleset twice in a row.
+# bug --> Error: interval overlaps with an existing one
+
+set -e
+
+RULESET="flush ruleset
+table inet t {
+	set s { type ipv4_addr; flags interval; }
+}
+
+add element inet t s {
+	192.168.0.1/24,
+}"
+
+$NFT -f - <<< "$RULESET"
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/cache/0003_cache_update_0 b/tests/shell/testcases/cache/0003_cache_update_0
new file mode 100755
index 0000000..05edc9c
--- /dev/null
+++ b/tests/shell/testcases/cache/0003_cache_update_0
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+set -e
+
+# Expose how naive cache update logic (i.e., drop cache and repopulate from
+# kernel ruleset) may mess things up. The following input does:
+#
+# list ruleset -> populate the cache, cache->genid is non-zero
+# add table ip t -> make kernel's genid increment (cache->genid remains
+#                   unchanged)
+# add table ip t2; -> first command of batch, new table t2 is added to the cache
+# add chain ip t2 c -> second command of batch, triggers cache_update() which
+#                      removes table t2 from it
+
+$NFT -i >/dev/null <<EOF
+list ruleset
+add table ip t
+add table ip t2; add chain ip t2 c
+EOF
+
+# The following test exposes a problem with simple locking of cache when local
+# entries are added:
+#
+# add table ip t3 -> cache would be locked without previous update
+# add chain ip t c -> table t is not found due to no cache update happening
+
+$NFT -i >/dev/null <<EOF
+add table ip t3; add chain ip t c
+EOF
+
+# The following test exposes a problem with incremental cache update when
+# reading commands from a file that add a rule using the "index" keyword.
+#
+# add rule ip t4 c meta l4proto icmp accept -> rule to reference in next step
+# add rule ip t4 c index 0 drop -> index 0 is not found due to rule cache not
+#                                  being updated
+# add rule ip t4 c index 2 drop -> index 2 is not found due to igmp rule being
+#                                  in same transaction and therefore not having
+#                                  an allocated handle
+$NFT -i >/dev/null <<EOF
+add table ip t4; add chain ip t4 c
+add rule ip t4 c meta l4proto icmp accept
+EOF
+$NFT -f - >/dev/null <<EOF
+add rule ip t4 c index 0 drop
+EOF
+$NFT -f - >/dev/null <<EOF
+add rule ip t4 c meta l4proto igmp accept
+add rule ip t4 c index 2 drop
+EOF
diff --git a/tests/shell/testcases/cache/0004_cache_update_0 b/tests/shell/testcases/cache/0004_cache_update_0
new file mode 100755
index 0000000..697d9de
--- /dev/null
+++ b/tests/shell/testcases/cache/0004_cache_update_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+# Trigger a crash or rule restore error with nft 0.9.1
+$NFT -f - >/dev/null <<EOF
+flush ruleset
+table inet testfilter {
+}
+table inet testfilter {
+      chain test {
+        counter
+    }
+}
+EOF
diff --git a/tests/shell/testcases/cache/0005_cache_chain_flush b/tests/shell/testcases/cache/0005_cache_chain_flush
new file mode 100755
index 0000000..7dfe5c1
--- /dev/null
+++ b/tests/shell/testcases/cache/0005_cache_chain_flush
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table ip x
+add chain x y
+add chain x z
+add map ip x mapping { type ipv4_addr : inet_service; flags dynamic,timeout; }
+add rule x y counter
+add rule x z counter"
+
+$NFT -f - <<< "$RULESET" 2>&1
+
+RULESET="flush chain x y; add rule x y update @mapping { ip saddr : tcp sport }; flush chain x z"
+
+$NFT "$RULESET" 2>&1
diff --git a/tests/shell/testcases/cache/0006_cache_table_flush b/tests/shell/testcases/cache/0006_cache_table_flush
new file mode 100755
index 0000000..fa4da97
--- /dev/null
+++ b/tests/shell/testcases/cache/0006_cache_table_flush
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table ip x
+add chain x y
+add chain x z
+add map ip x mapping { type ipv4_addr : inet_service; flags dynamic,timeout; }
+add rule x y counter
+add rule x z counter"
+
+$NFT -f - <<< "$RULESET" 2>&1
+
+RULESET="flush table x; add rule x y update @mapping { ip saddr : tcp sport }; flush chain x z"
+
+$NFT "$RULESET" 2>&1
diff --git a/tests/shell/testcases/cache/0007_echo_cache_init_0 b/tests/shell/testcases/cache/0007_echo_cache_init_0
new file mode 100755
index 0000000..280a0d0
--- /dev/null
+++ b/tests/shell/testcases/cache/0007_echo_cache_init_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+$NFT -i >/dev/null <<EOF
+add table inet t
+add chain inet t c
+add rule inet t c accept comment "first"
+add rule inet t c accept comment "third"
+EOF
+
+# make sure the rule cache gets initialized when using echo option
+#
+$NFT --echo add rule inet t c index 0 accept comment '"second"' >/dev/null
diff --git a/tests/shell/testcases/cache/0008_delete_by_handle_0 b/tests/shell/testcases/cache/0008_delete_by_handle_0
new file mode 100755
index 0000000..0db4c69
--- /dev/null
+++ b/tests/shell/testcases/cache/0008_delete_by_handle_0
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+HANDLE=`$NFT -a list ruleset | grep "table.*handle" | cut -d' ' -f7`
+$NFT delete table handle $HANDLE
+
+$NFT add table t
+
+$NFT add chain t c
+HANDLE=`$NFT -a list ruleset | grep "chain.*handle" | cut -d' ' -f6`
+$NFT delete chain t handle $HANDLE
+
+$NFT add set t s { type ipv4_addr\; }
+HANDLE=`$NFT -a list ruleset | grep "set.*handle" | cut -d' ' -f6`
+$NFT delete set t handle $HANDLE
+
+$NFT add flowtable t f { hook ingress priority 0\; devices = { lo } \; }
+HANDLE=`$NFT -a list ruleset | grep "flowtable.*handle" | cut -d' ' -f6`
+$NFT delete flowtable t handle $HANDLE
+
+$NFT add counter t x
+HANDLE=`$NFT -a list ruleset | grep "counter.*handle" | cut -d' ' -f6`
+$NFT delete counter t handle $HANDLE
diff --git a/tests/shell/testcases/cache/0009_delete_by_handle_incorrect_0 b/tests/shell/testcases/cache/0009_delete_by_handle_incorrect_0
new file mode 100755
index 0000000..f0bb02a
--- /dev/null
+++ b/tests/shell/testcases/cache/0009_delete_by_handle_incorrect_0
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+$NFT delete table handle 4000 && exit 1
+$NFT delete chain t handle 4000 && exit 1
+$NFT delete set t handle 4000 && exit 1
+$NFT delete flowtable t handle 4000 && exit 1
+$NFT delete counter t handle 4000 && exit 1
+exit 0
diff --git a/tests/shell/testcases/cache/0010_implicit_chain_0 b/tests/shell/testcases/cache/0010_implicit_chain_0
new file mode 100755
index 0000000..834dc6e
--- /dev/null
+++ b/tests/shell/testcases/cache/0010_implicit_chain_0
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_chain_binding)
+
+set -e
+
+EXPECTED="table ip f {
+	chain c {
+		jump {
+			accept
+		}
+	}
+}"
+
+$NFT 'table ip f { chain c { jump { accept; }; }; }'
+GET="$($NFT list chain ip f c)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/cache/0011_index_0 b/tests/shell/testcases/cache/0011_index_0
new file mode 100755
index 0000000..c9eb868
--- /dev/null
+++ b/tests/shell/testcases/cache/0011_index_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+
+RULESET="flush ruleset
+add table inet t
+add chain inet t c { type filter hook input priority 0 ; }
+add rule inet t c tcp dport 1234 accept
+add rule inet t c accept
+insert rule inet t c index 1 udp dport 4321 accept"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/cache/dumps/0001_cache_handling_0.nft b/tests/shell/testcases/cache/dumps/0001_cache_handling_0.nft
new file mode 100644
index 0000000..2099865
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0001_cache_handling_0.nft
@@ -0,0 +1,12 @@
+table inet test {
+	set test {
+		type ipv4_addr
+		elements = { 1.1.1.1, 3.3.3.3 }
+	}
+
+	chain test {
+		ip daddr { 2.2.2.2, 4.4.4.4 } counter packets 0 bytes 0 accept
+		ip saddr @test counter packets 0 bytes 0 accept
+		ip daddr { 2.2.2.2, 4.4.4.4 } counter packets 0 bytes 0 accept
+	}
+}
diff --git a/tests/shell/testcases/cache/dumps/0002_interval_0.nft b/tests/shell/testcases/cache/dumps/0002_interval_0.nft
new file mode 100644
index 0000000..6a08132
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0002_interval_0.nft
@@ -0,0 +1,7 @@
+table inet t {
+	set s {
+		type ipv4_addr
+		flags interval
+		elements = { 192.168.0.0/24 }
+	}
+}
diff --git a/tests/shell/testcases/cache/dumps/0003_cache_update_0.nft b/tests/shell/testcases/cache/dumps/0003_cache_update_0.nft
new file mode 100644
index 0000000..43898d3
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0003_cache_update_0.nft
@@ -0,0 +1,18 @@
+table ip t {
+	chain c {
+	}
+}
+table ip t2 {
+	chain c {
+	}
+}
+table ip t3 {
+}
+table ip t4 {
+	chain c {
+		meta l4proto icmp accept
+		drop
+		meta l4proto igmp accept
+		drop
+	}
+}
diff --git a/tests/shell/testcases/cache/dumps/0004_cache_update_0.nft b/tests/shell/testcases/cache/dumps/0004_cache_update_0.nft
new file mode 100644
index 0000000..4f5761b
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0004_cache_update_0.nft
@@ -0,0 +1,5 @@
+table inet testfilter {
+	chain test {
+		counter packets 0 bytes 0
+	}
+}
diff --git a/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.nft b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.nft
new file mode 100644
index 0000000..8ab55a2
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0005_cache_chain_flush.nft
@@ -0,0 +1,14 @@
+table ip x {
+	map mapping {
+		type ipv4_addr : inet_service
+		size 65535
+		flags dynamic,timeout
+	}
+
+	chain y {
+		update @mapping { ip saddr : tcp sport }
+	}
+
+	chain z {
+	}
+}
diff --git a/tests/shell/testcases/cache/dumps/0006_cache_table_flush.nft b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.nft
new file mode 100644
index 0000000..8ab55a2
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0006_cache_table_flush.nft
@@ -0,0 +1,14 @@
+table ip x {
+	map mapping {
+		type ipv4_addr : inet_service
+		size 65535
+		flags dynamic,timeout
+	}
+
+	chain y {
+		update @mapping { ip saddr : tcp sport }
+	}
+
+	chain z {
+	}
+}
diff --git a/tests/shell/testcases/cache/dumps/0007_echo_cache_init_0.nft b/tests/shell/testcases/cache/dumps/0007_echo_cache_init_0.nft
new file mode 100644
index 0000000..c774ee7
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0007_echo_cache_init_0.nft
@@ -0,0 +1,7 @@
+table inet t {
+	chain c {
+		accept comment "first"
+		accept comment "second"
+		accept comment "third"
+	}
+}
diff --git a/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.nft b/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.nft
new file mode 100644
index 0000000..985768b
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0008_delete_by_handle_0.nft
@@ -0,0 +1,2 @@
+table ip t {
+}
diff --git a/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.nft b/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0009_delete_by_handle_incorrect_0.nft
diff --git a/tests/shell/testcases/cache/dumps/0010_implicit_chain_0.nft b/tests/shell/testcases/cache/dumps/0010_implicit_chain_0.nft
new file mode 100644
index 0000000..aba92c0
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0010_implicit_chain_0.nft
@@ -0,0 +1,7 @@
+table ip f {
+	chain c {
+		jump {
+			accept
+		}
+	}
+}
diff --git a/tests/shell/testcases/cache/dumps/0011_index_0.nft b/tests/shell/testcases/cache/dumps/0011_index_0.nft
new file mode 100644
index 0000000..7e855eb
--- /dev/null
+++ b/tests/shell/testcases/cache/dumps/0011_index_0.nft
@@ -0,0 +1,8 @@
+table inet t {
+	chain c {
+		type filter hook input priority filter; policy accept;
+		tcp dport 1234 accept
+		udp dport 4321 accept
+		accept
+	}
+}
diff --git a/tests/shell/testcases/chains/0001jumps_0 b/tests/shell/testcases/chains/0001jumps_0
new file mode 100755
index 0000000..b39df38
--- /dev/null
+++ b/tests/shell/testcases/chains/0001jumps_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+MAX_JUMPS=16
+
+$NFT add table t
+
+for i in $(seq 1 $MAX_JUMPS)
+do
+	$NFT add chain t c${i}
+done
+
+for i in $(seq 1 $((MAX_JUMPS - 1)))
+do
+	$NFT add rule t c${i} jump c$((i + 1))
+done
diff --git a/tests/shell/testcases/chains/0002jumps_1 b/tests/shell/testcases/chains/0002jumps_1
new file mode 100755
index 0000000..aa70037
--- /dev/null
+++ b/tests/shell/testcases/chains/0002jumps_1
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+MAX_JUMPS=16
+
+$NFT add table t
+
+$NFT add chain t c1 { type filter hook input priority 0\; }
+
+for i in $(seq 2 $MAX_JUMPS)
+do
+	$NFT add chain t c${i}
+done
+
+for i in $(seq 1 $((MAX_JUMPS - 1)))
+do
+	$NFT add rule t c${i} jump c$((i + 1))
+done
+
+# this last jump should fail: too many links
+$NFT add chain t c$((MAX_JUMPS + 1))
+
+$NFT add rule t c${MAX_JUMPS} jump c$((MAX_JUMPS + 1)) 2>/dev/null || exit 0
+echo "E: max jumps ignored?" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0003jump_loop_1 b/tests/shell/testcases/chains/0003jump_loop_1
new file mode 100755
index 0000000..80e243f
--- /dev/null
+++ b/tests/shell/testcases/chains/0003jump_loop_1
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+
+MAX_JUMPS=16
+
+$NFT add table t
+
+for i in $(seq 1 $MAX_JUMPS)
+do
+	$NFT add chain t c${i}
+done
+
+for i in $(seq 1 $((MAX_JUMPS - 1)))
+do
+	$NFT add rule t c${i} jump c$((i + 1))
+done
+
+# this last jump should fail: loop
+$NFT add rule t c${MAX_JUMPS} jump c1 2>/dev/null || exit 0
+echo "E: loop of jumps ignored?" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0004busy_1 b/tests/shell/testcases/chains/0004busy_1
new file mode 100755
index 0000000..e68d1ba
--- /dev/null
+++ b/tests/shell/testcases/chains/0004busy_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t c1
+$NFT add chain t c2
+$NFT add rule t c1 jump c2
+
+# kernel should return EBUSY
+$NFT delete chain t c2 2>/dev/null || exit 0
+echo "E: deleted a busy chain?" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0005busy_map_1 b/tests/shell/testcases/chains/0005busy_map_1
new file mode 100755
index 0000000..c800f19
--- /dev/null
+++ b/tests/shell/testcases/chains/0005busy_map_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t c1
+$NFT add chain t c2
+$NFT add rule t c1 tcp dport vmap { 1 : jump c2 }
+
+# kernel should return EBUSY
+$NFT delete chain t c2 2>/dev/null || exit 0
+echo "E: deleted a busy chain?" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0006masquerade_0 b/tests/shell/testcases/chains/0006masquerade_0
new file mode 100755
index 0000000..7934998
--- /dev/null
+++ b/tests/shell/testcases/chains/0006masquerade_0
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t c1 {type nat hook postrouting priority 0 \; }
+$NFT add rule t c1 masquerade
diff --git a/tests/shell/testcases/chains/0007masquerade_1 b/tests/shell/testcases/chains/0007masquerade_1
new file mode 100755
index 0000000..4434c89
--- /dev/null
+++ b/tests/shell/testcases/chains/0007masquerade_1
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t c1 {type filter hook output priority 0 \; }
+
+# wrong hook output, only postrouting is valid
+$NFT add rule t c1 masquerade 2>/dev/null || exit 0
+echo "E: accepted masquerade in output hook" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0008masquerade_jump_1 b/tests/shell/testcases/chains/0008masquerade_jump_1
new file mode 100755
index 0000000..aee1475
--- /dev/null
+++ b/tests/shell/testcases/chains/0008masquerade_jump_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t output {type nat hook output priority 0 \; }
+$NFT add chain t c1
+$NFT add rule t c1 masquerade
+
+# kernel should return EOPNOTSUPP
+$NFT add rule t output jump c1 2>/dev/null || exit 0
+echo "E: accepted masquerade in output hook" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0009masquerade_jump_1 b/tests/shell/testcases/chains/0009masquerade_jump_1
new file mode 100755
index 0000000..2b931ee
--- /dev/null
+++ b/tests/shell/testcases/chains/0009masquerade_jump_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t output {type nat hook output priority 0 \; }
+$NFT add chain t c1
+$NFT add rule t c1 masquerade
+
+# kernel should return EOPNOTSUPP
+$NFT add rule t output tcp dport vmap {1 :jump c1 } 2>/dev/null || exit 0
+echo "E: accepted masquerade in output hook in a vmap" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0010endless_jump_loop_1 b/tests/shell/testcases/chains/0010endless_jump_loop_1
new file mode 100755
index 0000000..5d3ef23
--- /dev/null
+++ b/tests/shell/testcases/chains/0010endless_jump_loop_1
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t c
+
+# kernel should return ELOOP
+$NFT add rule t c tcp dport vmap {1 : jump c} 2>/dev/null || exit 0
+echo "E: accepted endless jump loop in a vmap" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0011endless_jump_loop_1 b/tests/shell/testcases/chains/0011endless_jump_loop_1
new file mode 100755
index 0000000..d75932d
--- /dev/null
+++ b/tests/shell/testcases/chains/0011endless_jump_loop_1
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t c1
+$NFT add chain t c2
+$NFT add map t m {type inet_service : verdict \;}
+$NFT add element t m {2 : jump c2}
+$NFT add rule t c1 tcp dport vmap @m
+
+# kernel should return ELOOP
+$NFT add element t m {1 : jump c1} 2>/dev/null || exit 0
+echo "E: accepted endless jump loop in a vmap" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0013rename_0 b/tests/shell/testcases/chains/0013rename_0
new file mode 100755
index 0000000..b9fe11a
--- /dev/null
+++ b/tests/shell/testcases/chains/0013rename_0
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t c1
+# kernel should not return EEXIST
+$NFT rename chain t c1 c2
diff --git a/tests/shell/testcases/chains/0014rename_0 b/tests/shell/testcases/chains/0014rename_0
new file mode 100755
index 0000000..bd84e95
--- /dev/null
+++ b/tests/shell/testcases/chains/0014rename_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+$NFT add table t || exit 1
+$NFT add chain t c1 || exit 1
+$NFT add chain t c2 || exit 1
+# kernel should return EEXIST
+$NFT rename chain t c1 c2
+
+if [ $? -eq 0 ] ; then
+	echo "E: Renamed with existing chain" >&2
+	exit 1
+fi
+
+# same, should return EEXIST
+$NFT 'rename chain t c1 c3;rename chain t c2 c3'
+if [ $? -eq 0 ] ; then
+	echo "E: Renamed two chains to same name" >&2
+	exit 1
+fi
diff --git a/tests/shell/testcases/chains/0015check_jump_loop_1 b/tests/shell/testcases/chains/0015check_jump_loop_1
new file mode 100755
index 0000000..a59bb3b
--- /dev/null
+++ b/tests/shell/testcases/chains/0015check_jump_loop_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t c1
+$NFT add chain t c2
+$NFT add t c1 jump c2
+# kernel should return ENOENT
+
+$NFT add t c2 ip daddr vmap { 1 : jump c3 } || exit 0
+echo "E: Jumped to non existing chain" >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0016delete_handle_0 b/tests/shell/testcases/chains/0016delete_handle_0
new file mode 100755
index 0000000..8fd1ad8
--- /dev/null
+++ b/tests/shell/testcases/chains/0016delete_handle_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+$NFT add table test-ip
+$NFT add chain test-ip x
+$NFT add chain test-ip y
+$NFT add chain test-ip z
+$NFT add table ip6 test-ip6
+$NFT add chain ip6 test-ip6 x
+$NFT add chain ip6 test-ip6 y
+$NFT add chain ip6 test-ip6 z
+
+chain_y_handle=$($NFT -a list ruleset | awk -v n=1 '/chain y/ && !--n {print $NF; exit}');
+chain_z_handle=$($NFT -a list ruleset | awk -v n=2 '/chain z/ && !--n {print $NF; exit}');
+
+$NFT delete chain test-ip handle $chain_y_handle
+$NFT delete chain ip6 test-ip6 handle $chain_z_handle
diff --git a/tests/shell/testcases/chains/0017masquerade_jump_1 b/tests/shell/testcases/chains/0017masquerade_jump_1
new file mode 100755
index 0000000..209e6d4
--- /dev/null
+++ b/tests/shell/testcases/chains/0017masquerade_jump_1
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t input {type filter hook input priority 4 \; }
+$NFT add chain t c1
+$NFT add rule t input jump c1
+
+# kernel should return EOPNOTSUPP
+$NFT add rule t c1 masquerade 2>/dev/null >&2 || exit 0
+
+echo "E: Accepted masquerade rule in non-nat type base chain" 1>&2
+exit 1
diff --git a/tests/shell/testcases/chains/0018check_jump_loop_1 b/tests/shell/testcases/chains/0018check_jump_loop_1
new file mode 100755
index 0000000..b87520f
--- /dev/null
+++ b/tests/shell/testcases/chains/0018check_jump_loop_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table ip filter
+$NFT add chain ip filter ap1
+$NFT add chain ip filter ap2
+$NFT add rule ip filter ap1 jump ap2
+
+# kernel should return EOPNOTSUPP
+$NFT add rule ip filter ap1 jump ap1 2>/dev/null >&2 || exit 0
+echo "E: Accepted jump-to-self"
+exit 1
diff --git a/tests/shell/testcases/chains/0019masquerade_jump_1 b/tests/shell/testcases/chains/0019masquerade_jump_1
new file mode 100755
index 0000000..0ff1ac3
--- /dev/null
+++ b/tests/shell/testcases/chains/0019masquerade_jump_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table t
+$NFT add chain t input {type filter hook input priority 4 \; }
+$NFT add chain t c1
+$NFT add rule t input ip saddr vmap { 1.1.1.1 : jump c1 }
+
+# kernel should return EOPNOTSUPP
+$NFT add rule t c1 masquerade 2>/dev/null >&2 || exit 0
+echo "E: accepted masquerade in chain from non-nat type basechain" 1>&2
+exit 1
diff --git a/tests/shell/testcases/chains/0020depth_1 b/tests/shell/testcases/chains/0020depth_1
new file mode 100755
index 0000000..23e1f82
--- /dev/null
+++ b/tests/shell/testcases/chains/0020depth_1
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e
+$NFT add table ip filter
+$NFT add chain ip filter input { type filter hook input priority 0\; }
+
+for ((i=0;i<20;i++)); do
+	$NFT add chain ip filter a$i
+done
+
+$NFT add rule ip filter input jump a1
+
+for ((i=0;i<10;i++)); do
+	$NFT add rule ip filter a$i jump a$((i+1))
+done
+
+for ((i=11;i<19;i++)); do
+	$NFT add rule ip filter a$i jump a$((i+1))
+done
+
+$NFT add rule ip filter a10 jump a11 || exit 0
+echo "E: Expected 20th jump to fail due to jump stack exhaustion" 1>&2
+exit 1
diff --git a/tests/shell/testcases/chains/0021prio_0 b/tests/shell/testcases/chains/0021prio_0
new file mode 100755
index 0000000..ceda155
--- /dev/null
+++ b/tests/shell/testcases/chains/0021prio_0
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+set -e
+
+format_offset () {
+	local i=$1
+	if ((i == 0))
+	then
+		echo ""
+	elif ((i > 0))
+	then
+		echo "+$i"
+	else
+		echo "$i"
+	fi
+}
+
+chainname () {
+	local hook=$1
+	local prioname=$2
+	local priooffset=$3
+
+	echo "${hook}${prioname}${priooffset}" | tr "\-+" "mp"
+}
+
+gen_chains () {
+	local family=$1
+	local hook=$2
+	local prioname=$3
+	local device=${4:+device $4}
+
+	for i in -11 -10 0 10 11
+	do
+		local offset=`format_offset $i`
+		local cmd="add chain $family x"
+		cmd+=" `chainname $hook $prioname $offset` {"
+		cmd+=" type filter hook $hook $device"
+		cmd+=" priority $prioname $offset; }"
+		echo "$cmd"
+	done
+}
+
+tmpfile=$(mktemp)
+trap "rm $tmpfile" EXIT
+
+(
+
+for family in ip ip6 inet
+do
+	echo "add table $family x"
+	for hook in prerouting input forward output postrouting
+	do
+		for prioname in raw mangle filter security
+		do
+			gen_chains $family $hook $prioname
+		done
+	done
+	gen_chains $family prerouting dstnat
+	gen_chains $family postrouting srcnat
+done
+
+family=arp
+echo "add table $family x"
+for hook in input output
+do
+	gen_chains $family $hook filter
+done
+
+family=netdev
+echo "add table $family x"
+gen_chains $family ingress filter lo
+[ "$NFT_TEST_HAVE_netdev_egress" != n ] && gen_chains $family egress filter lo
+
+family=bridge
+echo "add table $family x"
+for hook in prerouting input forward output postrouting
+do
+	gen_chains $family $hook filter
+done
+gen_chains $family prerouting dstnat
+gen_chains $family output out
+gen_chains $family postrouting srcnat
+
+) >$tmpfile
+$NFT -f $tmpfile
+
+if [ "$NFT_TEST_HAVE_netdev_egress" = n ]; then
+	echo "Ran a modified version of the test due to NFT_TEST_HAVE_netdev_egress=n"
+	exit 77
+fi
diff --git a/tests/shell/testcases/chains/0022prio_dummy_1 b/tests/shell/testcases/chains/0022prio_dummy_1
new file mode 100755
index 0000000..66c4407
--- /dev/null
+++ b/tests/shell/testcases/chains/0022prio_dummy_1
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table ip x
+
+$NFT add chain ip x y "{ type filter hook input priority dummy+1; }" &> /dev/null || exit 0
+echo "E: dummy should not be a valid priority." >&2
+exit 1
diff --git a/tests/shell/testcases/chains/0023prio_inet_srcnat_1 b/tests/shell/testcases/chains/0023prio_inet_srcnat_1
new file mode 100755
index 0000000..e4a668e
--- /dev/null
+++ b/tests/shell/testcases/chains/0023prio_inet_srcnat_1
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+for family in ip ip6 inet
+do
+	for hook in prerouting forward output
+	do
+		$NFT add table $family x
+		$NFT add chain $family x y "{ type filter hook $hook priority srcnat; }" &> /dev/null
+		if (($? == 0))
+		then
+			echo "E: srcnat should not be a valid priority name in $family $hook chains." >&2
+			exit 1
+		fi
+	done
+done
+exit 0
diff --git a/tests/shell/testcases/chains/0024prio_inet_dstnat_1 b/tests/shell/testcases/chains/0024prio_inet_dstnat_1
new file mode 100755
index 0000000..f1b802a
--- /dev/null
+++ b/tests/shell/testcases/chains/0024prio_inet_dstnat_1
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+for family in ip ip6 inet
+do
+	for hook in input forward postrouting
+	do
+		$NFT add table $family x
+		$NFT add chain $family x y "{ type filter hook $hook priority dstnat; }" &> /dev/null
+		if (($? == 0))
+		then
+			echo "E: dstnat should not be a valid priority name in $family $hook chains." >&2
+			exit 1
+		fi
+	done
+done
+exit 0
diff --git a/tests/shell/testcases/chains/0025prio_arp_1 b/tests/shell/testcases/chains/0025prio_arp_1
new file mode 100755
index 0000000..1a17262
--- /dev/null
+++ b/tests/shell/testcases/chains/0025prio_arp_1
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+family=arp
+	for hook in input output
+	do
+		for prioname in raw mangle dstnat security srcnat
+		do
+			$NFT add table $family x
+			$NFT add chain $family x y "{ type filter hook $hook priority $prioname; }" &> /dev/null
+			if (($? == 0))
+			then
+				echo "E: $prioname should not be a valid priority name for arp family chains." >&2
+				exit 1
+			fi
+		done
+	done
+exit 0
diff --git a/tests/shell/testcases/chains/0026prio_netdev_1 b/tests/shell/testcases/chains/0026prio_netdev_1
new file mode 100755
index 0000000..b6fa3db
--- /dev/null
+++ b/tests/shell/testcases/chains/0026prio_netdev_1
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+family=netdev
+	for hook in ingress egress
+	do
+		for prioname in raw mangle dstnat security srcnat
+		do
+			$NFT add table $family x || exit 1
+			$NFT add chain $family x y "{ type filter hook $hook device lo priority $prioname; }" &> /dev/null
+			if (($? == 0))
+			then
+				echo "E: $prioname should not be a valid priority name for netdev family chains." >&2
+				exit 1
+			fi
+		done
+	done
+exit 0
diff --git a/tests/shell/testcases/chains/0027prio_bridge_dstnat_1 b/tests/shell/testcases/chains/0027prio_bridge_dstnat_1
new file mode 100755
index 0000000..52c73e6
--- /dev/null
+++ b/tests/shell/testcases/chains/0027prio_bridge_dstnat_1
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+family=bridge
+	for hook in input forward output postrouting
+	do
+		prioname=dstnat
+			$NFT add table $family x
+			$NFT add chain $family x y "{ type filter hook $hook priority $prioname; }" &> /dev/null
+			if (($? == 0))
+			then
+				echo "E: $prioname should not be a valid priority name for bridge $hook chains." >&2
+				exit 1
+			fi
+	done
+exit 0
diff --git a/tests/shell/testcases/chains/0028prio_bridge_out_1 b/tests/shell/testcases/chains/0028prio_bridge_out_1
new file mode 100755
index 0000000..63aa296
--- /dev/null
+++ b/tests/shell/testcases/chains/0028prio_bridge_out_1
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+family=bridge
+	for hook in prerouting input forward postrouting
+	do
+		prioname=out
+			$NFT add table $family x
+			$NFT add chain $family x y "{ type filter hook $hook priority $prioname; }" &> /dev/null
+			if (($? == 0))
+			then
+				echo "E: $prioname should not be a valid priority name for bridge $hook chains." >&2
+				exit 1
+			fi
+	done
+exit 0
diff --git a/tests/shell/testcases/chains/0029prio_bridge_srcnat_1 b/tests/shell/testcases/chains/0029prio_bridge_srcnat_1
new file mode 100755
index 0000000..3891711
--- /dev/null
+++ b/tests/shell/testcases/chains/0029prio_bridge_srcnat_1
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+family=bridge
+	for hook in prerouting input forward output
+	do
+		prioname=srcnat
+			$NFT add table $family x
+			$NFT add chain $family x y "{ type filter hook $hook priority $prioname; }" &> /dev/null
+			if (($? == 0))
+			then
+				echo "E: $prioname should not be a valid priority name for bridge $hook chains." >&2
+				exit 1
+			fi
+	done
+exit 0
diff --git a/tests/shell/testcases/chains/0030create_0 b/tests/shell/testcases/chains/0030create_0
new file mode 100755
index 0000000..0b457f9
--- /dev/null
+++ b/tests/shell/testcases/chains/0030create_0
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table ip x
+$NFT create chain ip x y
diff --git a/tests/shell/testcases/chains/0031priority_variable_0 b/tests/shell/testcases/chains/0031priority_variable_0
new file mode 100755
index 0000000..2b143db
--- /dev/null
+++ b/tests/shell/testcases/chains/0031priority_variable_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Tests use of variables in priority specification
+
+set -e
+
+RULESET="
+define pri = filter
+
+table inet global {
+    chain prerouting {
+        type filter hook prerouting priority \$pri
+        policy accept
+    }
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/chains/0032priority_variable_0 b/tests/shell/testcases/chains/0032priority_variable_0
new file mode 100755
index 0000000..8f2e57b
--- /dev/null
+++ b/tests/shell/testcases/chains/0032priority_variable_0
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Tests use of variables in priority specification
+
+set -e
+
+RULESET="
+define pri = 10
+define post = -10
+define for = \"filter - 100\"
+
+table inet global {
+    chain prerouting {
+        type filter hook prerouting priority \$pri
+        policy accept
+    }
+    chain forward {
+        type filter hook prerouting priority \$for
+        policy accept
+    }
+    chain postrouting {
+        type filter hook postrouting priority \$post
+        policy accept
+    }
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/chains/0033priority_variable_1 b/tests/shell/testcases/chains/0033priority_variable_1
new file mode 100755
index 0000000..eddaf5b
--- /dev/null
+++ b/tests/shell/testcases/chains/0033priority_variable_1
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Tests use of variables in priority specification
+
+set -e
+
+RULESET="
+define pri = *
+
+table inet global {
+    chain prerouting {
+        type filter hook prerouting priority \$pri
+        policy accept
+    }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/chains/0034priority_variable_1 b/tests/shell/testcases/chains/0034priority_variable_1
new file mode 100755
index 0000000..592cb56
--- /dev/null
+++ b/tests/shell/testcases/chains/0034priority_variable_1
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Tests use of variables in priority specification
+
+set -e
+
+RULESET="
+define pri = { 127.0.0.1 }
+
+table inet global {
+    chain prerouting {
+        type filter hook prerouting priority \$pri
+        policy accept
+    }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/chains/0035policy_variable_0 b/tests/shell/testcases/chains/0035policy_variable_0
new file mode 100755
index 0000000..b88e968
--- /dev/null
+++ b/tests/shell/testcases/chains/0035policy_variable_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Tests use of variables in chain policy
+
+set -e
+
+RULESET="
+define default_policy = \"accept\"
+
+table inet global {
+    chain prerouting {
+        type filter hook prerouting priority filter
+        policy \$default_policy
+    }
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/chains/0036policy_variable_0 b/tests/shell/testcases/chains/0036policy_variable_0
new file mode 100755
index 0000000..d4d98ed
--- /dev/null
+++ b/tests/shell/testcases/chains/0036policy_variable_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Tests use of variables in chain policy
+
+set -e
+
+RULESET="
+define default_policy = \"drop\"
+
+table inet global {
+    chain prerouting {
+        type filter hook prerouting priority filter
+        policy \$default_policy
+    }
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/chains/0037policy_variable_1 b/tests/shell/testcases/chains/0037policy_variable_1
new file mode 100755
index 0000000..ae35516
--- /dev/null
+++ b/tests/shell/testcases/chains/0037policy_variable_1
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Tests use of variables in chain policy
+
+set -e
+
+RULESET="
+define default_policy = { 127.0.0.1 }
+
+table inet global {
+    chain prerouting {
+        type filter hook prerouting priority filter
+        policy \$default_policy
+    }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/chains/0038policy_variable_1 b/tests/shell/testcases/chains/0038policy_variable_1
new file mode 100755
index 0000000..027eb01
--- /dev/null
+++ b/tests/shell/testcases/chains/0038policy_variable_1
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Tests use of variables in priority specification
+
+set -e
+
+RULESET="
+define default_policy = *
+
+table inet global {
+    chain prerouting {
+        type filter hook prerouting priority filter
+        policy \$default_policy
+    }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/chains/0039negative_priority_0 b/tests/shell/testcases/chains/0039negative_priority_0
new file mode 100755
index 0000000..ba17b8c
--- /dev/null
+++ b/tests/shell/testcases/chains/0039negative_priority_0
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Test parsing of negative priority values
+
+set -e
+
+$NFT add table t
+$NFT add chain t c { type filter hook input priority -30\; }
diff --git a/tests/shell/testcases/chains/0041chain_binding_0 b/tests/shell/testcases/chains/0041chain_binding_0
new file mode 100755
index 0000000..141a4b6
--- /dev/null
+++ b/tests/shell/testcases/chains/0041chain_binding_0
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# no table x, caused segfault in earlier nft releases
+$NFT insert rule inet x y handle 107 'goto { log prefix "MOO! "; }'
+if [ $? -ne 1 ]; then
+	exit 1
+fi
+
+if [ $NFT_TEST_HAVE_chain_binding = "n" ] ; then
+	echo "Test partially skipped due to NFT_TEST_HAVE_chain_binding=n"
+	exit 77
+fi
+
+set -e
+
+EXPECTED="table inet x {
+        chain y {
+                type filter hook input priority 0;
+                meta l4proto { tcp, udp } th dport 53 jump {
+                        ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } counter accept
+                        ip6 saddr ::1/128 counter accept
+                }
+        }
+}"
+
+$NFT -f - <<< $EXPECTED
+$NFT add rule inet x y meta l4proto icmpv6 jump { counter accept\; }
+$NFT add rule inet x y meta l4proto sctp jump { drop\; }
+$NFT delete rule inet x y handle 13
diff --git a/tests/shell/testcases/chains/0042chain_variable_0 b/tests/shell/testcases/chains/0042chain_variable_0
new file mode 100755
index 0000000..1ea44e8
--- /dev/null
+++ b/tests/shell/testcases/chains/0042chain_variable_0
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -e
+
+ip link add name dummy0 type dummy
+
+EXPECTED="define if_main = \"lo\"
+
+table netdev filter1 {
+	chain Main_Ingress1 {
+		type filter hook ingress device \$if_main priority -500; policy accept;
+	}
+}"
+
+$NFT -f - <<< $EXPECTED
+
+EXPECTED="define if_main = \"lo\"
+
+table netdev filter2 {
+	chain Main_Ingress2 {
+		type filter hook ingress devices = { \$if_main, dummy0 } priority -500; policy accept;
+	}
+}"
+
+$NFT -f - <<< $EXPECTED
+
+if [ "$NFT_TEST_HAVE_netdev_egress" = n ] ; then
+	echo "Skip parts of the test due to NFT_TEST_HAVE_netdev_egress=n"
+	exit 77
+fi
+
+EXPECTED="define if_main = { lo, dummy0 }
+define lan_interfaces = { lo }
+
+table netdev filter3 {
+	chain Main_Ingress3 {
+		type filter hook ingress devices = \$if_main priority -500; policy accept;
+	}
+	chain Main_Egress3 {
+		type filter hook egress devices = \$lan_interfaces priority -500; policy accept;
+	}
+}"
+
+$NFT -f - <<< $EXPECTED
+
+
diff --git a/tests/shell/testcases/chains/0043chain_ingress_0 b/tests/shell/testcases/chains/0043chain_ingress_0
new file mode 100755
index 0000000..a6973b9
--- /dev/null
+++ b/tests/shell/testcases/chains/0043chain_ingress_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_ingress)
+
+set -e
+RULESET="table inet filter {
+	chain ingress {
+		type filter hook ingress device \"lo\" priority filter; policy accept;
+	}
+	chain input {
+		type filter hook input priority filter; policy accept;
+	}
+	chain forward {
+		type filter hook forward priority filter; policy accept;
+	}
+}"
+
+$NFT -f - <<< "$RULESET" && exit 0
+exit 1
diff --git a/tests/shell/testcases/chains/0044chain_destroy_0 b/tests/shell/testcases/chains/0044chain_destroy_0
new file mode 100755
index 0000000..5c5a10a
--- /dev/null
+++ b/tests/shell/testcases/chains/0044chain_destroy_0
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)
+
+$NFT add table t
+
+# pass for non-existent chain
+$NFT destroy chain t c
+
+# successfully delete existing chain
+$NFT add chain t c
+$NFT destroy chain t c
diff --git a/tests/shell/testcases/chains/dumps/0001jumps_0.nft b/tests/shell/testcases/chains/dumps/0001jumps_0.nft
new file mode 100644
index 0000000..7054cde
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0001jumps_0.nft
@@ -0,0 +1,64 @@
+table ip t {
+	chain c1 {
+		jump c2
+	}
+
+	chain c2 {
+		jump c3
+	}
+
+	chain c3 {
+		jump c4
+	}
+
+	chain c4 {
+		jump c5
+	}
+
+	chain c5 {
+		jump c6
+	}
+
+	chain c6 {
+		jump c7
+	}
+
+	chain c7 {
+		jump c8
+	}
+
+	chain c8 {
+		jump c9
+	}
+
+	chain c9 {
+		jump c10
+	}
+
+	chain c10 {
+		jump c11
+	}
+
+	chain c11 {
+		jump c12
+	}
+
+	chain c12 {
+		jump c13
+	}
+
+	chain c13 {
+		jump c14
+	}
+
+	chain c14 {
+		jump c15
+	}
+
+	chain c15 {
+		jump c16
+	}
+
+	chain c16 {
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0002jumps_1.nft b/tests/shell/testcases/chains/dumps/0002jumps_1.nft
new file mode 100644
index 0000000..ed37ad0
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0002jumps_1.nft
@@ -0,0 +1,68 @@
+table ip t {
+	chain c1 {
+		type filter hook input priority filter; policy accept;
+		jump c2
+	}
+
+	chain c2 {
+		jump c3
+	}
+
+	chain c3 {
+		jump c4
+	}
+
+	chain c4 {
+		jump c5
+	}
+
+	chain c5 {
+		jump c6
+	}
+
+	chain c6 {
+		jump c7
+	}
+
+	chain c7 {
+		jump c8
+	}
+
+	chain c8 {
+		jump c9
+	}
+
+	chain c9 {
+		jump c10
+	}
+
+	chain c10 {
+		jump c11
+	}
+
+	chain c11 {
+		jump c12
+	}
+
+	chain c12 {
+		jump c13
+	}
+
+	chain c13 {
+		jump c14
+	}
+
+	chain c14 {
+		jump c15
+	}
+
+	chain c15 {
+		jump c16
+	}
+
+	chain c16 {
+	}
+
+	chain c17 {
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft
new file mode 100644
index 0000000..7054cde
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft
@@ -0,0 +1,64 @@
+table ip t {
+	chain c1 {
+		jump c2
+	}
+
+	chain c2 {
+		jump c3
+	}
+
+	chain c3 {
+		jump c4
+	}
+
+	chain c4 {
+		jump c5
+	}
+
+	chain c5 {
+		jump c6
+	}
+
+	chain c6 {
+		jump c7
+	}
+
+	chain c7 {
+		jump c8
+	}
+
+	chain c8 {
+		jump c9
+	}
+
+	chain c9 {
+		jump c10
+	}
+
+	chain c10 {
+		jump c11
+	}
+
+	chain c11 {
+		jump c12
+	}
+
+	chain c12 {
+		jump c13
+	}
+
+	chain c13 {
+		jump c14
+	}
+
+	chain c14 {
+		jump c15
+	}
+
+	chain c15 {
+		jump c16
+	}
+
+	chain c16 {
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0004busy_1.nft b/tests/shell/testcases/chains/dumps/0004busy_1.nft
new file mode 100644
index 0000000..429dd49
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0004busy_1.nft
@@ -0,0 +1,8 @@
+table ip t {
+	chain c1 {
+		jump c2
+	}
+
+	chain c2 {
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0005busy_map_1.nft b/tests/shell/testcases/chains/dumps/0005busy_map_1.nft
new file mode 100644
index 0000000..acf2318
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0005busy_map_1.nft
@@ -0,0 +1,8 @@
+table ip t {
+	chain c1 {
+		tcp dport vmap { 1 : jump c2 }
+	}
+
+	chain c2 {
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0006masquerade_0.nft b/tests/shell/testcases/chains/dumps/0006masquerade_0.nft
new file mode 100644
index 0000000..90253a4
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0006masquerade_0.nft
@@ -0,0 +1,6 @@
+table ip t {
+	chain c1 {
+		type nat hook postrouting priority filter; policy accept;
+		masquerade
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0007masquerade_1.nft b/tests/shell/testcases/chains/dumps/0007masquerade_1.nft
new file mode 100644
index 0000000..b25355f
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0007masquerade_1.nft
@@ -0,0 +1,5 @@
+table ip t {
+	chain c1 {
+		type filter hook output priority filter; policy accept;
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0008masquerade_jump_1.nft b/tests/shell/testcases/chains/dumps/0008masquerade_jump_1.nft
new file mode 100644
index 0000000..4991071
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0008masquerade_jump_1.nft
@@ -0,0 +1,9 @@
+table ip t {
+	chain output {
+		type nat hook output priority filter; policy accept;
+	}
+
+	chain c1 {
+		masquerade
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0009masquerade_jump_1.nft b/tests/shell/testcases/chains/dumps/0009masquerade_jump_1.nft
new file mode 100644
index 0000000..4991071
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0009masquerade_jump_1.nft
@@ -0,0 +1,9 @@
+table ip t {
+	chain output {
+		type nat hook output priority filter; policy accept;
+	}
+
+	chain c1 {
+		masquerade
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft
new file mode 100644
index 0000000..1e0d1d6
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft
@@ -0,0 +1,4 @@
+table ip t {
+	chain c {
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft
new file mode 100644
index 0000000..ca0a737
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft
@@ -0,0 +1,13 @@
+table ip t {
+	map m {
+		type inet_service : verdict
+		elements = { 2 : jump c2 }
+	}
+
+	chain c1 {
+		tcp dport vmap @m
+	}
+
+	chain c2 {
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0013rename_0.nft b/tests/shell/testcases/chains/dumps/0013rename_0.nft
new file mode 100644
index 0000000..e4e0171
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0013rename_0.nft
@@ -0,0 +1,4 @@
+table ip t {
+	chain c2 {
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0014rename_0.nft b/tests/shell/testcases/chains/dumps/0014rename_0.nft
new file mode 100644
index 0000000..574c486
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0014rename_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+	chain c1 {
+	}
+
+	chain c2 {
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0015check_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0015check_jump_loop_1.nft
new file mode 100644
index 0000000..429dd49
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0015check_jump_loop_1.nft
@@ -0,0 +1,8 @@
+table ip t {
+	chain c1 {
+		jump c2
+	}
+
+	chain c2 {
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0016delete_handle_0.nft b/tests/shell/testcases/chains/dumps/0016delete_handle_0.nft
new file mode 100644
index 0000000..c0adb1f
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0016delete_handle_0.nft
@@ -0,0 +1,14 @@
+table ip test-ip {
+	chain x {
+	}
+
+	chain z {
+	}
+}
+table ip6 test-ip6 {
+	chain x {
+	}
+
+	chain y {
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0017masquerade_jump_1.nft b/tests/shell/testcases/chains/dumps/0017masquerade_jump_1.nft
new file mode 100644
index 0000000..636e844
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0017masquerade_jump_1.nft
@@ -0,0 +1,9 @@
+table ip t {
+	chain input {
+		type filter hook input priority filter + 4; policy accept;
+		jump c1
+	}
+
+	chain c1 {
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft
new file mode 100644
index 0000000..437900b
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft
@@ -0,0 +1,8 @@
+table ip filter {
+	chain ap1 {
+		jump ap2
+	}
+
+	chain ap2 {
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0019masquerade_jump_1.nft b/tests/shell/testcases/chains/dumps/0019masquerade_jump_1.nft
new file mode 100644
index 0000000..81cf9cc
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0019masquerade_jump_1.nft
@@ -0,0 +1,9 @@
+table ip t {
+	chain input {
+		type filter hook input priority filter + 4; policy accept;
+		ip saddr vmap { 1.1.1.1 : jump c1 }
+	}
+
+	chain c1 {
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0020depth_1.nft b/tests/shell/testcases/chains/dumps/0020depth_1.nft
new file mode 100644
index 0000000..422c395
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0020depth_1.nft
@@ -0,0 +1,84 @@
+table ip filter {
+	chain input {
+		type filter hook input priority filter; policy accept;
+		jump a1
+	}
+
+	chain a0 {
+		jump a1
+	}
+
+	chain a1 {
+		jump a2
+	}
+
+	chain a2 {
+		jump a3
+	}
+
+	chain a3 {
+		jump a4
+	}
+
+	chain a4 {
+		jump a5
+	}
+
+	chain a5 {
+		jump a6
+	}
+
+	chain a6 {
+		jump a7
+	}
+
+	chain a7 {
+		jump a8
+	}
+
+	chain a8 {
+		jump a9
+	}
+
+	chain a9 {
+		jump a10
+	}
+
+	chain a10 {
+	}
+
+	chain a11 {
+		jump a12
+	}
+
+	chain a12 {
+		jump a13
+	}
+
+	chain a13 {
+		jump a14
+	}
+
+	chain a14 {
+		jump a15
+	}
+
+	chain a15 {
+		jump a16
+	}
+
+	chain a16 {
+		jump a17
+	}
+
+	chain a17 {
+		jump a18
+	}
+
+	chain a18 {
+		jump a19
+	}
+
+	chain a19 {
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0021prio_0.nft b/tests/shell/testcases/chains/dumps/0021prio_0.nft
new file mode 100644
index 0000000..4297d24
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0021prio_0.nft
@@ -0,0 +1,1566 @@
+table ip x {
+	chain preroutingrawm11 {
+		type filter hook prerouting priority -311; policy accept;
+	}
+
+	chain preroutingrawm10 {
+		type filter hook prerouting priority raw - 10; policy accept;
+	}
+
+	chain preroutingraw {
+		type filter hook prerouting priority raw; policy accept;
+	}
+
+	chain preroutingrawp10 {
+		type filter hook prerouting priority raw + 10; policy accept;
+	}
+
+	chain preroutingrawp11 {
+		type filter hook prerouting priority -289; policy accept;
+	}
+
+	chain preroutingmanglem11 {
+		type filter hook prerouting priority -161; policy accept;
+	}
+
+	chain preroutingmanglem10 {
+		type filter hook prerouting priority mangle - 10; policy accept;
+	}
+
+	chain preroutingmangle {
+		type filter hook prerouting priority mangle; policy accept;
+	}
+
+	chain preroutingmanglep10 {
+		type filter hook prerouting priority mangle + 10; policy accept;
+	}
+
+	chain preroutingmanglep11 {
+		type filter hook prerouting priority -139; policy accept;
+	}
+
+	chain preroutingfilterm11 {
+		type filter hook prerouting priority -11; policy accept;
+	}
+
+	chain preroutingfilterm10 {
+		type filter hook prerouting priority filter - 10; policy accept;
+	}
+
+	chain preroutingfilter {
+		type filter hook prerouting priority filter; policy accept;
+	}
+
+	chain preroutingfilterp10 {
+		type filter hook prerouting priority filter + 10; policy accept;
+	}
+
+	chain preroutingfilterp11 {
+		type filter hook prerouting priority 11; policy accept;
+	}
+
+	chain preroutingsecuritym11 {
+		type filter hook prerouting priority 39; policy accept;
+	}
+
+	chain preroutingsecuritym10 {
+		type filter hook prerouting priority security - 10; policy accept;
+	}
+
+	chain preroutingsecurity {
+		type filter hook prerouting priority security; policy accept;
+	}
+
+	chain preroutingsecurityp10 {
+		type filter hook prerouting priority security + 10; policy accept;
+	}
+
+	chain preroutingsecurityp11 {
+		type filter hook prerouting priority 61; policy accept;
+	}
+
+	chain inputrawm11 {
+		type filter hook input priority -311; policy accept;
+	}
+
+	chain inputrawm10 {
+		type filter hook input priority raw - 10; policy accept;
+	}
+
+	chain inputraw {
+		type filter hook input priority raw; policy accept;
+	}
+
+	chain inputrawp10 {
+		type filter hook input priority raw + 10; policy accept;
+	}
+
+	chain inputrawp11 {
+		type filter hook input priority -289; policy accept;
+	}
+
+	chain inputmanglem11 {
+		type filter hook input priority -161; policy accept;
+	}
+
+	chain inputmanglem10 {
+		type filter hook input priority mangle - 10; policy accept;
+	}
+
+	chain inputmangle {
+		type filter hook input priority mangle; policy accept;
+	}
+
+	chain inputmanglep10 {
+		type filter hook input priority mangle + 10; policy accept;
+	}
+
+	chain inputmanglep11 {
+		type filter hook input priority -139; policy accept;
+	}
+
+	chain inputfilterm11 {
+		type filter hook input priority -11; policy accept;
+	}
+
+	chain inputfilterm10 {
+		type filter hook input priority filter - 10; policy accept;
+	}
+
+	chain inputfilter {
+		type filter hook input priority filter; policy accept;
+	}
+
+	chain inputfilterp10 {
+		type filter hook input priority filter + 10; policy accept;
+	}
+
+	chain inputfilterp11 {
+		type filter hook input priority 11; policy accept;
+	}
+
+	chain inputsecuritym11 {
+		type filter hook input priority 39; policy accept;
+	}
+
+	chain inputsecuritym10 {
+		type filter hook input priority security - 10; policy accept;
+	}
+
+	chain inputsecurity {
+		type filter hook input priority security; policy accept;
+	}
+
+	chain inputsecurityp10 {
+		type filter hook input priority security + 10; policy accept;
+	}
+
+	chain inputsecurityp11 {
+		type filter hook input priority 61; policy accept;
+	}
+
+	chain forwardrawm11 {
+		type filter hook forward priority -311; policy accept;
+	}
+
+	chain forwardrawm10 {
+		type filter hook forward priority raw - 10; policy accept;
+	}
+
+	chain forwardraw {
+		type filter hook forward priority raw; policy accept;
+	}
+
+	chain forwardrawp10 {
+		type filter hook forward priority raw + 10; policy accept;
+	}
+
+	chain forwardrawp11 {
+		type filter hook forward priority -289; policy accept;
+	}
+
+	chain forwardmanglem11 {
+		type filter hook forward priority -161; policy accept;
+	}
+
+	chain forwardmanglem10 {
+		type filter hook forward priority mangle - 10; policy accept;
+	}
+
+	chain forwardmangle {
+		type filter hook forward priority mangle; policy accept;
+	}
+
+	chain forwardmanglep10 {
+		type filter hook forward priority mangle + 10; policy accept;
+	}
+
+	chain forwardmanglep11 {
+		type filter hook forward priority -139; policy accept;
+	}
+
+	chain forwardfilterm11 {
+		type filter hook forward priority -11; policy accept;
+	}
+
+	chain forwardfilterm10 {
+		type filter hook forward priority filter - 10; policy accept;
+	}
+
+	chain forwardfilter {
+		type filter hook forward priority filter; policy accept;
+	}
+
+	chain forwardfilterp10 {
+		type filter hook forward priority filter + 10; policy accept;
+	}
+
+	chain forwardfilterp11 {
+		type filter hook forward priority 11; policy accept;
+	}
+
+	chain forwardsecuritym11 {
+		type filter hook forward priority 39; policy accept;
+	}
+
+	chain forwardsecuritym10 {
+		type filter hook forward priority security - 10; policy accept;
+	}
+
+	chain forwardsecurity {
+		type filter hook forward priority security; policy accept;
+	}
+
+	chain forwardsecurityp10 {
+		type filter hook forward priority security + 10; policy accept;
+	}
+
+	chain forwardsecurityp11 {
+		type filter hook forward priority 61; policy accept;
+	}
+
+	chain outputrawm11 {
+		type filter hook output priority -311; policy accept;
+	}
+
+	chain outputrawm10 {
+		type filter hook output priority raw - 10; policy accept;
+	}
+
+	chain outputraw {
+		type filter hook output priority raw; policy accept;
+	}
+
+	chain outputrawp10 {
+		type filter hook output priority raw + 10; policy accept;
+	}
+
+	chain outputrawp11 {
+		type filter hook output priority -289; policy accept;
+	}
+
+	chain outputmanglem11 {
+		type filter hook output priority -161; policy accept;
+	}
+
+	chain outputmanglem10 {
+		type filter hook output priority mangle - 10; policy accept;
+	}
+
+	chain outputmangle {
+		type filter hook output priority mangle; policy accept;
+	}
+
+	chain outputmanglep10 {
+		type filter hook output priority mangle + 10; policy accept;
+	}
+
+	chain outputmanglep11 {
+		type filter hook output priority -139; policy accept;
+	}
+
+	chain outputfilterm11 {
+		type filter hook output priority -11; policy accept;
+	}
+
+	chain outputfilterm10 {
+		type filter hook output priority filter - 10; policy accept;
+	}
+
+	chain outputfilter {
+		type filter hook output priority filter; policy accept;
+	}
+
+	chain outputfilterp10 {
+		type filter hook output priority filter + 10; policy accept;
+	}
+
+	chain outputfilterp11 {
+		type filter hook output priority 11; policy accept;
+	}
+
+	chain outputsecuritym11 {
+		type filter hook output priority 39; policy accept;
+	}
+
+	chain outputsecuritym10 {
+		type filter hook output priority security - 10; policy accept;
+	}
+
+	chain outputsecurity {
+		type filter hook output priority security; policy accept;
+	}
+
+	chain outputsecurityp10 {
+		type filter hook output priority security + 10; policy accept;
+	}
+
+	chain outputsecurityp11 {
+		type filter hook output priority 61; policy accept;
+	}
+
+	chain postroutingrawm11 {
+		type filter hook postrouting priority -311; policy accept;
+	}
+
+	chain postroutingrawm10 {
+		type filter hook postrouting priority raw - 10; policy accept;
+	}
+
+	chain postroutingraw {
+		type filter hook postrouting priority raw; policy accept;
+	}
+
+	chain postroutingrawp10 {
+		type filter hook postrouting priority raw + 10; policy accept;
+	}
+
+	chain postroutingrawp11 {
+		type filter hook postrouting priority -289; policy accept;
+	}
+
+	chain postroutingmanglem11 {
+		type filter hook postrouting priority -161; policy accept;
+	}
+
+	chain postroutingmanglem10 {
+		type filter hook postrouting priority mangle - 10; policy accept;
+	}
+
+	chain postroutingmangle {
+		type filter hook postrouting priority mangle; policy accept;
+	}
+
+	chain postroutingmanglep10 {
+		type filter hook postrouting priority mangle + 10; policy accept;
+	}
+
+	chain postroutingmanglep11 {
+		type filter hook postrouting priority -139; policy accept;
+	}
+
+	chain postroutingfilterm11 {
+		type filter hook postrouting priority -11; policy accept;
+	}
+
+	chain postroutingfilterm10 {
+		type filter hook postrouting priority filter - 10; policy accept;
+	}
+
+	chain postroutingfilter {
+		type filter hook postrouting priority filter; policy accept;
+	}
+
+	chain postroutingfilterp10 {
+		type filter hook postrouting priority filter + 10; policy accept;
+	}
+
+	chain postroutingfilterp11 {
+		type filter hook postrouting priority 11; policy accept;
+	}
+
+	chain postroutingsecuritym11 {
+		type filter hook postrouting priority 39; policy accept;
+	}
+
+	chain postroutingsecuritym10 {
+		type filter hook postrouting priority security - 10; policy accept;
+	}
+
+	chain postroutingsecurity {
+		type filter hook postrouting priority security; policy accept;
+	}
+
+	chain postroutingsecurityp10 {
+		type filter hook postrouting priority security + 10; policy accept;
+	}
+
+	chain postroutingsecurityp11 {
+		type filter hook postrouting priority 61; policy accept;
+	}
+
+	chain preroutingdstnatm11 {
+		type filter hook prerouting priority -111; policy accept;
+	}
+
+	chain preroutingdstnatm10 {
+		type filter hook prerouting priority dstnat - 10; policy accept;
+	}
+
+	chain preroutingdstnat {
+		type filter hook prerouting priority dstnat; policy accept;
+	}
+
+	chain preroutingdstnatp10 {
+		type filter hook prerouting priority dstnat + 10; policy accept;
+	}
+
+	chain preroutingdstnatp11 {
+		type filter hook prerouting priority -89; policy accept;
+	}
+
+	chain postroutingsrcnatm11 {
+		type filter hook postrouting priority 89; policy accept;
+	}
+
+	chain postroutingsrcnatm10 {
+		type filter hook postrouting priority srcnat - 10; policy accept;
+	}
+
+	chain postroutingsrcnat {
+		type filter hook postrouting priority srcnat; policy accept;
+	}
+
+	chain postroutingsrcnatp10 {
+		type filter hook postrouting priority srcnat + 10; policy accept;
+	}
+
+	chain postroutingsrcnatp11 {
+		type filter hook postrouting priority 111; policy accept;
+	}
+}
+table ip6 x {
+	chain preroutingrawm11 {
+		type filter hook prerouting priority -311; policy accept;
+	}
+
+	chain preroutingrawm10 {
+		type filter hook prerouting priority raw - 10; policy accept;
+	}
+
+	chain preroutingraw {
+		type filter hook prerouting priority raw; policy accept;
+	}
+
+	chain preroutingrawp10 {
+		type filter hook prerouting priority raw + 10; policy accept;
+	}
+
+	chain preroutingrawp11 {
+		type filter hook prerouting priority -289; policy accept;
+	}
+
+	chain preroutingmanglem11 {
+		type filter hook prerouting priority -161; policy accept;
+	}
+
+	chain preroutingmanglem10 {
+		type filter hook prerouting priority mangle - 10; policy accept;
+	}
+
+	chain preroutingmangle {
+		type filter hook prerouting priority mangle; policy accept;
+	}
+
+	chain preroutingmanglep10 {
+		type filter hook prerouting priority mangle + 10; policy accept;
+	}
+
+	chain preroutingmanglep11 {
+		type filter hook prerouting priority -139; policy accept;
+	}
+
+	chain preroutingfilterm11 {
+		type filter hook prerouting priority -11; policy accept;
+	}
+
+	chain preroutingfilterm10 {
+		type filter hook prerouting priority filter - 10; policy accept;
+	}
+
+	chain preroutingfilter {
+		type filter hook prerouting priority filter; policy accept;
+	}
+
+	chain preroutingfilterp10 {
+		type filter hook prerouting priority filter + 10; policy accept;
+	}
+
+	chain preroutingfilterp11 {
+		type filter hook prerouting priority 11; policy accept;
+	}
+
+	chain preroutingsecuritym11 {
+		type filter hook prerouting priority 39; policy accept;
+	}
+
+	chain preroutingsecuritym10 {
+		type filter hook prerouting priority security - 10; policy accept;
+	}
+
+	chain preroutingsecurity {
+		type filter hook prerouting priority security; policy accept;
+	}
+
+	chain preroutingsecurityp10 {
+		type filter hook prerouting priority security + 10; policy accept;
+	}
+
+	chain preroutingsecurityp11 {
+		type filter hook prerouting priority 61; policy accept;
+	}
+
+	chain inputrawm11 {
+		type filter hook input priority -311; policy accept;
+	}
+
+	chain inputrawm10 {
+		type filter hook input priority raw - 10; policy accept;
+	}
+
+	chain inputraw {
+		type filter hook input priority raw; policy accept;
+	}
+
+	chain inputrawp10 {
+		type filter hook input priority raw + 10; policy accept;
+	}
+
+	chain inputrawp11 {
+		type filter hook input priority -289; policy accept;
+	}
+
+	chain inputmanglem11 {
+		type filter hook input priority -161; policy accept;
+	}
+
+	chain inputmanglem10 {
+		type filter hook input priority mangle - 10; policy accept;
+	}
+
+	chain inputmangle {
+		type filter hook input priority mangle; policy accept;
+	}
+
+	chain inputmanglep10 {
+		type filter hook input priority mangle + 10; policy accept;
+	}
+
+	chain inputmanglep11 {
+		type filter hook input priority -139; policy accept;
+	}
+
+	chain inputfilterm11 {
+		type filter hook input priority -11; policy accept;
+	}
+
+	chain inputfilterm10 {
+		type filter hook input priority filter - 10; policy accept;
+	}
+
+	chain inputfilter {
+		type filter hook input priority filter; policy accept;
+	}
+
+	chain inputfilterp10 {
+		type filter hook input priority filter + 10; policy accept;
+	}
+
+	chain inputfilterp11 {
+		type filter hook input priority 11; policy accept;
+	}
+
+	chain inputsecuritym11 {
+		type filter hook input priority 39; policy accept;
+	}
+
+	chain inputsecuritym10 {
+		type filter hook input priority security - 10; policy accept;
+	}
+
+	chain inputsecurity {
+		type filter hook input priority security; policy accept;
+	}
+
+	chain inputsecurityp10 {
+		type filter hook input priority security + 10; policy accept;
+	}
+
+	chain inputsecurityp11 {
+		type filter hook input priority 61; policy accept;
+	}
+
+	chain forwardrawm11 {
+		type filter hook forward priority -311; policy accept;
+	}
+
+	chain forwardrawm10 {
+		type filter hook forward priority raw - 10; policy accept;
+	}
+
+	chain forwardraw {
+		type filter hook forward priority raw; policy accept;
+	}
+
+	chain forwardrawp10 {
+		type filter hook forward priority raw + 10; policy accept;
+	}
+
+	chain forwardrawp11 {
+		type filter hook forward priority -289; policy accept;
+	}
+
+	chain forwardmanglem11 {
+		type filter hook forward priority -161; policy accept;
+	}
+
+	chain forwardmanglem10 {
+		type filter hook forward priority mangle - 10; policy accept;
+	}
+
+	chain forwardmangle {
+		type filter hook forward priority mangle; policy accept;
+	}
+
+	chain forwardmanglep10 {
+		type filter hook forward priority mangle + 10; policy accept;
+	}
+
+	chain forwardmanglep11 {
+		type filter hook forward priority -139; policy accept;
+	}
+
+	chain forwardfilterm11 {
+		type filter hook forward priority -11; policy accept;
+	}
+
+	chain forwardfilterm10 {
+		type filter hook forward priority filter - 10; policy accept;
+	}
+
+	chain forwardfilter {
+		type filter hook forward priority filter; policy accept;
+	}
+
+	chain forwardfilterp10 {
+		type filter hook forward priority filter + 10; policy accept;
+	}
+
+	chain forwardfilterp11 {
+		type filter hook forward priority 11; policy accept;
+	}
+
+	chain forwardsecuritym11 {
+		type filter hook forward priority 39; policy accept;
+	}
+
+	chain forwardsecuritym10 {
+		type filter hook forward priority security - 10; policy accept;
+	}
+
+	chain forwardsecurity {
+		type filter hook forward priority security; policy accept;
+	}
+
+	chain forwardsecurityp10 {
+		type filter hook forward priority security + 10; policy accept;
+	}
+
+	chain forwardsecurityp11 {
+		type filter hook forward priority 61; policy accept;
+	}
+
+	chain outputrawm11 {
+		type filter hook output priority -311; policy accept;
+	}
+
+	chain outputrawm10 {
+		type filter hook output priority raw - 10; policy accept;
+	}
+
+	chain outputraw {
+		type filter hook output priority raw; policy accept;
+	}
+
+	chain outputrawp10 {
+		type filter hook output priority raw + 10; policy accept;
+	}
+
+	chain outputrawp11 {
+		type filter hook output priority -289; policy accept;
+	}
+
+	chain outputmanglem11 {
+		type filter hook output priority -161; policy accept;
+	}
+
+	chain outputmanglem10 {
+		type filter hook output priority mangle - 10; policy accept;
+	}
+
+	chain outputmangle {
+		type filter hook output priority mangle; policy accept;
+	}
+
+	chain outputmanglep10 {
+		type filter hook output priority mangle + 10; policy accept;
+	}
+
+	chain outputmanglep11 {
+		type filter hook output priority -139; policy accept;
+	}
+
+	chain outputfilterm11 {
+		type filter hook output priority -11; policy accept;
+	}
+
+	chain outputfilterm10 {
+		type filter hook output priority filter - 10; policy accept;
+	}
+
+	chain outputfilter {
+		type filter hook output priority filter; policy accept;
+	}
+
+	chain outputfilterp10 {
+		type filter hook output priority filter + 10; policy accept;
+	}
+
+	chain outputfilterp11 {
+		type filter hook output priority 11; policy accept;
+	}
+
+	chain outputsecuritym11 {
+		type filter hook output priority 39; policy accept;
+	}
+
+	chain outputsecuritym10 {
+		type filter hook output priority security - 10; policy accept;
+	}
+
+	chain outputsecurity {
+		type filter hook output priority security; policy accept;
+	}
+
+	chain outputsecurityp10 {
+		type filter hook output priority security + 10; policy accept;
+	}
+
+	chain outputsecurityp11 {
+		type filter hook output priority 61; policy accept;
+	}
+
+	chain postroutingrawm11 {
+		type filter hook postrouting priority -311; policy accept;
+	}
+
+	chain postroutingrawm10 {
+		type filter hook postrouting priority raw - 10; policy accept;
+	}
+
+	chain postroutingraw {
+		type filter hook postrouting priority raw; policy accept;
+	}
+
+	chain postroutingrawp10 {
+		type filter hook postrouting priority raw + 10; policy accept;
+	}
+
+	chain postroutingrawp11 {
+		type filter hook postrouting priority -289; policy accept;
+	}
+
+	chain postroutingmanglem11 {
+		type filter hook postrouting priority -161; policy accept;
+	}
+
+	chain postroutingmanglem10 {
+		type filter hook postrouting priority mangle - 10; policy accept;
+	}
+
+	chain postroutingmangle {
+		type filter hook postrouting priority mangle; policy accept;
+	}
+
+	chain postroutingmanglep10 {
+		type filter hook postrouting priority mangle + 10; policy accept;
+	}
+
+	chain postroutingmanglep11 {
+		type filter hook postrouting priority -139; policy accept;
+	}
+
+	chain postroutingfilterm11 {
+		type filter hook postrouting priority -11; policy accept;
+	}
+
+	chain postroutingfilterm10 {
+		type filter hook postrouting priority filter - 10; policy accept;
+	}
+
+	chain postroutingfilter {
+		type filter hook postrouting priority filter; policy accept;
+	}
+
+	chain postroutingfilterp10 {
+		type filter hook postrouting priority filter + 10; policy accept;
+	}
+
+	chain postroutingfilterp11 {
+		type filter hook postrouting priority 11; policy accept;
+	}
+
+	chain postroutingsecuritym11 {
+		type filter hook postrouting priority 39; policy accept;
+	}
+
+	chain postroutingsecuritym10 {
+		type filter hook postrouting priority security - 10; policy accept;
+	}
+
+	chain postroutingsecurity {
+		type filter hook postrouting priority security; policy accept;
+	}
+
+	chain postroutingsecurityp10 {
+		type filter hook postrouting priority security + 10; policy accept;
+	}
+
+	chain postroutingsecurityp11 {
+		type filter hook postrouting priority 61; policy accept;
+	}
+
+	chain preroutingdstnatm11 {
+		type filter hook prerouting priority -111; policy accept;
+	}
+
+	chain preroutingdstnatm10 {
+		type filter hook prerouting priority dstnat - 10; policy accept;
+	}
+
+	chain preroutingdstnat {
+		type filter hook prerouting priority dstnat; policy accept;
+	}
+
+	chain preroutingdstnatp10 {
+		type filter hook prerouting priority dstnat + 10; policy accept;
+	}
+
+	chain preroutingdstnatp11 {
+		type filter hook prerouting priority -89; policy accept;
+	}
+
+	chain postroutingsrcnatm11 {
+		type filter hook postrouting priority 89; policy accept;
+	}
+
+	chain postroutingsrcnatm10 {
+		type filter hook postrouting priority srcnat - 10; policy accept;
+	}
+
+	chain postroutingsrcnat {
+		type filter hook postrouting priority srcnat; policy accept;
+	}
+
+	chain postroutingsrcnatp10 {
+		type filter hook postrouting priority srcnat + 10; policy accept;
+	}
+
+	chain postroutingsrcnatp11 {
+		type filter hook postrouting priority 111; policy accept;
+	}
+}
+table inet x {
+	chain preroutingrawm11 {
+		type filter hook prerouting priority -311; policy accept;
+	}
+
+	chain preroutingrawm10 {
+		type filter hook prerouting priority raw - 10; policy accept;
+	}
+
+	chain preroutingraw {
+		type filter hook prerouting priority raw; policy accept;
+	}
+
+	chain preroutingrawp10 {
+		type filter hook prerouting priority raw + 10; policy accept;
+	}
+
+	chain preroutingrawp11 {
+		type filter hook prerouting priority -289; policy accept;
+	}
+
+	chain preroutingmanglem11 {
+		type filter hook prerouting priority -161; policy accept;
+	}
+
+	chain preroutingmanglem10 {
+		type filter hook prerouting priority mangle - 10; policy accept;
+	}
+
+	chain preroutingmangle {
+		type filter hook prerouting priority mangle; policy accept;
+	}
+
+	chain preroutingmanglep10 {
+		type filter hook prerouting priority mangle + 10; policy accept;
+	}
+
+	chain preroutingmanglep11 {
+		type filter hook prerouting priority -139; policy accept;
+	}
+
+	chain preroutingfilterm11 {
+		type filter hook prerouting priority -11; policy accept;
+	}
+
+	chain preroutingfilterm10 {
+		type filter hook prerouting priority filter - 10; policy accept;
+	}
+
+	chain preroutingfilter {
+		type filter hook prerouting priority filter; policy accept;
+	}
+
+	chain preroutingfilterp10 {
+		type filter hook prerouting priority filter + 10; policy accept;
+	}
+
+	chain preroutingfilterp11 {
+		type filter hook prerouting priority 11; policy accept;
+	}
+
+	chain preroutingsecuritym11 {
+		type filter hook prerouting priority 39; policy accept;
+	}
+
+	chain preroutingsecuritym10 {
+		type filter hook prerouting priority security - 10; policy accept;
+	}
+
+	chain preroutingsecurity {
+		type filter hook prerouting priority security; policy accept;
+	}
+
+	chain preroutingsecurityp10 {
+		type filter hook prerouting priority security + 10; policy accept;
+	}
+
+	chain preroutingsecurityp11 {
+		type filter hook prerouting priority 61; policy accept;
+	}
+
+	chain inputrawm11 {
+		type filter hook input priority -311; policy accept;
+	}
+
+	chain inputrawm10 {
+		type filter hook input priority raw - 10; policy accept;
+	}
+
+	chain inputraw {
+		type filter hook input priority raw; policy accept;
+	}
+
+	chain inputrawp10 {
+		type filter hook input priority raw + 10; policy accept;
+	}
+
+	chain inputrawp11 {
+		type filter hook input priority -289; policy accept;
+	}
+
+	chain inputmanglem11 {
+		type filter hook input priority -161; policy accept;
+	}
+
+	chain inputmanglem10 {
+		type filter hook input priority mangle - 10; policy accept;
+	}
+
+	chain inputmangle {
+		type filter hook input priority mangle; policy accept;
+	}
+
+	chain inputmanglep10 {
+		type filter hook input priority mangle + 10; policy accept;
+	}
+
+	chain inputmanglep11 {
+		type filter hook input priority -139; policy accept;
+	}
+
+	chain inputfilterm11 {
+		type filter hook input priority -11; policy accept;
+	}
+
+	chain inputfilterm10 {
+		type filter hook input priority filter - 10; policy accept;
+	}
+
+	chain inputfilter {
+		type filter hook input priority filter; policy accept;
+	}
+
+	chain inputfilterp10 {
+		type filter hook input priority filter + 10; policy accept;
+	}
+
+	chain inputfilterp11 {
+		type filter hook input priority 11; policy accept;
+	}
+
+	chain inputsecuritym11 {
+		type filter hook input priority 39; policy accept;
+	}
+
+	chain inputsecuritym10 {
+		type filter hook input priority security - 10; policy accept;
+	}
+
+	chain inputsecurity {
+		type filter hook input priority security; policy accept;
+	}
+
+	chain inputsecurityp10 {
+		type filter hook input priority security + 10; policy accept;
+	}
+
+	chain inputsecurityp11 {
+		type filter hook input priority 61; policy accept;
+	}
+
+	chain forwardrawm11 {
+		type filter hook forward priority -311; policy accept;
+	}
+
+	chain forwardrawm10 {
+		type filter hook forward priority raw - 10; policy accept;
+	}
+
+	chain forwardraw {
+		type filter hook forward priority raw; policy accept;
+	}
+
+	chain forwardrawp10 {
+		type filter hook forward priority raw + 10; policy accept;
+	}
+
+	chain forwardrawp11 {
+		type filter hook forward priority -289; policy accept;
+	}
+
+	chain forwardmanglem11 {
+		type filter hook forward priority -161; policy accept;
+	}
+
+	chain forwardmanglem10 {
+		type filter hook forward priority mangle - 10; policy accept;
+	}
+
+	chain forwardmangle {
+		type filter hook forward priority mangle; policy accept;
+	}
+
+	chain forwardmanglep10 {
+		type filter hook forward priority mangle + 10; policy accept;
+	}
+
+	chain forwardmanglep11 {
+		type filter hook forward priority -139; policy accept;
+	}
+
+	chain forwardfilterm11 {
+		type filter hook forward priority -11; policy accept;
+	}
+
+	chain forwardfilterm10 {
+		type filter hook forward priority filter - 10; policy accept;
+	}
+
+	chain forwardfilter {
+		type filter hook forward priority filter; policy accept;
+	}
+
+	chain forwardfilterp10 {
+		type filter hook forward priority filter + 10; policy accept;
+	}
+
+	chain forwardfilterp11 {
+		type filter hook forward priority 11; policy accept;
+	}
+
+	chain forwardsecuritym11 {
+		type filter hook forward priority 39; policy accept;
+	}
+
+	chain forwardsecuritym10 {
+		type filter hook forward priority security - 10; policy accept;
+	}
+
+	chain forwardsecurity {
+		type filter hook forward priority security; policy accept;
+	}
+
+	chain forwardsecurityp10 {
+		type filter hook forward priority security + 10; policy accept;
+	}
+
+	chain forwardsecurityp11 {
+		type filter hook forward priority 61; policy accept;
+	}
+
+	chain outputrawm11 {
+		type filter hook output priority -311; policy accept;
+	}
+
+	chain outputrawm10 {
+		type filter hook output priority raw - 10; policy accept;
+	}
+
+	chain outputraw {
+		type filter hook output priority raw; policy accept;
+	}
+
+	chain outputrawp10 {
+		type filter hook output priority raw + 10; policy accept;
+	}
+
+	chain outputrawp11 {
+		type filter hook output priority -289; policy accept;
+	}
+
+	chain outputmanglem11 {
+		type filter hook output priority -161; policy accept;
+	}
+
+	chain outputmanglem10 {
+		type filter hook output priority mangle - 10; policy accept;
+	}
+
+	chain outputmangle {
+		type filter hook output priority mangle; policy accept;
+	}
+
+	chain outputmanglep10 {
+		type filter hook output priority mangle + 10; policy accept;
+	}
+
+	chain outputmanglep11 {
+		type filter hook output priority -139; policy accept;
+	}
+
+	chain outputfilterm11 {
+		type filter hook output priority -11; policy accept;
+	}
+
+	chain outputfilterm10 {
+		type filter hook output priority filter - 10; policy accept;
+	}
+
+	chain outputfilter {
+		type filter hook output priority filter; policy accept;
+	}
+
+	chain outputfilterp10 {
+		type filter hook output priority filter + 10; policy accept;
+	}
+
+	chain outputfilterp11 {
+		type filter hook output priority 11; policy accept;
+	}
+
+	chain outputsecuritym11 {
+		type filter hook output priority 39; policy accept;
+	}
+
+	chain outputsecuritym10 {
+		type filter hook output priority security - 10; policy accept;
+	}
+
+	chain outputsecurity {
+		type filter hook output priority security; policy accept;
+	}
+
+	chain outputsecurityp10 {
+		type filter hook output priority security + 10; policy accept;
+	}
+
+	chain outputsecurityp11 {
+		type filter hook output priority 61; policy accept;
+	}
+
+	chain postroutingrawm11 {
+		type filter hook postrouting priority -311; policy accept;
+	}
+
+	chain postroutingrawm10 {
+		type filter hook postrouting priority raw - 10; policy accept;
+	}
+
+	chain postroutingraw {
+		type filter hook postrouting priority raw; policy accept;
+	}
+
+	chain postroutingrawp10 {
+		type filter hook postrouting priority raw + 10; policy accept;
+	}
+
+	chain postroutingrawp11 {
+		type filter hook postrouting priority -289; policy accept;
+	}
+
+	chain postroutingmanglem11 {
+		type filter hook postrouting priority -161; policy accept;
+	}
+
+	chain postroutingmanglem10 {
+		type filter hook postrouting priority mangle - 10; policy accept;
+	}
+
+	chain postroutingmangle {
+		type filter hook postrouting priority mangle; policy accept;
+	}
+
+	chain postroutingmanglep10 {
+		type filter hook postrouting priority mangle + 10; policy accept;
+	}
+
+	chain postroutingmanglep11 {
+		type filter hook postrouting priority -139; policy accept;
+	}
+
+	chain postroutingfilterm11 {
+		type filter hook postrouting priority -11; policy accept;
+	}
+
+	chain postroutingfilterm10 {
+		type filter hook postrouting priority filter - 10; policy accept;
+	}
+
+	chain postroutingfilter {
+		type filter hook postrouting priority filter; policy accept;
+	}
+
+	chain postroutingfilterp10 {
+		type filter hook postrouting priority filter + 10; policy accept;
+	}
+
+	chain postroutingfilterp11 {
+		type filter hook postrouting priority 11; policy accept;
+	}
+
+	chain postroutingsecuritym11 {
+		type filter hook postrouting priority 39; policy accept;
+	}
+
+	chain postroutingsecuritym10 {
+		type filter hook postrouting priority security - 10; policy accept;
+	}
+
+	chain postroutingsecurity {
+		type filter hook postrouting priority security; policy accept;
+	}
+
+	chain postroutingsecurityp10 {
+		type filter hook postrouting priority security + 10; policy accept;
+	}
+
+	chain postroutingsecurityp11 {
+		type filter hook postrouting priority 61; policy accept;
+	}
+
+	chain preroutingdstnatm11 {
+		type filter hook prerouting priority -111; policy accept;
+	}
+
+	chain preroutingdstnatm10 {
+		type filter hook prerouting priority dstnat - 10; policy accept;
+	}
+
+	chain preroutingdstnat {
+		type filter hook prerouting priority dstnat; policy accept;
+	}
+
+	chain preroutingdstnatp10 {
+		type filter hook prerouting priority dstnat + 10; policy accept;
+	}
+
+	chain preroutingdstnatp11 {
+		type filter hook prerouting priority -89; policy accept;
+	}
+
+	chain postroutingsrcnatm11 {
+		type filter hook postrouting priority 89; policy accept;
+	}
+
+	chain postroutingsrcnatm10 {
+		type filter hook postrouting priority srcnat - 10; policy accept;
+	}
+
+	chain postroutingsrcnat {
+		type filter hook postrouting priority srcnat; policy accept;
+	}
+
+	chain postroutingsrcnatp10 {
+		type filter hook postrouting priority srcnat + 10; policy accept;
+	}
+
+	chain postroutingsrcnatp11 {
+		type filter hook postrouting priority 111; policy accept;
+	}
+}
+table arp x {
+	chain inputfilterm11 {
+		type filter hook input priority -11; policy accept;
+	}
+
+	chain inputfilterm10 {
+		type filter hook input priority filter - 10; policy accept;
+	}
+
+	chain inputfilter {
+		type filter hook input priority filter; policy accept;
+	}
+
+	chain inputfilterp10 {
+		type filter hook input priority filter + 10; policy accept;
+	}
+
+	chain inputfilterp11 {
+		type filter hook input priority 11; policy accept;
+	}
+
+	chain outputfilterm11 {
+		type filter hook output priority -11; policy accept;
+	}
+
+	chain outputfilterm10 {
+		type filter hook output priority filter - 10; policy accept;
+	}
+
+	chain outputfilter {
+		type filter hook output priority filter; policy accept;
+	}
+
+	chain outputfilterp10 {
+		type filter hook output priority filter + 10; policy accept;
+	}
+
+	chain outputfilterp11 {
+		type filter hook output priority 11; policy accept;
+	}
+}
+table netdev x {
+	chain ingressfilterm11 {
+		type filter hook ingress device "lo" priority -11; policy accept;
+	}
+
+	chain ingressfilterm10 {
+		type filter hook ingress device "lo" priority filter - 10; policy accept;
+	}
+
+	chain ingressfilter {
+		type filter hook ingress device "lo" priority filter; policy accept;
+	}
+
+	chain ingressfilterp10 {
+		type filter hook ingress device "lo" priority filter + 10; policy accept;
+	}
+
+	chain ingressfilterp11 {
+		type filter hook ingress device "lo" priority 11; policy accept;
+	}
+
+	chain egressfilterm11 {
+		type filter hook egress device "lo" priority -11; policy accept;
+	}
+
+	chain egressfilterm10 {
+		type filter hook egress device "lo" priority filter - 10; policy accept;
+	}
+
+	chain egressfilter {
+		type filter hook egress device "lo" priority filter; policy accept;
+	}
+
+	chain egressfilterp10 {
+		type filter hook egress device "lo" priority filter + 10; policy accept;
+	}
+
+	chain egressfilterp11 {
+		type filter hook egress device "lo" priority 11; policy accept;
+	}
+}
+table bridge x {
+	chain preroutingfilterm11 {
+		type filter hook prerouting priority -211; policy accept;
+	}
+
+	chain preroutingfilterm10 {
+		type filter hook prerouting priority filter - 10; policy accept;
+	}
+
+	chain preroutingfilter {
+		type filter hook prerouting priority filter; policy accept;
+	}
+
+	chain preroutingfilterp10 {
+		type filter hook prerouting priority filter + 10; policy accept;
+	}
+
+	chain preroutingfilterp11 {
+		type filter hook prerouting priority -189; policy accept;
+	}
+
+	chain inputfilterm11 {
+		type filter hook input priority -211; policy accept;
+	}
+
+	chain inputfilterm10 {
+		type filter hook input priority filter - 10; policy accept;
+	}
+
+	chain inputfilter {
+		type filter hook input priority filter; policy accept;
+	}
+
+	chain inputfilterp10 {
+		type filter hook input priority filter + 10; policy accept;
+	}
+
+	chain inputfilterp11 {
+		type filter hook input priority -189; policy accept;
+	}
+
+	chain forwardfilterm11 {
+		type filter hook forward priority -211; policy accept;
+	}
+
+	chain forwardfilterm10 {
+		type filter hook forward priority filter - 10; policy accept;
+	}
+
+	chain forwardfilter {
+		type filter hook forward priority filter; policy accept;
+	}
+
+	chain forwardfilterp10 {
+		type filter hook forward priority filter + 10; policy accept;
+	}
+
+	chain forwardfilterp11 {
+		type filter hook forward priority -189; policy accept;
+	}
+
+	chain outputfilterm11 {
+		type filter hook output priority -211; policy accept;
+	}
+
+	chain outputfilterm10 {
+		type filter hook output priority filter - 10; policy accept;
+	}
+
+	chain outputfilter {
+		type filter hook output priority filter; policy accept;
+	}
+
+	chain outputfilterp10 {
+		type filter hook output priority filter + 10; policy accept;
+	}
+
+	chain outputfilterp11 {
+		type filter hook output priority -189; policy accept;
+	}
+
+	chain postroutingfilterm11 {
+		type filter hook postrouting priority -211; policy accept;
+	}
+
+	chain postroutingfilterm10 {
+		type filter hook postrouting priority filter - 10; policy accept;
+	}
+
+	chain postroutingfilter {
+		type filter hook postrouting priority filter; policy accept;
+	}
+
+	chain postroutingfilterp10 {
+		type filter hook postrouting priority filter + 10; policy accept;
+	}
+
+	chain postroutingfilterp11 {
+		type filter hook postrouting priority -189; policy accept;
+	}
+
+	chain preroutingdstnatm11 {
+		type filter hook prerouting priority -311; policy accept;
+	}
+
+	chain preroutingdstnatm10 {
+		type filter hook prerouting priority dstnat - 10; policy accept;
+	}
+
+	chain preroutingdstnat {
+		type filter hook prerouting priority dstnat; policy accept;
+	}
+
+	chain preroutingdstnatp10 {
+		type filter hook prerouting priority dstnat + 10; policy accept;
+	}
+
+	chain preroutingdstnatp11 {
+		type filter hook prerouting priority -289; policy accept;
+	}
+
+	chain outputoutm11 {
+		type filter hook output priority 89; policy accept;
+	}
+
+	chain outputoutm10 {
+		type filter hook output priority out - 10; policy accept;
+	}
+
+	chain outputout {
+		type filter hook output priority out; policy accept;
+	}
+
+	chain outputoutp10 {
+		type filter hook output priority out + 10; policy accept;
+	}
+
+	chain outputoutp11 {
+		type filter hook output priority 111; policy accept;
+	}
+
+	chain postroutingsrcnatm11 {
+		type filter hook postrouting priority 289; policy accept;
+	}
+
+	chain postroutingsrcnatm10 {
+		type filter hook postrouting priority srcnat - 10; policy accept;
+	}
+
+	chain postroutingsrcnat {
+		type filter hook postrouting priority srcnat; policy accept;
+	}
+
+	chain postroutingsrcnatp10 {
+		type filter hook postrouting priority srcnat + 10; policy accept;
+	}
+
+	chain postroutingsrcnatp11 {
+		type filter hook postrouting priority 311; policy accept;
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0022prio_dummy_1.nft b/tests/shell/testcases/chains/dumps/0022prio_dummy_1.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0022prio_dummy_1.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.nft b/tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.nft
new file mode 100644
index 0000000..46912ea
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0023prio_inet_srcnat_1.nft
@@ -0,0 +1,6 @@
+table ip x {
+}
+table ip6 x {
+}
+table inet x {
+}
diff --git a/tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.nft b/tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.nft
new file mode 100644
index 0000000..46912ea
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0024prio_inet_dstnat_1.nft
@@ -0,0 +1,6 @@
+table ip x {
+}
+table ip6 x {
+}
+table inet x {
+}
diff --git a/tests/shell/testcases/chains/dumps/0025prio_arp_1.nft b/tests/shell/testcases/chains/dumps/0025prio_arp_1.nft
new file mode 100644
index 0000000..7483cda
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0025prio_arp_1.nft
@@ -0,0 +1,2 @@
+table arp x {
+}
diff --git a/tests/shell/testcases/chains/dumps/0026prio_netdev_1.nft b/tests/shell/testcases/chains/dumps/0026prio_netdev_1.nft
new file mode 100644
index 0000000..aa571e0
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0026prio_netdev_1.nft
@@ -0,0 +1,2 @@
+table netdev x {
+}
diff --git a/tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.nft b/tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.nft
new file mode 100644
index 0000000..d17be81
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0027prio_bridge_dstnat_1.nft
@@ -0,0 +1,2 @@
+table bridge x {
+}
diff --git a/tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.nft b/tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.nft
new file mode 100644
index 0000000..d17be81
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0028prio_bridge_out_1.nft
@@ -0,0 +1,2 @@
+table bridge x {
+}
diff --git a/tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.nft b/tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.nft
new file mode 100644
index 0000000..d17be81
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0029prio_bridge_srcnat_1.nft
@@ -0,0 +1,2 @@
+table bridge x {
+}
diff --git a/tests/shell/testcases/chains/dumps/0030create_0.nft b/tests/shell/testcases/chains/dumps/0030create_0.nft
new file mode 100644
index 0000000..8e818d2
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0030create_0.nft
@@ -0,0 +1,4 @@
+table ip x {
+	chain y {
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0031priority_variable_0.nft b/tests/shell/testcases/chains/dumps/0031priority_variable_0.nft
new file mode 100644
index 0000000..f409309
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0031priority_variable_0.nft
@@ -0,0 +1,5 @@
+table inet global {
+	chain prerouting {
+		type filter hook prerouting priority filter; policy accept;
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0032priority_variable_0.nft b/tests/shell/testcases/chains/dumps/0032priority_variable_0.nft
new file mode 100644
index 0000000..1a1b079
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0032priority_variable_0.nft
@@ -0,0 +1,13 @@
+table inet global {
+	chain prerouting {
+		type filter hook prerouting priority filter + 10; policy accept;
+	}
+
+	chain forward {
+		type filter hook prerouting priority dstnat; policy accept;
+	}
+
+	chain postrouting {
+		type filter hook postrouting priority filter - 10; policy accept;
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0033priority_variable_1.nft b/tests/shell/testcases/chains/dumps/0033priority_variable_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0033priority_variable_1.nft
diff --git a/tests/shell/testcases/chains/dumps/0034priority_variable_1.nft b/tests/shell/testcases/chains/dumps/0034priority_variable_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0034priority_variable_1.nft
diff --git a/tests/shell/testcases/chains/dumps/0035policy_variable_0.nft b/tests/shell/testcases/chains/dumps/0035policy_variable_0.nft
new file mode 100644
index 0000000..f409309
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0035policy_variable_0.nft
@@ -0,0 +1,5 @@
+table inet global {
+	chain prerouting {
+		type filter hook prerouting priority filter; policy accept;
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0036policy_variable_0.nft b/tests/shell/testcases/chains/dumps/0036policy_variable_0.nft
new file mode 100644
index 0000000..d729e1e
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0036policy_variable_0.nft
@@ -0,0 +1,5 @@
+table inet global {
+	chain prerouting {
+		type filter hook prerouting priority filter; policy drop;
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0037policy_variable_1.nft b/tests/shell/testcases/chains/dumps/0037policy_variable_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0037policy_variable_1.nft
diff --git a/tests/shell/testcases/chains/dumps/0038policy_variable_1.nft b/tests/shell/testcases/chains/dumps/0038policy_variable_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0038policy_variable_1.nft
diff --git a/tests/shell/testcases/chains/dumps/0039negative_priority_0.nft b/tests/shell/testcases/chains/dumps/0039negative_priority_0.nft
new file mode 100644
index 0000000..20f8272
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0039negative_priority_0.nft
@@ -0,0 +1,5 @@
+table ip t {
+	chain c {
+		type filter hook input priority -30; policy accept;
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0041chain_binding_0.nft b/tests/shell/testcases/chains/dumps/0041chain_binding_0.nft
new file mode 100644
index 0000000..520203d
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0041chain_binding_0.nft
@@ -0,0 +1,12 @@
+table inet x {
+	chain y {
+		type filter hook input priority filter; policy accept;
+		meta l4proto { tcp, udp } th dport 53 jump {
+			ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } counter packets 0 bytes 0 accept
+			ip6 saddr ::1 counter packets 0 bytes 0 accept
+		}
+		meta l4proto ipv6-icmp jump {
+			counter packets 0 bytes 0 accept
+		}
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0042chain_variable_0.nft b/tests/shell/testcases/chains/dumps/0042chain_variable_0.nft
new file mode 100644
index 0000000..5ec230d
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0042chain_variable_0.nft
@@ -0,0 +1,19 @@
+table netdev filter1 {
+	chain Main_Ingress1 {
+		type filter hook ingress device "lo" priority -500; policy accept;
+	}
+}
+table netdev filter2 {
+	chain Main_Ingress2 {
+		type filter hook ingress devices = { dummy0, lo } priority -500; policy accept;
+	}
+}
+table netdev filter3 {
+	chain Main_Ingress3 {
+		type filter hook ingress devices = { dummy0, lo } priority -500; policy accept;
+	}
+
+	chain Main_Egress3 {
+		type filter hook egress device "lo" priority -500; policy accept;
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0043chain_ingress_0.nft b/tests/shell/testcases/chains/dumps/0043chain_ingress_0.nft
new file mode 100644
index 0000000..8483b26
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0043chain_ingress_0.nft
@@ -0,0 +1,13 @@
+table inet filter {
+	chain ingress {
+		type filter hook ingress device "lo" priority filter; policy accept;
+	}
+
+	chain input {
+		type filter hook input priority filter; policy accept;
+	}
+
+	chain forward {
+		type filter hook forward priority filter; policy accept;
+	}
+}
diff --git a/tests/shell/testcases/chains/dumps/0044chain_destroy_0.nft b/tests/shell/testcases/chains/dumps/0044chain_destroy_0.nft
new file mode 100644
index 0000000..985768b
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0044chain_destroy_0.nft
@@ -0,0 +1,2 @@
+table ip t {
+}
diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_0.nft b/tests/shell/testcases/chains/dumps/netdev_chain_0.nft
new file mode 100644
index 0000000..aa571e0
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/netdev_chain_0.nft
@@ -0,0 +1,2 @@
+table netdev x {
+}
diff --git a/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.nft b/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/netdev_chain_autoremove.nft
diff --git a/tests/shell/testcases/chains/netdev_chain_0 b/tests/shell/testcases/chains/netdev_chain_0
new file mode 100755
index 0000000..a323e6e
--- /dev/null
+++ b/tests/shell/testcases/chains/netdev_chain_0
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_netdev_chain_without_device)
+
+set -e
+
+iface_cleanup() {
+	ip link del d0 &>/dev/null || :
+	ip link del d1 &>/dev/null || :
+	ip link del d2 &>/dev/null || :
+}
+trap 'iface_cleanup' EXIT
+iface_cleanup
+
+ip link add d0 type dummy
+ip link add d1 type dummy
+ip link add d2 type dummy
+
+RULESET="table netdev x {
+	chain y {
+		type filter hook ingress priority 0; policy accept;
+	}
+}"
+
+$NFT -f - <<< "$RULESET"
+
+$NFT add chain netdev x y '{ devices = { d0 }; }'
+$NFT add chain netdev x y '{ devices = { d1, d2, lo }; }'
+$NFT delete chain netdev x y '{ devices = { lo }; }'
diff --git a/tests/shell/testcases/chains/netdev_chain_autoremove b/tests/shell/testcases/chains/netdev_chain_autoremove
new file mode 100755
index 0000000..21f3ad2
--- /dev/null
+++ b/tests/shell/testcases/chains/netdev_chain_autoremove
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+# Test auto-removal of chain hook on netns removal
+unshare -n bash -e -c "ip link add br0 type bridge; \
+ $NFT add table netdev test; \
+ $NFT add chain netdev test ingress { type filter hook ingress device \"br0\" priority 0\; policy drop\; } ; \
+"
diff --git a/tests/shell/testcases/comments/comments_0 b/tests/shell/testcases/comments/comments_0
new file mode 100755
index 0000000..a50387d
--- /dev/null
+++ b/tests/shell/testcases/comments/comments_0
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+RULESET="table inet x {		# comment
+        # comment 1
+	# comment 2
+	set y { # comment here
+		type ipv4_addr	# comment
+		elements = {
+			# 1.1.1.1
+                        2.2.2.2, # comment
+                        # more comments
+                        3.3.3.3,	# comment
+# comment
+                }
+		# comment
+        }
+
+	# comments are allowed here
+	chain y {
+		# comments are allowed here
+		icmpv6 type {
+			1,	# comments are allowed here
+			2,
+		} accept
+
+		icmp type {
+# comment
+			1,
+			# comments also allowed here
+			2,
+		} accept
+
+		tcp dport {
+			# normal FTP
+			21,
+			# patched FTP
+			2121
+		} counter accept
+	}
+}
+"
+
+$NFT -f - <<< "$RULESET"
+
diff --git a/tests/shell/testcases/comments/dumps/comments_0.nft b/tests/shell/testcases/comments/dumps/comments_0.nft
new file mode 100644
index 0000000..82ae510
--- /dev/null
+++ b/tests/shell/testcases/comments/dumps/comments_0.nft
@@ -0,0 +1,12 @@
+table inet x {
+	set y {
+		type ipv4_addr
+		elements = { 2.2.2.2, 3.3.3.3 }
+	}
+
+	chain y {
+		icmpv6 type { destination-unreachable, packet-too-big } accept
+		icmp type { 1, 2 } accept
+		tcp dport { 21, 2121 } counter packets 0 bytes 0 accept
+	}
+}
diff --git a/tests/shell/testcases/flowtable/0001flowtable_0 b/tests/shell/testcases/flowtable/0001flowtable_0
new file mode 100755
index 0000000..2e18099
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0001flowtable_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+EXPECTED='table inet t {
+	flowtable f {
+		hook ingress priority 10
+		devices = { lo }
+	}
+
+	chain c {
+		flow add @f
+	}
+}'
+
+set -e
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/flowtable/0002create_flowtable_0 b/tests/shell/testcases/flowtable/0002create_flowtable_0
new file mode 100755
index 0000000..4c85c3f
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0002create_flowtable_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+$NFT add table t
+$NFT add flowtable t f { hook ingress priority 10 \; devices = { lo }\; }
+if $NFT create flowtable t f { hook ingress priority 10 \; devices = { lo }\; } 2>/dev/null ; then
+	echo "E: flowtable creation not failing on existing set" >&2
+	exit 1
+fi
+$NFT add flowtable t f { hook ingress priority 10 \; devices = { lo }\; }
+
+exit 0
diff --git a/tests/shell/testcases/flowtable/0003add_after_flush_0 b/tests/shell/testcases/flowtable/0003add_after_flush_0
new file mode 100755
index 0000000..481c7ed
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0003add_after_flush_0
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -e
+$NFT add table x
+$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
+$NFT flush ruleset
+$NFT add table x
+$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
diff --git a/tests/shell/testcases/flowtable/0004delete_after_add_0 b/tests/shell/testcases/flowtable/0004delete_after_add_0
new file mode 100755
index 0000000..8d9a842
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0004delete_after_add_0
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+$NFT add table x
+$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
+$NFT delete flowtable x y
diff --git a/tests/shell/testcases/flowtable/0005delete_in_use_1 b/tests/shell/testcases/flowtable/0005delete_in_use_1
new file mode 100755
index 0000000..ef52620
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0005delete_in_use_1
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+$NFT add table x
+$NFT add chain x x
+$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
+$NFT add rule x x flow add @y
+
+$NFT delete flowtable x y || exit 0
+echo "E: delete flowtable in use"
+exit 1
diff --git a/tests/shell/testcases/flowtable/0006segfault_0 b/tests/shell/testcases/flowtable/0006segfault_0
new file mode 100755
index 0000000..fb7c52f
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0006segfault_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Make sure nft does not segfault when given invalid syntax in 'add flowtable' commands.
+
+$NFT add table ip t
+
+$NFT add flowtable ip t f { hook ingress priority 10\; devices = { lo } }
+[[ $? -eq 1 ]] || exit 1
+
+$NFT add flowtable ip t f { hook ingress\; priority 10\; }
+[[ $? -eq 1 ]] || exit 1
diff --git a/tests/shell/testcases/flowtable/0007prio_0 b/tests/shell/testcases/flowtable/0007prio_0
new file mode 100755
index 0000000..49bbcac
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0007prio_0
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+format_offset () {
+	i=$1
+	if ((i == 0))
+	then
+		echo ""
+	elif ((i > 0))
+	then
+		echo "+$i"
+	else
+		echo "$i"
+	fi
+}
+
+$NFT add table t
+for offset in -11 -10 0 10 11
+do
+	$NFT add flowtable t f "{ hook ingress priority filter `format_offset $offset`; devices = { lo }; }"
+	$NFT delete flowtable t f
+done
+
diff --git a/tests/shell/testcases/flowtable/0008prio_1 b/tests/shell/testcases/flowtable/0008prio_1
new file mode 100755
index 0000000..48953d7
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0008prio_1
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+$NFT add table t
+for prioname in raw mangle dstnar security srcnat out dummy
+do
+	$NFT add flowtable t f { hook ingress priority $prioname \; devices = { lo }\; }
+	if (($? == 0))
+	then
+		echo "E: $prioname should not be a valid priority name for flowtables" >&2
+		exit 1
+	fi
+done
+
+exit 0
diff --git a/tests/shell/testcases/flowtable/0009deleteafterflush_0 b/tests/shell/testcases/flowtable/0009deleteafterflush_0
new file mode 100755
index 0000000..2cda563
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0009deleteafterflush_0
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+$NFT add table x
+$NFT add chain x y
+$NFT add flowtable x f { hook ingress priority 0\; devices = { lo }\;}
+$NFT add rule x y flow add @f
+$NFT flush chain x y
+$NFT delete flowtable x f
diff --git a/tests/shell/testcases/flowtable/0010delete_handle_0 b/tests/shell/testcases/flowtable/0010delete_handle_0
new file mode 100755
index 0000000..8dd8d9f
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0010delete_handle_0
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# delete flowtable by handle
+
+set -e
+
+$NFT add table inet t
+$NFT add flowtable inet t f { hook ingress priority filter\; devices = { lo }\; }
+
+FH=$($NFT -a list ruleset | awk '/flowtable f/ { print $NF }')
+
+$NFT delete flowtable inet t handle $FH
+
+EXPECTED="table inet t {
+}"
+
+GET="$($NFT list ruleset)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/flowtable/0011deleteafterflush_0 b/tests/shell/testcases/flowtable/0011deleteafterflush_0
new file mode 100755
index 0000000..4f519a7
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0011deleteafterflush_0
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -e
+$NFT add table x
+$NFT add chain x y
+$NFT add flowtable x f { hook ingress priority 0\; devices = { lo }\;}
+$NFT add rule x y ip protocol tcp flow add @f
+$NFT add rule x y ip protocol udp flow add @f
+$NFT flush chain x y
+$NFT delete flowtable x f
diff --git a/tests/shell/testcases/flowtable/0012flowtable_variable_0 b/tests/shell/testcases/flowtable/0012flowtable_variable_0
new file mode 100755
index 0000000..080059d
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0012flowtable_variable_0
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -e
+
+iface_cleanup() {
+	ip link del dummy1 &>/dev/null || :
+}
+trap 'iface_cleanup' EXIT
+iface_cleanup
+
+ip link add name dummy1 type dummy
+
+EXPECTED="define if_main = { lo, dummy1 }
+
+table filter1 {
+	flowtable Main_ft1 {
+		hook ingress priority filter
+		counter
+		devices = \$if_main
+	}
+}"
+
+$NFT -f - <<< $EXPECTED
+
+EXPECTED="define if_main = \"lo\"
+
+table filter2 {
+	flowtable Main_ft2 {
+		hook ingress priority filter
+		counter
+		devices = { \$if_main, dummy1 }
+	}
+}"
+
+$NFT -f - <<< $EXPECTED
diff --git a/tests/shell/testcases/flowtable/0013addafterdelete_0 b/tests/shell/testcases/flowtable/0013addafterdelete_0
new file mode 100755
index 0000000..b23ab97
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0013addafterdelete_0
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+set -e
+
+RULESET='table inet filter {
+
+    flowtable f {
+	hook ingress priority filter - 1
+	devices = { lo }
+	counter
+    }
+}'
+
+$NFT -f - <<< "$RULESET"
+
+RULESET='delete flowtable inet filter f
+
+table inet filter {
+
+    flowtable f {
+	hook ingress priority filter - 1
+	devices = { lo }
+	counter
+    }
+}'
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/flowtable/0014addafterdelete_0 b/tests/shell/testcases/flowtable/0014addafterdelete_0
new file mode 100755
index 0000000..6a24c4b
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0014addafterdelete_0
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+RULESET='table inet filter {
+
+    flowtable f {
+        hook ingress priority filter - 1
+        devices = { lo }
+    }
+
+    chain y {
+        type filter hook forward priority 0;
+        flow add @f counter
+    }
+}'
+
+$NFT -f - <<< "$RULESET"
+
+RULESET='delete rule inet filter y handle 3
+delete flowtable inet filter f
+
+table inet filter {
+    flowtable f {
+        hook ingress priority filter - 1
+        devices = { lo }
+        counter
+    }
+
+    chain y {
+        type filter hook forward priority 0;
+        flow add @f counter
+    }
+}'
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/flowtable/0015destroy_0 b/tests/shell/testcases/flowtable/0015destroy_0
new file mode 100755
index 0000000..d2a87da
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0015destroy_0
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)
+
+$NFT add table t
+
+# pass for non-existent flowtable
+$NFT destroy flowtable t f
+
+# successfully delete existing flowtable
+$NFT add flowtable t f '{ hook ingress priority 10; devices = { lo }; }'
+$NFT destroy flowtable t f
diff --git a/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft
new file mode 100644
index 0000000..629bfe8
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0001flowtable_0.nft
@@ -0,0 +1,10 @@
+table inet t {
+	flowtable f {
+		hook ingress priority filter + 10
+		devices = { lo }
+	}
+
+	chain c {
+		flow add @f
+	}
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.nft b/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.nft
new file mode 100644
index 0000000..aecfb2a
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0002create_flowtable_0.nft
@@ -0,0 +1,6 @@
+table ip t {
+	flowtable f {
+		hook ingress priority filter + 10
+		devices = { lo }
+	}
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.nft b/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.nft
new file mode 100644
index 0000000..dd904f4
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0003add_after_flush_0.nft
@@ -0,0 +1,6 @@
+table ip x {
+	flowtable y {
+		hook ingress priority filter
+		devices = { lo }
+	}
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.nft b/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0004delete_after_add_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.nft b/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.nft
new file mode 100644
index 0000000..c1d79e7
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0005delete_in_use_1.nft
@@ -0,0 +1,10 @@
+table ip x {
+	flowtable y {
+		hook ingress priority filter
+		devices = { lo }
+	}
+
+	chain x {
+		flow add @y
+	}
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0006segfault_0.nft b/tests/shell/testcases/flowtable/dumps/0006segfault_0.nft
new file mode 100644
index 0000000..985768b
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0006segfault_0.nft
@@ -0,0 +1,2 @@
+table ip t {
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0007prio_0.nft b/tests/shell/testcases/flowtable/dumps/0007prio_0.nft
new file mode 100644
index 0000000..985768b
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0007prio_0.nft
@@ -0,0 +1,2 @@
+table ip t {
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0008prio_1.nft b/tests/shell/testcases/flowtable/dumps/0008prio_1.nft
new file mode 100644
index 0000000..985768b
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0008prio_1.nft
@@ -0,0 +1,2 @@
+table ip t {
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.nft b/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.nft
new file mode 100644
index 0000000..8e818d2
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0009deleteafterflush_0.nft
@@ -0,0 +1,4 @@
+table ip x {
+	chain y {
+	}
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.nft b/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.nft
new file mode 100644
index 0000000..17838bd
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0010delete_handle_0.nft
@@ -0,0 +1,2 @@
+table inet t {
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.nft b/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.nft
new file mode 100644
index 0000000..8e818d2
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0011deleteafterflush_0.nft
@@ -0,0 +1,4 @@
+table ip x {
+	chain y {
+	}
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft
new file mode 100644
index 0000000..df1c51a
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft
@@ -0,0 +1,14 @@
+table ip filter1 {
+	flowtable Main_ft1 {
+		hook ingress priority filter
+		devices = { lo }
+		counter
+	}
+}
+table ip filter2 {
+	flowtable Main_ft2 {
+		hook ingress priority filter
+		devices = { lo }
+		counter
+	}
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.nft b/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.nft
new file mode 100644
index 0000000..83fdd5d
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0013addafterdelete_0.nft
@@ -0,0 +1,7 @@
+table inet filter {
+	flowtable f {
+		hook ingress priority filter - 1
+		devices = { lo }
+		counter
+	}
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.nft b/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.nft
new file mode 100644
index 0000000..145aa08
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0014addafterdelete_0.nft
@@ -0,0 +1,12 @@
+table inet filter {
+	flowtable f {
+		hook ingress priority filter - 1
+		devices = { lo }
+		counter
+	}
+
+	chain y {
+		type filter hook forward priority filter; policy accept;
+		flow add @f counter packets 0 bytes 0
+	}
+}
diff --git a/tests/shell/testcases/flowtable/dumps/0015destroy_0.nft b/tests/shell/testcases/flowtable/dumps/0015destroy_0.nft
new file mode 100644
index 0000000..985768b
--- /dev/null
+++ b/tests/shell/testcases/flowtable/dumps/0015destroy_0.nft
@@ -0,0 +1,2 @@
+table ip t {
+}
diff --git a/tests/shell/testcases/include/0001absolute_0 b/tests/shell/testcases/include/0001absolute_0
new file mode 100755
index 0000000..4ad874f
--- /dev/null
+++ b/tests/shell/testcases/include/0001absolute_0
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -e
+
+tmpfile1=$(mktemp)
+if [ ! -w $tmpfile1 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpfile2=$(mktemp)
+if [ ! -w $tmpfile2 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+trap "rm -rf $tmpfile1 $tmpfile2" EXIT # cleanup if aborted
+
+RULESET1="add table x"
+RULESET2="include \"$tmpfile1\""
+
+echo "$RULESET1" > $tmpfile1
+echo "$RULESET2" > $tmpfile2
+
+$NFT -f $tmpfile2
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/include/0002relative_0 b/tests/shell/testcases/include/0002relative_0
new file mode 100755
index 0000000..a91cd8f
--- /dev/null
+++ b/tests/shell/testcases/include/0002relative_0
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -e
+
+tmpfile1=$(mktemp -p .)
+if [ ! -w $tmpfile1 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpfile2=$(mktemp -p .)
+if [ ! -w $tmpfile2 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+trap "rm -rf $tmpfile1 $tmpfile2" EXIT # cleanup if aborted
+
+RULESET1="add table x"
+RULESET2="include \"$tmpfile1\""
+
+echo "$RULESET1" > $tmpfile1
+echo "$RULESET2" > $tmpfile2
+
+$NFT -f $tmpfile2
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/include/0003includepath_0 b/tests/shell/testcases/include/0003includepath_0
new file mode 100755
index 0000000..20037a8
--- /dev/null
+++ b/tests/shell/testcases/include/0003includepath_0
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+tmpfile1=$(mktemp)
+if [ ! -w $tmpfile1 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpfile3="$(basename "$tmpfile1")"
+
+tmpfile2=$(mktemp)
+if [ ! -w $tmpfile2 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+trap "rm -rf $tmpfile1 $tmpfile2" EXIT # cleanup if aborted
+
+RULESET1="add table x"
+RULESET2="include \"$tmpfile3\""
+
+echo "$RULESET1" > $tmpfile1
+echo "$RULESET2" > $tmpfile2
+
+$NFT -I "$(dirname "$tmpfile1")" -f $tmpfile2
+if [ $? -ne 0 ] ; then
+	echo "E: unable to load good ruleset" >&2
+	exit 1
+fi
diff --git a/tests/shell/testcases/include/0004endlessloop_1 b/tests/shell/testcases/include/0004endlessloop_1
new file mode 100755
index 0000000..3e6789d
--- /dev/null
+++ b/tests/shell/testcases/include/0004endlessloop_1
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+RULESET="include \"$tmpfile\""
+
+echo "$RULESET" > $tmpfile
+
+$NFT -f $tmpfile 2>/dev/null || exit 0
+echo "E: endless include loop" >&2
+exit 1
diff --git a/tests/shell/testcases/include/0005glob_empty_0 b/tests/shell/testcases/include/0005glob_empty_0
new file mode 100755
index 0000000..0743d0d
--- /dev/null
+++ b/tests/shell/testcases/include/0005glob_empty_0
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Including files in an empty directory must not fail.
+
+set -e
+
+tmpdir=$(mktemp -d)
+if [ ! -d $tmpdir ] ; then
+        echo "Failed to create tmp directory" >&2
+        exit 0
+fi
+
+tmpfile1=$(mktemp)
+if [ ! -w $tmpfile1 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpfile1 && rmdir $tmpdir" EXIT
+
+RULESET1="include \"$tmpdir/*\""
+
+echo "$RULESET1" > $tmpfile1
+
+$NFT -f $tmpfile1
+
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/include/0006glob_single_0 b/tests/shell/testcases/include/0006glob_single_0
new file mode 100755
index 0000000..754db6f
--- /dev/null
+++ b/tests/shell/testcases/include/0006glob_single_0
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+tmpdir=$(mktemp -d)
+if [ ! -d $tmpdir ] ; then
+        echo "Failed to create tmp directory" >&2
+        exit 0
+fi
+
+tmpfile1=$(mktemp -p $tmpdir)
+if [ ! -w $tmpfile1 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpfile2=$(mktemp)
+if [ ! -w $tmpfile2 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpfile1 $tmpfile2 && rmdir $tmpdir" EXIT
+
+RULESET1="add table x"
+RULESET2="include \"$tmpdir/*\""
+
+echo "$RULESET1" > $tmpfile1
+echo "$RULESET2" > $tmpfile2
+
+$NFT -f $tmpfile2
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/include/0007glob_double_0 b/tests/shell/testcases/include/0007glob_double_0
new file mode 100755
index 0000000..00c3efc
--- /dev/null
+++ b/tests/shell/testcases/include/0007glob_double_0
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+tmpdir=$(mktemp -d)
+if [ ! -d $tmpdir ] ; then
+        echo "Failed to create tmp directory" >&2
+        exit 0
+fi
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpdir $tmpfile" EXIT
+
+RULESET1="add table x"
+RULESET2="add table y"
+RULESET3="include \"$tmpdir/*\""
+
+echo "$RULESET1" > $tmpdir/table_x
+echo "$RULESET2" > $tmpdir/table_y
+echo "$RULESET3" > $tmpfile
+
+$NFT -f $tmpfile
+
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/include/0008glob_nofile_wildcard_0 b/tests/shell/testcases/include/0008glob_nofile_wildcard_0
new file mode 100755
index 0000000..f9c0aa1
--- /dev/null
+++ b/tests/shell/testcases/include/0008glob_nofile_wildcard_0
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# When using wildcards, not having any match is not an error.
+
+set -e
+
+tmpdir=$(mktemp -d)
+if [ ! -d $tmpdir ] ; then
+        echo "Failed to create tmp directory" >&2
+        exit 0
+fi
+
+# remove the directory
+rmdir $tmpdir
+
+tmpfile1=$(mktemp)
+if [ ! -w $tmpfile1 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpfile1" EXIT
+
+RULESET1="include \"$tmpdir/non_existent_file*.nft\""
+
+echo "$RULESET1" > $tmpfile1
+
+$NFT -f $tmpfile1
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/include/0009glob_nofile_1 b/tests/shell/testcases/include/0009glob_nofile_1
new file mode 100755
index 0000000..d769155
--- /dev/null
+++ b/tests/shell/testcases/include/0009glob_nofile_1
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# When not using wildcards, not having any match is an error.
+
+set -e
+
+tmpdir=$(mktemp -d)
+if [ ! -d $tmpdir ] ; then
+        echo "Failed to create tmp directory" >&2
+        exit 0
+fi
+
+# remove the directory
+rmdir $tmpdir
+
+tmpfile1=$(mktemp)
+if [ ! -w $tmpfile1 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpfile1" EXIT
+
+RULESET1="include \"$tmpdir/non_existent_file.nft\""
+
+echo "$RULESET1" > $tmpfile1
+
+$NFT -f $tmpfile1 || exit 0
+echo "E: Failed to catch a missing include directory/file" >&2
+exit 1
diff --git a/tests/shell/testcases/include/0010glob_broken_file_1 b/tests/shell/testcases/include/0010glob_broken_file_1
new file mode 100755
index 0000000..a00babf
--- /dev/null
+++ b/tests/shell/testcases/include/0010glob_broken_file_1
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# Loading broken files must fail.
+
+set -e
+
+tmpdir=$(mktemp -d)
+if [ ! -d $tmpdir ] ; then
+        echo "Failed to create tmp directory" >&2
+        exit 0
+fi
+
+tmpfile1=$(mktemp -p $tmpdir)
+if [ ! -w $tmpfile1 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpfile2=$(mktemp -p $tmpdir)
+if [ ! -w $tmpfile2 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpfile3=$(mktemp)
+if [ ! -w $tmpfile3 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpfile1 $tmpfile2 $tmpfile3 && rmdir $tmpdir" EXIT
+
+RULESET1="add table x"
+
+# do an error in a file
+RULESET2="intentionally broken file"
+RULESET3="include \"$tmpdir/*\""
+
+echo "$RULESET1" > $tmpfile1
+echo "$RULESET2" > $tmpfile2
+echo "$RULESET3" > $tmpfile3
+
+$NFT -f $tmpfile3 || exit 0
+echo "E: didn't catch a broken file in directory" >&2
+exit 1
diff --git a/tests/shell/testcases/include/0011glob_dependency_0 b/tests/shell/testcases/include/0011glob_dependency_0
new file mode 100755
index 0000000..8786850
--- /dev/null
+++ b/tests/shell/testcases/include/0011glob_dependency_0
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# Files are included in alphabetical order.
+
+set -e
+
+tmpdir=$(mktemp -d)
+if [ ! -d $tmpdir ] ; then
+        echo "Failed to create tmp directory" >&2
+        exit 0
+fi
+
+tmpfile1="$tmpdir/01_file.nft"
+touch $tmpfile1
+if [ ! -w $tmpfile1 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpfile2="$tmpdir/02_file.nft"
+touch $tmpfile2
+if [ ! -w $tmpfile2 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpfile3=$(mktemp)
+if [ ! -w $tmpfile3 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpfile1 $tmpfile2 $tmpfile3 && rmdir $tmpdir" EXIT
+
+# add interdependent rulesets
+RULESET1="add table x"
+RULESET2="add chain x y"
+RULESET3="include \"$tmpdir/*\""
+
+echo "$RULESET1" > $tmpfile1
+echo "$RULESET2" > $tmpfile2
+echo "$RULESET3" > $tmpfile3
+
+$NFT -f $tmpfile3
+
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/include/0012glob_dependency_1 b/tests/shell/testcases/include/0012glob_dependency_1
new file mode 100755
index 0000000..e4e12e2
--- /dev/null
+++ b/tests/shell/testcases/include/0012glob_dependency_1
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Files are included in alphabetical order.
+
+set -e
+
+tmpdir=$(mktemp -d)
+if [ ! -d $tmpdir ] ; then
+        echo "Failed to create tmp directory" >&2
+        exit 0
+fi
+
+tmpfile1="$tmpdir/01_file.nft"
+touch $tmpfile1
+if [ ! -w $tmpfile1 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpfile2="$tmpdir/02_file.nft"
+touch $tmpfile2
+if [ ! -w $tmpfile2 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpfile3=$(mktemp)
+if [ ! -w $tmpfile3 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpfile1 $tmpfile2 $tmpfile3 && rmdir $tmpdir" EXIT
+
+# add interdependent rulesets
+RULESET1="add table x"
+RULESET2="add chain x y"
+RULESET3="include \"$tmpdir/*\""
+
+# Note different order when compared with 0011dir_dependency_0. The idea
+# here is to introduce wrong order to get the loading fail.
+echo "$RULESET1" > $tmpfile2
+echo "$RULESET2" > $tmpfile1
+echo "$RULESET3" > $tmpfile3
+
+$NFT -f $tmpfile3 || exit 0
+echo "E: did not catch wrong file order in include directory" >&2
+exit 1
diff --git a/tests/shell/testcases/include/0013glob_dotfile_0 b/tests/shell/testcases/include/0013glob_dotfile_0
new file mode 100755
index 0000000..36cfe1c
--- /dev/null
+++ b/tests/shell/testcases/include/0013glob_dotfile_0
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Must not load a dot file in globbed directory.
+
+set -e
+
+tmpdir=$(mktemp -d)
+if [ ! -d $tmpdir ] ; then
+        echo "Failed to create tmp directory" >&2
+        exit 0
+fi
+
+tmpfile1=$(mktemp -p $tmpdir)
+if [ ! -w $tmpfile1 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpfile2=$(mktemp -p $tmpdir ".XXXXXXXX")
+if [ ! -w $tmpfile2 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpfile3=$(mktemp)
+if [ ! -w $tmpfile3 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpfile1 $tmpfile2 $tmpfile3 && rmdir $tmpdir" EXIT
+
+RULESET1="add table x"
+
+# an error in a dot file
+RULESET2="intentionally broken file"
+RULESET3="include \"$tmpdir/*\""
+
+echo "$RULESET1" > $tmpfile1
+echo "$RULESET2" > $tmpfile2
+echo "$RULESET3" > $tmpfile3
+
+$NFT -f $tmpfile3
+
+if [ $? -ne 0 ] ; then
+        echo "E: tried to load a .dot file" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/include/0013input_descriptors_included_files_0 b/tests/shell/testcases/include/0013input_descriptors_included_files_0
new file mode 100755
index 0000000..03de50b
--- /dev/null
+++ b/tests/shell/testcases/include/0013input_descriptors_included_files_0
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# This test the changes made in commit id "b14572f72aac".
+# When the commit was not applied, nft pointed to wrong files name.
+# As the commit only fixes the error messages and hence does not change the
+# return value so, we need to compare the "file name" in the error message
+# instead of return value of nft.
+
+
+tmpfile1=$(mktemp -p .)
+if [ ! -w $tmpfile1 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpfile2=$(mktemp -p .)
+if [ ! -w $tmpfile2 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpfile3=$(mktemp -p .)
+if [ ! -w $tmpfile3 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpfile4=$(mktemp -p .)
+if [ ! -w $tmpfile4 ]; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+trap "rm -rf $tmpfile1 $tmpfile2 $tmpfile3 $tmpfile4" EXIT # cleanup if aborted
+
+RULESET1="include \"$tmpfile2\""
+RULESET2="include \"$tmpfile3\""
+RULESET3="add rule x y anything everything"			# wrong nft syntax
+
+
+echo "$RULESET1" > $tmpfile1
+echo "$RULESET2" >> $tmpfile1
+echo "$RULESET3" > $tmpfile2
+
+$NFT -f $tmpfile1 2> $tmpfile4
+
+var=$(awk -F: '$4==" Error"{print $1;exit;}' $tmpfile4)
+
+if [ $var == "$tmpfile3" ]; then
+	echo "E: Test failed" >&2
+	exit 1
+fi
diff --git a/tests/shell/testcases/include/0014glob_directory_0 b/tests/shell/testcases/include/0014glob_directory_0
new file mode 100755
index 0000000..9a2443a
--- /dev/null
+++ b/tests/shell/testcases/include/0014glob_directory_0
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Must not be confused in matched subdirectories.
+
+set -e
+
+tmpdir1=$(mktemp -d)
+if [ ! -d $tmpdir1 ] ; then
+        echo "Failed to create tmp directory" >&2
+        exit 0
+fi
+
+tmpfile1=$(mktemp -p $tmpdir1)
+if [ ! -w $tmpfile1 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpdir2=$(mktemp -p $tmpdir1 -d)
+if [ ! -w $tmpdir2 ] ; then
+        echo "Failed to create the second tmp directory" >&2
+        exit 0
+fi
+
+tmpdir3=$(mktemp -p $tmpdir2 -d)
+if [ ! -w $tmpdir3 ] ; then
+        echo "Failed to create the third tmp directory" >&2
+        exit 0
+fi
+
+# cleanup if aborted
+trap "rm -rf $tmpfile1 && rmdir $tmpdir3 && rmdir $tmpdir2 && rmdir $tmpdir1" EXIT
+
+RULESET1="include \"$tmpdir2/*\""
+
+echo "$RULESET1" > $tmpfile1
+
+$NFT -f $tmpfile1
+
+if [ $? -ne 0 ] ; then
+        echo "E: tried to include a matched directory" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/include/0015doubleincludepath_0 b/tests/shell/testcases/include/0015doubleincludepath_0
new file mode 100755
index 0000000..db70346
--- /dev/null
+++ b/tests/shell/testcases/include/0015doubleincludepath_0
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpdir1=$(mktemp -d)
+if [ ! -d $tmpdir1 ] ; then
+        echo "Failed to create tmp directory" >&2
+        exit 0
+fi
+
+tmpdir2=$(mktemp -d)
+if [ ! -d $tmpdir2 ] ; then
+        echo "Failed to create tmp directory" >&2
+        exit 0
+fi
+
+tmpfile1=$(mktemp -p $tmpdir1)
+if [ ! -w $tmpfile1 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpfile2=$(mktemp -p $tmpdir2)
+if [ ! -w $tmpfile2 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+trap "rm -rf $tmpdfile $tmpfile1 $tmpfile2 && rmdir $tmpdir1 && rmdir $tmpdir2" EXIT # cleanup if aborted
+
+RULESET1="add table x"
+RULESET2="add chain x y"
+RULESET3=" \
+include \"$(basename $tmpfile1)\"
+include \"$(basename $tmpfile2)\"
+"
+
+echo "$RULESET1" > $tmpfile1
+echo "$RULESET2" > $tmpfile2
+echo "$RULESET3" > $tmpfile
+
+$NFT -I $tmpdir1 -I $tmpdir2 -f $tmpfile
+if [ $? -ne 0 ] ; then
+	echo "E: unable to load good ruleset" >&2
+	exit 1
+fi
diff --git a/tests/shell/testcases/include/0016maxdepth_0 b/tests/shell/testcases/include/0016maxdepth_0
new file mode 100755
index 0000000..89eb13c
--- /dev/null
+++ b/tests/shell/testcases/include/0016maxdepth_0
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+
+echo 'include "/tmp/rules.nft"' > $tmpfile
+$NFT -f $tmpfile || exit 0
diff --git a/tests/shell/testcases/include/0017glob_more_than_maxdepth_1 b/tests/shell/testcases/include/0017glob_more_than_maxdepth_1
new file mode 100755
index 0000000..6499bcc
--- /dev/null
+++ b/tests/shell/testcases/include/0017glob_more_than_maxdepth_1
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 0
+fi
+
+tmpdir1=$(mktemp -d)
+if [ ! -d $tmpdir1 ] ; then
+        echo "Failed to create tmp directory" >&2
+        exit 0
+fi
+
+tmpfiles=""
+for i in `seq -w 1 32`; do
+        tmpfile2=$(mktemp -p $tmpdir1)
+        if [ ! -w $tmpfile2 ] ; then
+                echo "Failed to create tmp file" >&2
+                exit 0
+        fi
+        tmpfiles="$tmpfiles $tmpfile2"
+done
+
+trap "rm -rf $tmpfile $tmpfiles && rmdir $tmpdir1" EXIT # cleanup if aborted
+
+RULESET=" \
+include \"$tmpdir1/*\"
+"
+
+echo "$RULESET" > $tmpfile
+
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+	echo "E: unable to load good ruleset" >&2
+	exit 1
+fi
diff --git a/tests/shell/testcases/include/0018include_error_0 b/tests/shell/testcases/include/0018include_error_0
new file mode 100755
index 0000000..ae2dba3
--- /dev/null
+++ b/tests/shell/testcases/include/0018include_error_0
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+tmpfile1=$(mktemp)
+if [ ! -w $tmpfile1 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 1
+fi
+
+touch $tmpfile1
+
+RULESET="include \"$tmpfile1\"
+)
+"
+
+tmpfile2=$(mktemp)
+if [ ! -w $tmpfile2 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 1
+fi
+
+tmpfile3=$(mktemp)
+if [ ! -w $tmpfile3 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 1
+fi
+
+echo "/dev/stdin:2:1-1: Error: syntax error, unexpected ')'
+)
+^" > $tmpfile3
+
+$NFT -I/tmp/ -f - <<< "$RULESET" 2> $tmpfile2
+$DIFF -u $tmpfile2 $tmpfile3
+
+rm $tmpfile1 $tmpfile2 $tmpfile3
diff --git a/tests/shell/testcases/include/0019include_error_0 b/tests/shell/testcases/include/0019include_error_0
new file mode 100755
index 0000000..4b84a57
--- /dev/null
+++ b/tests/shell/testcases/include/0019include_error_0
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+tmpfile1=$(mktemp)
+if [ ! -w $tmpfile1 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 1
+fi
+
+tmpfile2=$(mktemp)
+if [ ! -w $tmpfile2 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 1
+fi
+
+echo "(" >> $tmpfile2
+
+tmpdir=$(mktemp -d)
+
+echo "include \"$tmpfile2\"
+include \"$tmpdir/*.nft\"
+x" > $tmpfile1
+
+echo "=" > $tmpdir/1.nft
+echo ")" > $tmpdir/2.nft
+echo "-" > $tmpdir/3.nft
+
+tmpfile3=$(mktemp)
+if [ ! -w $tmpfile3 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 1
+fi
+
+echo "In file included from $tmpfile1:1:1-30:
+$tmpfile2:1:1-1: Error: syntax error, unexpected '('
+(
+^
+In file included from $tmpfile1:2:1-36:
+$tmpdir/1.nft:1:1-1: Error: syntax error, unexpected '='
+=
+^
+In file included from $tmpfile1:2:1-36:
+$tmpdir/2.nft:1:1-1: Error: syntax error, unexpected ')'
+)
+^
+In file included from $tmpfile1:2:1-36:
+$tmpdir/3.nft:1:1-1: Error: syntax error, unexpected -
+-
+^
+$tmpfile1:3:2-2: Error: syntax error, unexpected newline, expecting string
+x
+ ^" > $tmpfile3
+
+tmpfile4=$(mktemp)
+if [ ! -w $tmpfile4 ] ; then
+        echo "Failed to create tmp file" >&2
+        exit 1
+fi
+
+$NFT -I/tmp/ -f $tmpfile1 2> $tmpfile4
+$DIFF -u $tmpfile3 $tmpfile4
+
+rm $tmpfile1 $tmpfile2 $tmpfile3 $tmpfile4
+rm -r $tmpdir
diff --git a/tests/shell/testcases/include/0020include_chain_0 b/tests/shell/testcases/include/0020include_chain_0
new file mode 100755
index 0000000..8f78e8c
--- /dev/null
+++ b/tests/shell/testcases/include/0020include_chain_0
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e
+
+tmpfile1=$(mktemp -p .)
+if [ ! -w $tmpfile1 ] ; then
+	echo "Failed to create tmp file" >&2
+	exit 0
+fi
+
+trap "rm -rf $tmpfile1" EXIT # cleanup if aborted
+
+RULESET="table inet filter { }
+include \"$tmpfile1\""
+
+RULESET2="chain inet filter input2 {
+	type filter hook input priority filter; policy accept;
+	ip saddr 1.2.3.4 tcp dport { 22, 443, 123 } drop
+}"
+
+echo "$RULESET2" > $tmpfile1
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/include/dumps/0001absolute_0.nft b/tests/shell/testcases/include/dumps/0001absolute_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0001absolute_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/include/dumps/0002relative_0.nft b/tests/shell/testcases/include/dumps/0002relative_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0002relative_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/include/dumps/0003includepath_0.nft b/tests/shell/testcases/include/dumps/0003includepath_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0003includepath_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/include/dumps/0004endlessloop_1.nft b/tests/shell/testcases/include/dumps/0004endlessloop_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0004endlessloop_1.nft
diff --git a/tests/shell/testcases/include/dumps/0005glob_empty_0.nft b/tests/shell/testcases/include/dumps/0005glob_empty_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0005glob_empty_0.nft
diff --git a/tests/shell/testcases/include/dumps/0006glob_single_0.nft b/tests/shell/testcases/include/dumps/0006glob_single_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0006glob_single_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/include/dumps/0007glob_double_0.nft b/tests/shell/testcases/include/dumps/0007glob_double_0.nft
new file mode 100644
index 0000000..e4e5f9b
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0007glob_double_0.nft
@@ -0,0 +1,4 @@
+table ip x {
+}
+table ip y {
+}
diff --git a/tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.nft b/tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0008glob_nofile_wildcard_0.nft
diff --git a/tests/shell/testcases/include/dumps/0009glob_nofile_1.nft b/tests/shell/testcases/include/dumps/0009glob_nofile_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0009glob_nofile_1.nft
diff --git a/tests/shell/testcases/include/dumps/0010glob_broken_file_1.nft b/tests/shell/testcases/include/dumps/0010glob_broken_file_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0010glob_broken_file_1.nft
diff --git a/tests/shell/testcases/include/dumps/0011glob_dependency_0.nft b/tests/shell/testcases/include/dumps/0011glob_dependency_0.nft
new file mode 100644
index 0000000..8e818d2
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0011glob_dependency_0.nft
@@ -0,0 +1,4 @@
+table ip x {
+	chain y {
+	}
+}
diff --git a/tests/shell/testcases/include/dumps/0012glob_dependency_1.nft b/tests/shell/testcases/include/dumps/0012glob_dependency_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0012glob_dependency_1.nft
diff --git a/tests/shell/testcases/include/dumps/0013glob_dotfile_0.nft b/tests/shell/testcases/include/dumps/0013glob_dotfile_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0013glob_dotfile_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.nft b/tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0013input_descriptors_included_files_0.nft
diff --git a/tests/shell/testcases/include/dumps/0014glob_directory_0.nft b/tests/shell/testcases/include/dumps/0014glob_directory_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0014glob_directory_0.nft
diff --git a/tests/shell/testcases/include/dumps/0015doubleincludepath_0.nft b/tests/shell/testcases/include/dumps/0015doubleincludepath_0.nft
new file mode 100644
index 0000000..8e818d2
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0015doubleincludepath_0.nft
@@ -0,0 +1,4 @@
+table ip x {
+	chain y {
+	}
+}
diff --git a/tests/shell/testcases/include/dumps/0016maxdepth_0.nft b/tests/shell/testcases/include/dumps/0016maxdepth_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0016maxdepth_0.nft
diff --git a/tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.nft b/tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0017glob_more_than_maxdepth_1.nft
diff --git a/tests/shell/testcases/include/dumps/0018include_error_0.nft b/tests/shell/testcases/include/dumps/0018include_error_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0018include_error_0.nft
diff --git a/tests/shell/testcases/include/dumps/0019include_error_0.nft b/tests/shell/testcases/include/dumps/0019include_error_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0019include_error_0.nft
diff --git a/tests/shell/testcases/include/dumps/0020include_chain_0.nft b/tests/shell/testcases/include/dumps/0020include_chain_0.nft
new file mode 100644
index 0000000..3ad6db1
--- /dev/null
+++ b/tests/shell/testcases/include/dumps/0020include_chain_0.nft
@@ -0,0 +1,6 @@
+table inet filter {
+	chain input2 {
+		type filter hook input priority filter; policy accept;
+		ip saddr 1.2.3.4 tcp dport { 22, 123, 443 } drop
+	}
+}
diff --git a/tests/shell/testcases/json/0001set_statements_0 b/tests/shell/testcases/json/0001set_statements_0
new file mode 100755
index 0000000..fc4941f
--- /dev/null
+++ b/tests/shell/testcases/json/0001set_statements_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "testt", "handle": 3}}, {"set": {"family": "ip", "name": "ssh_meter", "table": "testt", "type": "ipv4_addr", "handle": 2, "size": 65535}}, {"chain": {"family": "ip", "table": "testt", "name": "testc", "handle": 1, "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}}, {"rule": {"family": "ip", "table": "testt", "chain": "testc", "handle": 3, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 22}}, {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"set": {"op": "add", "elem": {"payload": {"protocol": "ip", "field": "saddr"}}, "stmt": [{"limit": {"rate": 10, "burst": 5, "per": "second"}}], "set": "@ssh_meter"}}, {"accept": null}]}}]}'
+
+$NFT -j -f - <<< $RULESET
diff --git a/tests/shell/testcases/json/0002table_map_0 b/tests/shell/testcases/json/0002table_map_0
new file mode 100755
index 0000000..b375e99
--- /dev/null
+++ b/tests/shell/testcases/json/0002table_map_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "t", "handle": 4}}, {"map": {"family": "ip", "name": "m", "table": "t", "type": "ipv4_addr", "handle": 1, "map": "mark", "stmt": [{"counter": {"packets": 0, "bytes": 0}}]}}]}'
+
+$NFT -j -f - <<< $RULESET
diff --git a/tests/shell/testcases/json/0003json_schema_version_0 b/tests/shell/testcases/json/0003json_schema_version_0
new file mode 100755
index 0000000..43f387a
--- /dev/null
+++ b/tests/shell/testcases/json/0003json_schema_version_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"json_schema_version": 1}}]}'
+
+$NFT -j -f - <<< $RULESET
diff --git a/tests/shell/testcases/json/0004json_schema_version_1 b/tests/shell/testcases/json/0004json_schema_version_1
new file mode 100755
index 0000000..0f8d586
--- /dev/null
+++ b/tests/shell/testcases/json/0004json_schema_version_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"json_schema_version": 999}}]}'
+
+$NFT -j -f - <<< $RULESET && exit 1
+
+exit 0
diff --git a/tests/shell/testcases/json/0005secmark_objref_0 b/tests/shell/testcases/json/0005secmark_objref_0
new file mode 100755
index 0000000..992d1b0
--- /dev/null
+++ b/tests/shell/testcases/json/0005secmark_objref_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "inet", "name": "x", "handle": 4}}, {"secmark": {"family": "inet", "name": "ssh_server", "table": "x", "handle": 1, "context": "system_u:object_r:ssh_server_packet_t:s0"}}, {"chain": {"family": "inet", "table": "x", "name": "y", "handle": 2, "type": "filter", "hook": "input", "prio": -225, "policy": "accept"}}, {"chain": {"family": "inet", "table": "x", "name": "z", "handle": 3, "type": "filter", "hook": "output", "prio": 225, "policy": "accept"}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 4, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 2222}}, {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"secmark": "ssh_server"}]}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 5, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"mangle": {"key": {"ct": {"key": "secmark"}}, "value": {"meta": {"key": "secmark"}}}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 6, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": ["established", "related"]}}, {"mangle": {"key": {"meta": {"key": "secmark"}}, "value": {"ct": {"key": "secmark"}}}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "z", "handle": 7, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"mangle": {"key": {"ct": {"key": "secmark"}}, "value": {"meta": {"key": "secmark"}}}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "z", "handle": 8, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": ["established", "related"]}}, {"mangle": {"key": {"meta": {"key": "secmark"}}, "value": {"ct": {"key": "secmark"}}}}]}}]}'
+
+$NFT -j -f - <<< $RULESET
diff --git a/tests/shell/testcases/json/0006obj_comment_0 b/tests/shell/testcases/json/0006obj_comment_0
new file mode 100755
index 0000000..4c2a0e8
--- /dev/null
+++ b/tests/shell/testcases/json/0006obj_comment_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "inet", "name": "t", "handle": 9}}, {"counter": {"family": "inet", "name": "mycounter", "table": "t", "handle": 1, "comment": "my comment in counter", "packets": 0, "bytes": 0}}]}'
+
+$NFT -j -f - <<< $RULESET
diff --git a/tests/shell/testcases/json/dumps/0001set_statements_0.nft b/tests/shell/testcases/json/dumps/0001set_statements_0.nft
new file mode 100644
index 0000000..d80a432
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0001set_statements_0.nft
@@ -0,0 +1,12 @@
+table ip testt {
+	set ssh_meter {
+		type ipv4_addr
+		size 65535
+		flags dynamic
+	}
+
+	chain testc {
+		type filter hook input priority filter; policy accept;
+		tcp dport 22 ct state new add @ssh_meter { ip saddr limit rate 10/second burst 5 packets } accept
+	}
+}
diff --git a/tests/shell/testcases/json/dumps/0002table_map_0.nft b/tests/shell/testcases/json/dumps/0002table_map_0.nft
new file mode 100644
index 0000000..357e92c
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0002table_map_0.nft
@@ -0,0 +1,6 @@
+table ip t {
+	map m {
+		type ipv4_addr : mark
+		counter
+	}
+}
diff --git a/tests/shell/testcases/json/dumps/0003json_schema_version_0.nft b/tests/shell/testcases/json/dumps/0003json_schema_version_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0003json_schema_version_0.nft
diff --git a/tests/shell/testcases/json/dumps/0004json_schema_version_1.nft b/tests/shell/testcases/json/dumps/0004json_schema_version_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0004json_schema_version_1.nft
diff --git a/tests/shell/testcases/json/dumps/0005secmark_objref_0.nft b/tests/shell/testcases/json/dumps/0005secmark_objref_0.nft
new file mode 100644
index 0000000..4c218e9
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0005secmark_objref_0.nft
@@ -0,0 +1,18 @@
+table inet x {
+	secmark ssh_server {
+		"system_u:object_r:ssh_server_packet_t:s0"
+	}
+
+	chain y {
+		type filter hook input priority -225; policy accept;
+		tcp dport 2222 ct state new meta secmark set "ssh_server"
+		ct state new ct secmark set meta secmark
+		ct state established,related meta secmark set ct secmark
+	}
+
+	chain z {
+		type filter hook output priority 225; policy accept;
+		ct state new ct secmark set meta secmark
+		ct state established,related meta secmark set ct secmark
+	}
+}
diff --git a/tests/shell/testcases/json/dumps/0006obj_comment_0.nft b/tests/shell/testcases/json/dumps/0006obj_comment_0.nft
new file mode 100644
index 0000000..e52b21b
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0006obj_comment_0.nft
@@ -0,0 +1,6 @@
+table inet t {
+	counter mycounter {
+		comment "my comment in counter"
+		packets 0 bytes 0
+	}
+}
diff --git a/tests/shell/testcases/json/dumps/netdev.nft b/tests/shell/testcases/json/dumps/netdev.nft
new file mode 100644
index 0000000..3c568ed
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/netdev.nft
@@ -0,0 +1,2 @@
+table netdev test_table {
+}
diff --git a/tests/shell/testcases/json/netdev b/tests/shell/testcases/json/netdev
new file mode 100755
index 0000000..8c16cf4
--- /dev/null
+++ b/tests/shell/testcases/json/netdev
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+iface_cleanup() {
+	ip link del d0 &>/dev/null || :
+}
+trap 'iface_cleanup' EXIT
+iface_cleanup
+
+ip link add d0 type dummy
+
+$NFT flush ruleset
+$NFT add table inet test
+$NFT add chain inet test c
+
+$NFT flush ruleset
+
+RULESET='{"nftables":[{"flush":{"ruleset":null}},{"add":{"table":{"family":"netdev","name":"test_table"}}},{"add":{"chain":{"family":"netdev","table":"test_table","name":"test_chain","type":"filter","hook":"ingress","prio":0,"dev":"d0","policy":"accept"}}}]}'
+
+if [ "$NFT_TEST_HAVE_json" != n ]; then
+	$NFT -j -f - <<< $RULESET
+fi
+
+if [ "$NFT_TEST_HAVE_json" = n ]; then
+	echo "Test partially skipped due to missing JSON support."
+	exit 77
+fi
diff --git a/tests/shell/testcases/listing/0001ruleset_0 b/tests/shell/testcases/listing/0001ruleset_0
new file mode 100755
index 0000000..19cb3b0
--- /dev/null
+++ b/tests/shell/testcases/listing/0001ruleset_0
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# list ruleset shows a table
+
+set -e
+
+$NFT add table test
diff --git a/tests/shell/testcases/listing/0002ruleset_0 b/tests/shell/testcases/listing/0002ruleset_0
new file mode 100755
index 0000000..b4a535c
--- /dev/null
+++ b/tests/shell/testcases/listing/0002ruleset_0
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# list ruleset show nothing if empty ruleset
+
+EXPECTED=""
+
+set -e
diff --git a/tests/shell/testcases/listing/0003table_0 b/tests/shell/testcases/listing/0003table_0
new file mode 100755
index 0000000..5060be0
--- /dev/null
+++ b/tests/shell/testcases/listing/0003table_0
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# list table show what is expected
+
+EXPECTED="table ip test {
+}"
+
+set -e
+
+$NFT add table test
+
+GET="$($NFT list table test)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
+
+# also this way
+GET="$($NFT list table ip test)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/listing/0004table_0 b/tests/shell/testcases/listing/0004table_0
new file mode 100755
index 0000000..1d69119
--- /dev/null
+++ b/tests/shell/testcases/listing/0004table_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# list table only show table asked for
+
+EXPECTED="table ip test {
+}"
+
+set -e
+
+$NFT add table test
+$NFT add table test2
+
+GET="$($NFT list table test)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
+
diff --git a/tests/shell/testcases/listing/0005ruleset_ip_0 b/tests/shell/testcases/listing/0005ruleset_ip_0
new file mode 100755
index 0000000..39c0328
--- /dev/null
+++ b/tests/shell/testcases/listing/0005ruleset_ip_0
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# listing ruleset per family
+
+EXPECTED="table ip test {
+}"
+
+set -e
+
+$NFT add table ip test
+$NFT add table ip6 test
+$NFT add table inet test
+$NFT add table arp test
+$NFT add table bridge test
+
+GET="$($NFT list ruleset ip)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/listing/0006ruleset_ip6_0 b/tests/shell/testcases/listing/0006ruleset_ip6_0
new file mode 100755
index 0000000..1b67f50
--- /dev/null
+++ b/tests/shell/testcases/listing/0006ruleset_ip6_0
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# listing ruleset per family
+
+EXPECTED="table ip6 test {
+}"
+
+set -e
+
+$NFT add table ip test
+$NFT add table ip6 test
+$NFT add table inet test
+$NFT add table arp test
+$NFT add table bridge test
+
+GET="$($NFT list ruleset ip6)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/listing/0007ruleset_inet_0 b/tests/shell/testcases/listing/0007ruleset_inet_0
new file mode 100755
index 0000000..257c7a9
--- /dev/null
+++ b/tests/shell/testcases/listing/0007ruleset_inet_0
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# listing ruleset per family
+
+EXPECTED="table inet test {
+}"
+
+set -e
+
+$NFT add table ip test
+$NFT add table ip6 test
+$NFT add table inet test
+$NFT add table arp test
+$NFT add table bridge test
+
+GET="$($NFT list ruleset inet)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/listing/0008ruleset_arp_0 b/tests/shell/testcases/listing/0008ruleset_arp_0
new file mode 100755
index 0000000..be42c47
--- /dev/null
+++ b/tests/shell/testcases/listing/0008ruleset_arp_0
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# listing ruleset per family
+
+EXPECTED="table arp test {
+}"
+
+set -e
+
+$NFT add table ip test
+$NFT add table ip6 test
+$NFT add table inet test
+$NFT add table arp test
+$NFT add table bridge test
+
+GET="$($NFT list ruleset arp)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/listing/0009ruleset_bridge_0 b/tests/shell/testcases/listing/0009ruleset_bridge_0
new file mode 100755
index 0000000..c6a99f5
--- /dev/null
+++ b/tests/shell/testcases/listing/0009ruleset_bridge_0
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# listing ruleset per family
+
+EXPECTED="table bridge test {
+}"
+
+set -e
+
+$NFT add table ip test
+$NFT add table ip6 test
+$NFT add table inet test
+$NFT add table arp test
+$NFT add table bridge test
+
+GET="$($NFT list ruleset bridge)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/listing/0010sets_0 b/tests/shell/testcases/listing/0010sets_0
new file mode 100755
index 0000000..0f5f2bd
--- /dev/null
+++ b/tests/shell/testcases/listing/0010sets_0
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+# listing all sets
+
+EXPECTED="table ip nat {
+	set ssh {
+		type ipv4_addr
+	}
+}
+table ip6 test {
+	set testset {
+		type ipv6_addr
+	}
+}
+table arp test_arp {
+	set test_set_arp00 {
+		type inet_service
+	}
+	set test_set_arp01 {
+		type inet_service
+		flags constant
+	}
+}
+table bridge test_bridge {
+	set test_set_bridge {
+		type inet_service
+	}
+}
+table inet filter {
+	set set0 {
+		type inet_service
+	}
+	set set1 {
+		type inet_service
+		flags constant
+	}
+	set set2 {
+		type icmpv6_type
+	}
+}"
+
+set -e
+
+$NFT add table ip nat
+$NFT add set ip nat ssh { type ipv4_addr \; }
+$NFT add table ip6 test
+$NFT add set ip6 test testset { type ipv6_addr \; }
+$NFT add table arp test_arp
+$NFT add set arp test_arp test_set_arp00 { type inet_service \; }
+$NFT add set arp test_arp test_set_arp01 { type inet_service \; flags constant \; }
+$NFT add table bridge test_bridge
+$NFT add set bridge test_bridge test_set_bridge { type inet_service \; }
+$NFT add table inet filter
+$NFT add set inet filter set0 { type inet_service \; }
+$NFT add set inet filter set1 { type inet_service \; flags constant \; }
+$NFT add set inet filter set2 { type icmpv6_type \; }
+
+GET="$($NFT list sets)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/listing/0011sets_0 b/tests/shell/testcases/listing/0011sets_0
new file mode 100755
index 0000000..b6f12b5
--- /dev/null
+++ b/tests/shell/testcases/listing/0011sets_0
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# listing all sets, no anonymous sets allowed
+
+EXPECTED="table ip nat {
+}
+table ip6 test {
+}
+table arp test_arp {
+}
+table bridge test_bridge {
+}
+table inet filter {
+}"
+
+set -e
+
+$NFT add table ip nat
+$NFT add chain ip nat test
+$NFT add rule ip nat test tcp dport {123, 321}
+
+$NFT add table ip6 test
+$NFT add chain ip6 test test
+$NFT add rule ip6 test test udp sport {123, 321}
+
+$NFT add table arp test_arp
+$NFT add chain arp test_arp test
+$NFT add rule arp test_arp test meta mark {123, 321}
+
+$NFT add table bridge test_bridge
+$NFT add chain bridge test_bridge test
+$NFT add rule bridge test_bridge test ip daddr {1.1.1.1, 2.2.2.2}
+
+$NFT add table inet filter
+$NFT add chain inet filter test
+$NFT add rule inet filter test tcp dport {80, 443}
+
+GET="$($NFT list sets)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/listing/0012sets_0 b/tests/shell/testcases/listing/0012sets_0
new file mode 100755
index 0000000..6e4c959
--- /dev/null
+++ b/tests/shell/testcases/listing/0012sets_0
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# listing all sets, filtering by family
+
+EXPECTED="table inet filter {
+	set set0 {
+		type inet_service
+	}
+	set set1 {
+		type inet_service
+		flags constant
+	}
+	set set2 {
+		type icmpv6_type
+	}
+}"
+
+set -e
+
+$NFT add table ip nat
+$NFT add set ip nat ssh { type ipv4_addr \; }
+$NFT add table ip6 test
+$NFT add set ip6 test testset { type ipv6_addr \; }
+$NFT add table arp test_arp
+$NFT add set arp test_arp test_set_arp00 { type inet_service \; }
+$NFT add set arp test_arp test_set_arp01 { type inet_service \; flags constant \; }
+$NFT add table bridge test_bridge
+$NFT add set bridge test_bridge test_set_bridge { type inet_service \; }
+$NFT add table inet filter
+$NFT add set inet filter set0 { type inet_service \; }
+$NFT add set inet filter set1 { type inet_service \; flags constant \; }
+$NFT add set inet filter set2 { type icmpv6_type \; }
+
+GET="$($NFT list sets inet)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/listing/0013objects_0 b/tests/shell/testcases/listing/0013objects_0
new file mode 100755
index 0000000..c78ada9
--- /dev/null
+++ b/tests/shell/testcases/listing/0013objects_0
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table test
+$NFT add chain test input
+$NFT add quota test https-quota 25 mbytes
+$NFT add ct helper test cthelp { type \"sip\" protocol tcp \; }
+if [ "$NFT_TEST_HAVE_cttimeout" != n ] ; then
+	$NFT add ct timeout test cttime { protocol udp \; policy = {replied : 12, unreplied : 15 } \; }
+fi
+if [ "$NFT_TEST_HAVE_ctexpect" != n ] ; then
+	$NFT add ct expectation test ctexpect { protocol tcp \; dport 5432 \; timeout 1h \; size 12 \; }
+fi
+
+if [ "$NFT_TEST_HAVE_cttimeout" = n ] ; then
+	echo "Ran partial test due to NFT_TEST_HAVE_cttimeout=n (skipped)"
+	exit 77
+fi
+if [ "$NFT_TEST_HAVE_ctexpect" = n ] ; then
+	echo "Ran partial test due to NFT_TEST_HAVE_ctexpect=n (skipped)"
+	exit 77
+fi
diff --git a/tests/shell/testcases/listing/0014objects_0 b/tests/shell/testcases/listing/0014objects_0
new file mode 100755
index 0000000..31d94f8
--- /dev/null
+++ b/tests/shell/testcases/listing/0014objects_0
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# list only the object asked for with table
+
+EXPECTED="table ip test {
+	quota https-quota {
+		25 mbytes
+	}
+}"
+
+set -e
+
+$NFT add table test
+$NFT add quota test https-quota 25 mbytes
+$NFT add ct helper test cthelp { type \"sip\" protocol tcp \; }
+$NFT add table test-ip
+
+GET="$($NFT list quotas)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
+
+GET="$($NFT list quota test https-quota)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
+
diff --git a/tests/shell/testcases/listing/0015dynamic_0 b/tests/shell/testcases/listing/0015dynamic_0
new file mode 100755
index 0000000..65fbe62
--- /dev/null
+++ b/tests/shell/testcases/listing/0015dynamic_0
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# list only the object asked for with table
+
+EXPECTED="table ip filter {
+	set test_set {
+		type ipv4_addr . inet_service . ipv4_addr . inet_service . inet_proto
+		size 100000
+		flags dynamic,timeout
+	}
+}"
+
+set -e
+
+$NFT -f - <<< "$EXPECTED"
+
+GET="$($NFT list set ip filter test_set)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
+
+$NFT flush set ip filter test_set
diff --git a/tests/shell/testcases/listing/0016anonymous_0 b/tests/shell/testcases/listing/0016anonymous_0
new file mode 100755
index 0000000..83acbcc
--- /dev/null
+++ b/tests/shell/testcases/listing/0016anonymous_0
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+$NFT add table x
+$NFT add chain x y
+$NFT add rule x y ip saddr { 1.1.1.1 }
+$NFT add rule x y meta mark set ip saddr map { 1.1.1.1 : 2 }
+
+$NFT list set x __set0 &>/dev/null
+ret=$?
+if [ $ret -eq 0 ]
+then
+	exit 1
+fi
+
+$NFT flush set x __set0 &>/dev/null
+ret=$?
+if [ $ret -eq 0 ]
+then
+	exit 1
+fi
+
+$NFT list map x __map0 &>/dev/null
+if [ $ret -eq 0 ]
+then
+	exit 1
+fi
+
+$NFT flush map x __map0 &>/dev/null
+ret=$?
+if [ $ret -eq 0 ]
+then
+	exit 1
+fi
diff --git a/tests/shell/testcases/listing/0017objects_0 b/tests/shell/testcases/listing/0017objects_0
new file mode 100755
index 0000000..c4e72db
--- /dev/null
+++ b/tests/shell/testcases/listing/0017objects_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+EXPECTED="table inet filter {
+	map countermap {
+		type ipv4_addr : counter
+	}
+}"
+
+set -e
+
+$NFT -f - <<< "$EXPECTED"
+$NFT flush map inet filter countermap
+
+GET="$($NFT list map inet filter countermap)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/listing/0018data_0 b/tests/shell/testcases/listing/0018data_0
new file mode 100755
index 0000000..4af253d
--- /dev/null
+++ b/tests/shell/testcases/listing/0018data_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+EXPECTED="table inet filter {
+	map ipmap {
+		type ipv4_addr : ipv4_addr
+	}
+}"
+
+set -e
+
+$NFT -f - <<< "$EXPECTED"
+$NFT flush map inet filter ipmap
+
+GET="$($NFT list map inet filter ipmap)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/listing/0019set_0 b/tests/shell/testcases/listing/0019set_0
new file mode 100755
index 0000000..6e8cb4d
--- /dev/null
+++ b/tests/shell/testcases/listing/0019set_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+EXPECTED="table inet filter {
+	set ipset {
+		type ipv4_addr
+	}
+}"
+
+set -e
+
+$NFT -f - <<< "$EXPECTED"
+$NFT flush set inet filter ipset
+
+GET="$($NFT list set inet filter ipset)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/listing/0020flowtable_0 b/tests/shell/testcases/listing/0020flowtable_0
new file mode 100755
index 0000000..6eb82cf
--- /dev/null
+++ b/tests/shell/testcases/listing/0020flowtable_0
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# list only the flowtable asked for with table
+
+set -e
+
+FLOWTABLES="flowtable f {
+	hook ingress priority filter
+	devices = { lo }
+}
+flowtable f2 {
+	hook ingress priority filter
+	devices = { d0 }
+}"
+
+RULESET="table inet filter {
+	$FLOWTABLES
+}
+table ip filter {
+	$FLOWTABLES
+}"
+
+EXPECTED="table inet filter {
+	flowtable f {
+		hook ingress priority filter
+		devices = { lo }
+	}
+}"
+EXPECTED2="table ip filter {
+	flowtable f2 {
+		hook ingress priority filter
+		devices = { d0 }
+	}
+}"
+EXPECTED3="table ip filter {
+	flowtable f {
+		hook ingress priority filter
+		devices = { lo }
+	}
+	flowtable f2 {
+		hook ingress priority filter
+		devices = { d0 }
+	}
+}"
+
+iface_cleanup() {
+	ip link del d0 &>/dev/null || :
+}
+trap 'iface_cleanup' EXIT
+iface_cleanup
+
+ip link add d0 type dummy
+
+$NFT -f - <<< "$RULESET"
+
+GET="$($NFT list flowtable inet filter f)"
+$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+
+GET="$($NFT list flowtable ip filter f2)"
+$DIFF -u <(echo "$EXPECTED2") <(echo "$GET")
+
+GET="$($NFT list flowtables ip)"
+$DIFF -u <(echo "$EXPECTED3") <(echo "$GET")
diff --git a/tests/shell/testcases/listing/0021ruleset_json_terse_0 b/tests/shell/testcases/listing/0021ruleset_json_terse_0
new file mode 100755
index 0000000..98a7ce8
--- /dev/null
+++ b/tests/shell/testcases/listing/0021ruleset_json_terse_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+$NFT flush ruleset
+$NFT add table ip test
+$NFT add chain ip test c
+$NFT add set ip test s { type ipv4_addr\; }
+$NFT add element ip test s { 192.168.3.4, 192.168.3.5 }
+
+if [ "$NFT_TEST_HAVE_json" != n ]; then
+	if $NFT -j -t list ruleset | grep '192\.168'
+	then
+		exit 1
+	fi
+fi
+
+if [ "$NFT_TEST_HAVE_json" = n ]; then
+    echo "Test partially skipped due to missing JSON support."
+    exit 77
+fi
diff --git a/tests/shell/testcases/listing/0022terse_0 b/tests/shell/testcases/listing/0022terse_0
new file mode 100755
index 0000000..4841771
--- /dev/null
+++ b/tests/shell/testcases/listing/0022terse_0
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+RULESET="table inet filter {
+	set example {
+		type ipv4_addr
+		flags interval
+		elements = { 10.10.10.10, 10.10.11.11 }
+	}
+
+	chain input {
+		type filter hook prerouting priority filter; policy accept;
+		ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop
+	}
+}"
+
+set -e
+
+$NFT -f - <<< "$RULESET"
+
+GET="$($NFT list ruleset)"
+if [ "$RULESET" != "$GET" ] ; then
+	$DIFF -u <(echo "$RULESET") <(echo "$GET")
+	exit 1
+fi
+
+EXPECTED="table inet filter {
+	set example {
+		type ipv4_addr
+		flags interval
+	}
+
+	chain input {
+		type filter hook prerouting priority filter; policy accept;
+		ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop
+	}
+}"
+
+GET="$($NFT -t list ruleset)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
+
+EXPECTED="table inet filter {
+	set example {
+		type ipv4_addr
+		flags interval
+		elements = { 10.10.10.10, 10.10.11.11 }
+	}
+}"
+
+GET="$($NFT list set inet filter example)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
+
+EXPECTED="table inet filter {
+	set example {
+		type ipv4_addr
+		flags interval
+	}
+}"
+
+GET="$($NFT -t list set inet filter example)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/listing/dumps/0001ruleset_0.nft b/tests/shell/testcases/listing/dumps/0001ruleset_0.nft
new file mode 100644
index 0000000..1c9f40c
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0001ruleset_0.nft
@@ -0,0 +1,2 @@
+table ip test {
+}
diff --git a/tests/shell/testcases/listing/dumps/0002ruleset_0.nft b/tests/shell/testcases/listing/dumps/0002ruleset_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0002ruleset_0.nft
diff --git a/tests/shell/testcases/listing/dumps/0003table_0.nft b/tests/shell/testcases/listing/dumps/0003table_0.nft
new file mode 100644
index 0000000..1c9f40c
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0003table_0.nft
@@ -0,0 +1,2 @@
+table ip test {
+}
diff --git a/tests/shell/testcases/listing/dumps/0004table_0.nft b/tests/shell/testcases/listing/dumps/0004table_0.nft
new file mode 100644
index 0000000..56d035d
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0004table_0.nft
@@ -0,0 +1,4 @@
+table ip test {
+}
+table ip test2 {
+}
diff --git a/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.nft b/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.nft
new file mode 100644
index 0000000..c37261b
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0005ruleset_ip_0.nft
@@ -0,0 +1,10 @@
+table ip test {
+}
+table ip6 test {
+}
+table inet test {
+}
+table arp test {
+}
+table bridge test {
+}
diff --git a/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.nft b/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.nft
new file mode 100644
index 0000000..c37261b
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0006ruleset_ip6_0.nft
@@ -0,0 +1,10 @@
+table ip test {
+}
+table ip6 test {
+}
+table inet test {
+}
+table arp test {
+}
+table bridge test {
+}
diff --git a/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.nft b/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.nft
new file mode 100644
index 0000000..c37261b
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0007ruleset_inet_0.nft
@@ -0,0 +1,10 @@
+table ip test {
+}
+table ip6 test {
+}
+table inet test {
+}
+table arp test {
+}
+table bridge test {
+}
diff --git a/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.nft b/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.nft
new file mode 100644
index 0000000..c37261b
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0008ruleset_arp_0.nft
@@ -0,0 +1,10 @@
+table ip test {
+}
+table ip6 test {
+}
+table inet test {
+}
+table arp test {
+}
+table bridge test {
+}
diff --git a/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.nft b/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.nft
new file mode 100644
index 0000000..c37261b
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0009ruleset_bridge_0.nft
@@ -0,0 +1,10 @@
+table ip test {
+}
+table ip6 test {
+}
+table inet test {
+}
+table arp test {
+}
+table bridge test {
+}
diff --git a/tests/shell/testcases/listing/dumps/0010sets_0.nft b/tests/shell/testcases/listing/dumps/0010sets_0.nft
new file mode 100644
index 0000000..7303c40
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0010sets_0.nft
@@ -0,0 +1,39 @@
+table ip nat {
+	set ssh {
+		type ipv4_addr
+	}
+}
+table ip6 test {
+	set testset {
+		type ipv6_addr
+	}
+}
+table arp test_arp {
+	set test_set_arp00 {
+		type inet_service
+	}
+
+	set test_set_arp01 {
+		type inet_service
+		flags constant
+	}
+}
+table bridge test_bridge {
+	set test_set_bridge {
+		type inet_service
+	}
+}
+table inet filter {
+	set set0 {
+		type inet_service
+	}
+
+	set set1 {
+		type inet_service
+		flags constant
+	}
+
+	set set2 {
+		type icmpv6_type
+	}
+}
diff --git a/tests/shell/testcases/listing/dumps/0011sets_0.nft b/tests/shell/testcases/listing/dumps/0011sets_0.nft
new file mode 100644
index 0000000..4d0aeaf
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0011sets_0.nft
@@ -0,0 +1,25 @@
+table ip nat {
+	chain test {
+		tcp dport { 123, 321 }
+	}
+}
+table ip6 test {
+	chain test {
+		udp sport { 123, 321 }
+	}
+}
+table arp test_arp {
+	chain test {
+		meta mark { 0x0000007b, 0x00000141 }
+	}
+}
+table bridge test_bridge {
+	chain test {
+		ip daddr { 1.1.1.1, 2.2.2.2 }
+	}
+}
+table inet filter {
+	chain test {
+		tcp dport { 80, 443 }
+	}
+}
diff --git a/tests/shell/testcases/listing/dumps/0012sets_0.nft b/tests/shell/testcases/listing/dumps/0012sets_0.nft
new file mode 100644
index 0000000..7303c40
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0012sets_0.nft
@@ -0,0 +1,39 @@
+table ip nat {
+	set ssh {
+		type ipv4_addr
+	}
+}
+table ip6 test {
+	set testset {
+		type ipv6_addr
+	}
+}
+table arp test_arp {
+	set test_set_arp00 {
+		type inet_service
+	}
+
+	set test_set_arp01 {
+		type inet_service
+		flags constant
+	}
+}
+table bridge test_bridge {
+	set test_set_bridge {
+		type inet_service
+	}
+}
+table inet filter {
+	set set0 {
+		type inet_service
+	}
+
+	set set1 {
+		type inet_service
+		flags constant
+	}
+
+	set set2 {
+		type icmpv6_type
+	}
+}
diff --git a/tests/shell/testcases/listing/dumps/0013objects_0.nft b/tests/shell/testcases/listing/dumps/0013objects_0.nft
new file mode 100644
index 0000000..427db26
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0013objects_0.nft
@@ -0,0 +1,27 @@
+table ip test {
+	quota https-quota {
+		25 mbytes
+	}
+
+	ct helper cthelp {
+		type "sip" protocol tcp
+		l3proto ip
+	}
+
+	ct timeout cttime {
+		protocol udp
+		l3proto ip
+		policy = { unreplied : 15s, replied : 12s }
+	}
+
+	ct expectation ctexpect {
+		protocol tcp
+		dport 5432
+		timeout 1h
+		size 12
+		l3proto ip
+	}
+
+	chain input {
+	}
+}
diff --git a/tests/shell/testcases/listing/dumps/0014objects_0.nft b/tests/shell/testcases/listing/dumps/0014objects_0.nft
new file mode 100644
index 0000000..9281a1a
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0014objects_0.nft
@@ -0,0 +1,12 @@
+table ip test {
+	quota https-quota {
+		25 mbytes
+	}
+
+	ct helper cthelp {
+		type "sip" protocol tcp
+		l3proto ip
+	}
+}
+table ip test-ip {
+}
diff --git a/tests/shell/testcases/listing/dumps/0015dynamic_0.nft b/tests/shell/testcases/listing/dumps/0015dynamic_0.nft
new file mode 100644
index 0000000..0f4244b
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0015dynamic_0.nft
@@ -0,0 +1,7 @@
+table ip filter {
+	set test_set {
+		type ipv4_addr . inet_service . ipv4_addr . inet_service . inet_proto
+		size 100000
+		flags dynamic,timeout
+	}
+}
diff --git a/tests/shell/testcases/listing/dumps/0016anonymous_0.nft b/tests/shell/testcases/listing/dumps/0016anonymous_0.nft
new file mode 100644
index 0000000..cb08933
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0016anonymous_0.nft
@@ -0,0 +1,6 @@
+table ip x {
+	chain y {
+		ip saddr 1.1.1.1
+		meta mark set ip saddr map { 1.1.1.1 : 0x00000002 }
+	}
+}
diff --git a/tests/shell/testcases/listing/dumps/0017objects_0.nft b/tests/shell/testcases/listing/dumps/0017objects_0.nft
new file mode 100644
index 0000000..e60e3af
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0017objects_0.nft
@@ -0,0 +1,5 @@
+table inet filter {
+	map countermap {
+		type ipv4_addr : counter
+	}
+}
diff --git a/tests/shell/testcases/listing/dumps/0018data_0.nft b/tests/shell/testcases/listing/dumps/0018data_0.nft
new file mode 100644
index 0000000..5d31855
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0018data_0.nft
@@ -0,0 +1,5 @@
+table inet filter {
+	map ipmap {
+		type ipv4_addr : ipv4_addr
+	}
+}
diff --git a/tests/shell/testcases/listing/dumps/0019set_0.nft b/tests/shell/testcases/listing/dumps/0019set_0.nft
new file mode 100644
index 0000000..915922c
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0019set_0.nft
@@ -0,0 +1,5 @@
+table inet filter {
+	set ipset {
+		type ipv4_addr
+	}
+}
diff --git a/tests/shell/testcases/listing/dumps/0020flowtable_0.nft b/tests/shell/testcases/listing/dumps/0020flowtable_0.nft
new file mode 100644
index 0000000..4a64e53
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0020flowtable_0.nft
@@ -0,0 +1,20 @@
+table inet filter {
+	flowtable f {
+		hook ingress priority filter
+		devices = { lo }
+	}
+
+	flowtable f2 {
+		hook ingress priority filter
+	}
+}
+table ip filter {
+	flowtable f {
+		hook ingress priority filter
+		devices = { lo }
+	}
+
+	flowtable f2 {
+		hook ingress priority filter
+	}
+}
diff --git a/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.nft b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.nft
new file mode 100644
index 0000000..13c8ac6
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0021ruleset_json_terse_0.nft
@@ -0,0 +1,9 @@
+table ip test {
+	set s {
+		type ipv4_addr
+		elements = { 192.168.3.4, 192.168.3.5 }
+	}
+
+	chain c {
+	}
+}
diff --git a/tests/shell/testcases/listing/dumps/0022terse_0.nft b/tests/shell/testcases/listing/dumps/0022terse_0.nft
new file mode 100644
index 0000000..40665cb
--- /dev/null
+++ b/tests/shell/testcases/listing/dumps/0022terse_0.nft
@@ -0,0 +1,12 @@
+table inet filter {
+	set example {
+		type ipv4_addr
+		flags interval
+		elements = { 10.10.10.10, 10.10.11.11 }
+	}
+
+	chain input {
+		type filter hook prerouting priority filter; policy accept;
+		ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop
+	}
+}
diff --git a/tests/shell/testcases/maps/0003map_add_many_elements_0 b/tests/shell/testcases/maps/0003map_add_many_elements_0
new file mode 100755
index 0000000..2b254c5
--- /dev/null
+++ b/tests/shell/testcases/maps/0003map_add_many_elements_0
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# test adding many map elements
+
+HOWMANY=31
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+	echo "Failed to create tmp file" >&2
+	exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+generate_add() {
+	echo -n "{"
+	for ((i=HOWMANY; i>=1; i--)) ; do
+		for ((j=HOWMANY; j>=1; j--)) ; do
+			[ "$i" == 1 ] && [ "$j" == 1 ] && break
+			echo -n "10.0.${i}.${j} : 10.0.${i}.${j}, "
+		done
+	done
+	echo -n "}"
+}
+
+generate_test() {
+	count=0
+	elements=""
+	for ((i=1; i<=HOWMANY; i++)) ; do
+		for ((j=1; j<=HOWMANY; j++)) ; do
+			((count++))
+			elements="${elements}10.0.${i}.${j} : 10.0.${i}.${j}"
+			[ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break
+			if [ "$count" == "2" ] ; then
+				count=0
+				elements="${elements},\\n\\t\\t\\t     "
+			else
+				elements="${elements}, "
+			fi
+		done
+	done
+	echo -e "$elements"
+}
+
+echo "add table x
+add map x y { type ipv4_addr : ipv4_addr; }
+add element x y $(generate_add)" > $tmpfile
+
+set -e
+$NFT -f $tmpfile
+
+n=$HOWMANY
+echo "add element x y { 10.0.1.1 : 10.0.1.1 }" > $tmpfile
+$NFT -f $tmpfile
+
+EXPECTED="table ip x {
+	map y {
+		type ipv4_addr : ipv4_addr
+		elements = { "$(generate_test)" }
+	}
+}"
+GET=$($NFT list ruleset)
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
+
diff --git a/tests/shell/testcases/maps/0004interval_map_create_once_0 b/tests/shell/testcases/maps/0004interval_map_create_once_0
new file mode 100755
index 0000000..64f434a
--- /dev/null
+++ b/tests/shell/testcases/maps/0004interval_map_create_once_0
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# test adding many elements to an interval map
+# this always works because nft is only called once
+
+HOWMANY=63
+
+if [ "$NFT_TEST_SKIP_slow" = y ] ; then
+	HOWMANY=5
+fi
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+	echo "Failed to create tmp file" >&2
+	exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+generate_add() {
+	echo -n "{"
+	for ((i=1; i<=HOWMANY; i++)) ; do
+		for ((j=1; j<=HOWMANY; j++)) ; do
+			echo -n "10.${i}.${j}.0/24 : 10.0.${i}.${j}"
+			[ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break
+			echo -n ", "
+		done
+	done
+	echo -n "}"
+}
+
+generate_test() {
+	count=0
+	elements=""
+	for ((i=1; i<=HOWMANY; i++)) ; do
+		for ((j=1; j<=HOWMANY; j++)) ; do
+			((count++))
+			elements="${elements}10.${i}.${j}.0/24 : 10.0.${i}.${j}"
+			[ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break
+			if [ "$count" == "2" ] ; then
+				count=0
+				elements="${elements},\\n\\t\\t\\t     "
+			else
+				elements="${elements}, "
+			fi
+		done
+	done
+	echo -e "$elements"
+}
+
+echo "add table x
+add map x y { type ipv4_addr : ipv4_addr; flags interval; }
+add element x y $(generate_add)" > $tmpfile
+
+set -e
+$NFT -f $tmpfile
+
+EXPECTED="table ip x {
+	map y {
+		type ipv4_addr : ipv4_addr
+		flags interval
+		elements = { "$(generate_test)" }
+	}
+}"
+GET=$($NFT list ruleset)
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
+
+if [ "$HOWMANY" != 63 ] ; then
+	echo "Run a partial test due to NFT_TEST_SKIP_slow=y. Skip"
+	exit 77
+fi
diff --git a/tests/shell/testcases/maps/0005interval_map_add_many_elements_0 b/tests/shell/testcases/maps/0005interval_map_add_many_elements_0
new file mode 100755
index 0000000..0714963
--- /dev/null
+++ b/tests/shell/testcases/maps/0005interval_map_add_many_elements_0
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+# test adding many elements to an interval map
+# even with HOWMANY=2 there are memory allocation failures in the current
+# master - the patch fixes that
+# NOTE this is only an issue with two separate nft calls
+
+HOWMANY=2
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+	echo "Failed to create tmp file" >&2
+	exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+generate_add() {
+	echo -n "{"
+	for ((i=1; i<=HOWMANY; i++)) ; do
+		for ((j=1; j<=HOWMANY; j++)) ; do
+			[ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break
+			echo -n "10.${i}.${j}.0/24 : 10.0.${i}.${j}, "
+		done
+	done
+	echo -n "}"
+}
+
+generate_test() {
+	count=0
+	elements=""
+	for ((i=1; i<=HOWMANY; i++)) ; do
+		for ((j=1; j<=HOWMANY; j++)) ; do
+			((count++))
+			elements="${elements}10.${i}.${j}.0/24 : 10.0.${i}.${j}"
+			[ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break
+			if [ "$count" == "2" ] ; then
+				count=0
+				elements="${elements},\\n\\t\\t\\t     "
+			else
+				elements="${elements}, "
+			fi
+		done
+	done
+	echo -e "$elements"
+}
+
+echo "add table x
+add map x y { type ipv4_addr : ipv4_addr; flags interval; }
+add element x y $(generate_add)" > $tmpfile
+
+set -e
+$NFT -f $tmpfile
+
+n=$HOWMANY
+echo "add element x y { 10.${n}.${n}.0/24 : 10.0.${n}.${n} }" > $tmpfile
+
+$NFT -f $tmpfile
diff --git a/tests/shell/testcases/maps/0006interval_map_overlap_0 b/tests/shell/testcases/maps/0006interval_map_overlap_0
new file mode 100755
index 0000000..4606ce3
--- /dev/null
+++ b/tests/shell/testcases/maps/0006interval_map_overlap_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# test adding elements to an interval map
+# shows how disjoint intervals are seen as overlaps
+# NOTE this is only an issue with two separate nft calls
+
+n=1
+RULESET="add table x
+add map x y { type ipv4_addr : ipv4_addr; flags interval; }
+add element x y { 10.0.${n}.0/24 : 10.0.0.${n} }"
+
+set -e
+$NFT -f - <<< "$RULESET"
+
+n=2
+$NFT "add element x y { 10.0.${n}.0/24 : 10.0.0.${n} }"
diff --git a/tests/shell/testcases/maps/0007named_ifname_dtype_0 b/tests/shell/testcases/maps/0007named_ifname_dtype_0
new file mode 100755
index 0000000..b5c5116
--- /dev/null
+++ b/tests/shell/testcases/maps/0007named_ifname_dtype_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# support for ifname in named maps
+
+EXPECTED="table inet t {
+	map m1 {
+		type ifname : ipv4_addr
+		elements = { \"eth0\" : 1.1.1.1 }
+	}
+
+	chain c {
+		ip daddr set iifname map @m1
+		ip daddr set oifname map @m1
+	}
+}"
+
+set -e
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/maps/0008interval_map_delete_0 b/tests/shell/testcases/maps/0008interval_map_delete_0
new file mode 100755
index 0000000..39ea312
--- /dev/null
+++ b/tests/shell/testcases/maps/0008interval_map_delete_0
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table ip filter {
+	map m {
+		type ipv4_addr : mark
+		flags interval
+		elements = { 127.0.0.2 : 0x00000002, 127.0.0.3 : 0x00000003 }
+	}
+
+	chain input {
+		type filter hook input priority filter; policy accept;
+		meta mark set ip daddr map @m
+		meta mark 0x00000002 counter accept
+		meta mark 0x00000003 counter accept
+		counter
+	}
+}"
+
+$NFT -f - <<< "$EXPECTED"
+$NFT delete element filter m { 127.0.0.2 }
+$NFT delete element filter m { 127.0.0.3 }
+$NFT add element filter m { 127.0.0.3 : 0x3 }
+$NFT add element filter m { 127.0.0.2 : 0x2 }
+
+GET=$($NFT -s list ruleset)
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/maps/0009vmap_0 b/tests/shell/testcases/maps/0009vmap_0
new file mode 100755
index 0000000..d31e160
--- /dev/null
+++ b/tests/shell/testcases/maps/0009vmap_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table inet filter {
+        chain ssh_input {
+        }
+
+        chain wan_input {
+                tcp dport vmap { 22 : jump ssh_input }
+        }
+
+        chain prerouting {
+                type filter hook prerouting priority -300; policy accept;
+                iif vmap { "lo" counter : jump wan_input }
+        }
+}"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/maps/0010concat_map_0 b/tests/shell/testcases/maps/0010concat_map_0
new file mode 100755
index 0000000..4848d97
--- /dev/null
+++ b/tests/shell/testcases/maps/0010concat_map_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table inet x {
+	map z {
+		type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service
+		elements = {
+			1.1.1.1 . tcp . 20 : 2.2.2.2 . 30
+		}
+	}
+
+	chain y {
+		type nat hook prerouting priority dstnat;
+		dnat ip addr . port to ip saddr . ip protocol . tcp dport map @z
+	}
+}"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/maps/0011vmap_0 b/tests/shell/testcases/maps/0011vmap_0
new file mode 100755
index 0000000..3e6fa78
--- /dev/null
+++ b/tests/shell/testcases/maps/0011vmap_0
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table inet filter {
+	map portmap {
+		type inet_service : verdict
+		counter
+	}
+
+        chain ssh_input {
+        }
+
+        chain wan_input {
+                tcp dport vmap @portmap
+        }
+
+        chain prerouting {
+                type filter hook prerouting priority -300; policy accept;
+                iif vmap { "lo" : jump wan_input }
+        }
+}"
+
+$NFT -f - <<< "$EXPECTED"
+
+if [ "$NFT_TEST_HAVE_catchall_element" != n ]; then
+	$NFT 'add element inet filter portmap { 22 : jump ssh_input, * : drop }'
+fi
+
+if [ "$NFT_TEST_HAVE_catchall_element" = n ]; then
+	echo "Ran partial tests due to NFT_TEST_HAVE_catchall_element=n (skipped)"
+	exit 77
+fi
diff --git a/tests/shell/testcases/maps/0012map_0 b/tests/shell/testcases/maps/0012map_0
new file mode 100755
index 0000000..49e51b7
--- /dev/null
+++ b/tests/shell/testcases/maps/0012map_0
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="define interfaces = { eth0, eth1 }
+
+table ip x {
+	map z {
+		type ifname : verdict
+		elements = { \$interfaces : drop, lo : accept }
+	}
+	chain y {
+		iifname vmap { lo : accept, \$interfaces : drop }
+	}
+}"
+
+$NFT -f - <<< "$EXPECTED"
+
+EXPECTED="table ip x {
+	map w {
+		typeof ip saddr . meta mark : verdict
+		flags interval
+		counter
+		elements = {
+			127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
+		}
+	}
+
+	chain k {
+		type filter hook input priority filter + 1; policy accept;
+		meta mark set 0x123434
+		ip saddr . meta mark vmap @w
+	}
+}"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/maps/0013map_0 b/tests/shell/testcases/maps/0013map_0
new file mode 100755
index 0000000..70d7fd3
--- /dev/null
+++ b/tests/shell/testcases/maps/0013map_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="
+flush ruleset
+
+add table ip filter
+add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
+add map ip filter forwport { type ipv4_addr . inet_proto . inet_service: verdict; flags interval; counter; }
+add rule ip filter FORWARD iifname enp0s8 ip daddr . ip protocol  . th dport vmap @forwport counter
+add element ip filter forwport { 10.133.89.138 . tcp . 8081: accept }"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/maps/0014destroy_0 b/tests/shell/testcases/maps/0014destroy_0
new file mode 100755
index 0000000..ee81e3c
--- /dev/null
+++ b/tests/shell/testcases/maps/0014destroy_0
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)
+
+$NFT add table x
+
+# pass for non-existent map
+$NFT destroy map x y
+
+# successfully delete existing map
+$NFT add map x y '{ type ipv4_addr : ipv4_addr; }'
+$NFT destroy map x y
diff --git a/tests/shell/testcases/maps/0016map_leak_0 b/tests/shell/testcases/maps/0016map_leak_0
new file mode 100755
index 0000000..e110ee4
--- /dev/null
+++ b/tests/shell/testcases/maps/0016map_leak_0
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip t {
+        map sourcemap {
+                type ipv4_addr : verdict
+                elements = { 100.123.10.2 : jump c }
+        }
+
+        chain c {
+        }
+}"
+
+$NFT -f - <<< "$RULESET"
+# again, since it is addition, not creation, it is successful
+$NFT -f - <<< "$RULESET"
+# flush it to check for refcount leak
+$NFT flush ruleset
+
+#
+# again with stateful objects
+#
+
+RULESET="table ip t {
+	counter c {}
+
+        map sourcemap {
+                type ipv4_addr : counter
+                elements = { 100.123.10.2 : \"c\" }
+        }
+}"
+
+$NFT -f - <<< "$RULESET"
+# again, since it is addition, not creation, it is successful
+$NFT -f - <<< "$RULESET"
+# flush it to check for refcount leak
+$NFT flush ruleset
diff --git a/tests/shell/testcases/maps/0017_map_variable_0 b/tests/shell/testcases/maps/0017_map_variable_0
new file mode 100755
index 0000000..e01adb4
--- /dev/null
+++ b/tests/shell/testcases/maps/0017_map_variable_0
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+
+if [ "$NFT_TEST_HAVE_catchall_element" != n ] ; then
+	CATCHALL="* : 3,"
+else
+	CATCHALL=","
+fi
+
+RULESET="define x = {
+        1.1.1.1 : 2,
+        $CATCHALL
+}
+
+table ip x {
+        map y {
+                typeof ip saddr : mark
+                elements = \$x
+        }
+        map z {
+                typeof ip saddr : mark
+                elements = \$x
+        }
+}"
+
+$NFT -f - <<< "$RULESET"
+
+if [ "$NFT_TEST_HAVE_catchall_element" = n ] ; then
+	echo "Ran modified version of test due to NFT_TEST_HAVE_catchall_element=n (skipped)"
+	exit 77
+fi
diff --git a/tests/shell/testcases/maps/0018map_leak_timeout_0 b/tests/shell/testcases/maps/0018map_leak_timeout_0
new file mode 100755
index 0000000..09db315
--- /dev/null
+++ b/tests/shell/testcases/maps/0018map_leak_timeout_0
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
+
+set -e
+
+RULESET="table ip t {
+        map sourcemap {
+                type ipv4_addr : verdict
+                timeout 3s
+                elements = { 100.123.10.2 : jump c }
+        }
+
+        chain c {
+        }
+}"
+
+$NFT -f - <<< "$RULESET"
+# again, since it is addition, not creation, it is successful
+$NFT -f - <<< "$RULESET"
+
+# wait for elements to expire
+sleep 5
+
+# flush it to check for refcount leak
+$NFT flush ruleset
+
+#
+# again with stateful objects
+#
+
+RULESET="table ip t {
+	counter c {}
+
+        map sourcemap {
+                type ipv4_addr : counter
+                timeout 3s
+                elements = { 100.123.10.2 : \"c\" }
+        }
+}"
+
+$NFT -f - <<< "$RULESET"
+# again, since it is addition, not creation, it is successful
+$NFT -f - <<< "$RULESET"
+# flush it to check for refcount leak
+
+# wait for elements to expire
+sleep 5
+
+$NFT flush ruleset
diff --git a/tests/shell/testcases/maps/anon_objmap_concat b/tests/shell/testcases/maps/anon_objmap_concat
new file mode 100755
index 0000000..07820b7
--- /dev/null
+++ b/tests/shell/testcases/maps/anon_objmap_concat
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"
diff --git a/tests/shell/testcases/maps/anonymous_snat_map_0 b/tests/shell/testcases/maps/anonymous_snat_map_0
new file mode 100755
index 0000000..32aac8a
--- /dev/null
+++ b/tests/shell/testcases/maps/anonymous_snat_map_0
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# anonymous map can be added to a snat rule
+
+set -e
+$NFT add table nat
+$NFT add chain nat postrouting
+$NFT add rule nat postrouting snat ip saddr map {1.1.1.1 : 2.2.2.2}
diff --git a/tests/shell/testcases/maps/different_map_types_1 b/tests/shell/testcases/maps/different_map_types_1
new file mode 100755
index 0000000..a7e831f
--- /dev/null
+++ b/tests/shell/testcases/maps/different_map_types_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# must fail: expr MAP { expr : type1, expr : type2, .. } expr
+
+set -e
+
+$NFT add table ip filter
+$NFT add chain ip filter output { type filter hook output priority 0 \; }
+
+$NFT add rule ip filter output meta mark set tcp dport map { 22 : 1, 23 : 192.168.0.1 } || exit 0
+
+echo "E: Added two different types of expression to map"
+exit 1
diff --git a/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.nft b/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.nft
new file mode 100644
index 0000000..c651af0
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0003map_add_many_elements_0.nft
@@ -0,0 +1,486 @@
+table ip x {
+	map y {
+		type ipv4_addr : ipv4_addr
+		elements = { 10.0.1.1 : 10.0.1.1, 10.0.1.2 : 10.0.1.2,
+			     10.0.1.3 : 10.0.1.3, 10.0.1.4 : 10.0.1.4,
+			     10.0.1.5 : 10.0.1.5, 10.0.1.6 : 10.0.1.6,
+			     10.0.1.7 : 10.0.1.7, 10.0.1.8 : 10.0.1.8,
+			     10.0.1.9 : 10.0.1.9, 10.0.1.10 : 10.0.1.10,
+			     10.0.1.11 : 10.0.1.11, 10.0.1.12 : 10.0.1.12,
+			     10.0.1.13 : 10.0.1.13, 10.0.1.14 : 10.0.1.14,
+			     10.0.1.15 : 10.0.1.15, 10.0.1.16 : 10.0.1.16,
+			     10.0.1.17 : 10.0.1.17, 10.0.1.18 : 10.0.1.18,
+			     10.0.1.19 : 10.0.1.19, 10.0.1.20 : 10.0.1.20,
+			     10.0.1.21 : 10.0.1.21, 10.0.1.22 : 10.0.1.22,
+			     10.0.1.23 : 10.0.1.23, 10.0.1.24 : 10.0.1.24,
+			     10.0.1.25 : 10.0.1.25, 10.0.1.26 : 10.0.1.26,
+			     10.0.1.27 : 10.0.1.27, 10.0.1.28 : 10.0.1.28,
+			     10.0.1.29 : 10.0.1.29, 10.0.1.30 : 10.0.1.30,
+			     10.0.1.31 : 10.0.1.31, 10.0.2.1 : 10.0.2.1,
+			     10.0.2.2 : 10.0.2.2, 10.0.2.3 : 10.0.2.3,
+			     10.0.2.4 : 10.0.2.4, 10.0.2.5 : 10.0.2.5,
+			     10.0.2.6 : 10.0.2.6, 10.0.2.7 : 10.0.2.7,
+			     10.0.2.8 : 10.0.2.8, 10.0.2.9 : 10.0.2.9,
+			     10.0.2.10 : 10.0.2.10, 10.0.2.11 : 10.0.2.11,
+			     10.0.2.12 : 10.0.2.12, 10.0.2.13 : 10.0.2.13,
+			     10.0.2.14 : 10.0.2.14, 10.0.2.15 : 10.0.2.15,
+			     10.0.2.16 : 10.0.2.16, 10.0.2.17 : 10.0.2.17,
+			     10.0.2.18 : 10.0.2.18, 10.0.2.19 : 10.0.2.19,
+			     10.0.2.20 : 10.0.2.20, 10.0.2.21 : 10.0.2.21,
+			     10.0.2.22 : 10.0.2.22, 10.0.2.23 : 10.0.2.23,
+			     10.0.2.24 : 10.0.2.24, 10.0.2.25 : 10.0.2.25,
+			     10.0.2.26 : 10.0.2.26, 10.0.2.27 : 10.0.2.27,
+			     10.0.2.28 : 10.0.2.28, 10.0.2.29 : 10.0.2.29,
+			     10.0.2.30 : 10.0.2.30, 10.0.2.31 : 10.0.2.31,
+			     10.0.3.1 : 10.0.3.1, 10.0.3.2 : 10.0.3.2,
+			     10.0.3.3 : 10.0.3.3, 10.0.3.4 : 10.0.3.4,
+			     10.0.3.5 : 10.0.3.5, 10.0.3.6 : 10.0.3.6,
+			     10.0.3.7 : 10.0.3.7, 10.0.3.8 : 10.0.3.8,
+			     10.0.3.9 : 10.0.3.9, 10.0.3.10 : 10.0.3.10,
+			     10.0.3.11 : 10.0.3.11, 10.0.3.12 : 10.0.3.12,
+			     10.0.3.13 : 10.0.3.13, 10.0.3.14 : 10.0.3.14,
+			     10.0.3.15 : 10.0.3.15, 10.0.3.16 : 10.0.3.16,
+			     10.0.3.17 : 10.0.3.17, 10.0.3.18 : 10.0.3.18,
+			     10.0.3.19 : 10.0.3.19, 10.0.3.20 : 10.0.3.20,
+			     10.0.3.21 : 10.0.3.21, 10.0.3.22 : 10.0.3.22,
+			     10.0.3.23 : 10.0.3.23, 10.0.3.24 : 10.0.3.24,
+			     10.0.3.25 : 10.0.3.25, 10.0.3.26 : 10.0.3.26,
+			     10.0.3.27 : 10.0.3.27, 10.0.3.28 : 10.0.3.28,
+			     10.0.3.29 : 10.0.3.29, 10.0.3.30 : 10.0.3.30,
+			     10.0.3.31 : 10.0.3.31, 10.0.4.1 : 10.0.4.1,
+			     10.0.4.2 : 10.0.4.2, 10.0.4.3 : 10.0.4.3,
+			     10.0.4.4 : 10.0.4.4, 10.0.4.5 : 10.0.4.5,
+			     10.0.4.6 : 10.0.4.6, 10.0.4.7 : 10.0.4.7,
+			     10.0.4.8 : 10.0.4.8, 10.0.4.9 : 10.0.4.9,
+			     10.0.4.10 : 10.0.4.10, 10.0.4.11 : 10.0.4.11,
+			     10.0.4.12 : 10.0.4.12, 10.0.4.13 : 10.0.4.13,
+			     10.0.4.14 : 10.0.4.14, 10.0.4.15 : 10.0.4.15,
+			     10.0.4.16 : 10.0.4.16, 10.0.4.17 : 10.0.4.17,
+			     10.0.4.18 : 10.0.4.18, 10.0.4.19 : 10.0.4.19,
+			     10.0.4.20 : 10.0.4.20, 10.0.4.21 : 10.0.4.21,
+			     10.0.4.22 : 10.0.4.22, 10.0.4.23 : 10.0.4.23,
+			     10.0.4.24 : 10.0.4.24, 10.0.4.25 : 10.0.4.25,
+			     10.0.4.26 : 10.0.4.26, 10.0.4.27 : 10.0.4.27,
+			     10.0.4.28 : 10.0.4.28, 10.0.4.29 : 10.0.4.29,
+			     10.0.4.30 : 10.0.4.30, 10.0.4.31 : 10.0.4.31,
+			     10.0.5.1 : 10.0.5.1, 10.0.5.2 : 10.0.5.2,
+			     10.0.5.3 : 10.0.5.3, 10.0.5.4 : 10.0.5.4,
+			     10.0.5.5 : 10.0.5.5, 10.0.5.6 : 10.0.5.6,
+			     10.0.5.7 : 10.0.5.7, 10.0.5.8 : 10.0.5.8,
+			     10.0.5.9 : 10.0.5.9, 10.0.5.10 : 10.0.5.10,
+			     10.0.5.11 : 10.0.5.11, 10.0.5.12 : 10.0.5.12,
+			     10.0.5.13 : 10.0.5.13, 10.0.5.14 : 10.0.5.14,
+			     10.0.5.15 : 10.0.5.15, 10.0.5.16 : 10.0.5.16,
+			     10.0.5.17 : 10.0.5.17, 10.0.5.18 : 10.0.5.18,
+			     10.0.5.19 : 10.0.5.19, 10.0.5.20 : 10.0.5.20,
+			     10.0.5.21 : 10.0.5.21, 10.0.5.22 : 10.0.5.22,
+			     10.0.5.23 : 10.0.5.23, 10.0.5.24 : 10.0.5.24,
+			     10.0.5.25 : 10.0.5.25, 10.0.5.26 : 10.0.5.26,
+			     10.0.5.27 : 10.0.5.27, 10.0.5.28 : 10.0.5.28,
+			     10.0.5.29 : 10.0.5.29, 10.0.5.30 : 10.0.5.30,
+			     10.0.5.31 : 10.0.5.31, 10.0.6.1 : 10.0.6.1,
+			     10.0.6.2 : 10.0.6.2, 10.0.6.3 : 10.0.6.3,
+			     10.0.6.4 : 10.0.6.4, 10.0.6.5 : 10.0.6.5,
+			     10.0.6.6 : 10.0.6.6, 10.0.6.7 : 10.0.6.7,
+			     10.0.6.8 : 10.0.6.8, 10.0.6.9 : 10.0.6.9,
+			     10.0.6.10 : 10.0.6.10, 10.0.6.11 : 10.0.6.11,
+			     10.0.6.12 : 10.0.6.12, 10.0.6.13 : 10.0.6.13,
+			     10.0.6.14 : 10.0.6.14, 10.0.6.15 : 10.0.6.15,
+			     10.0.6.16 : 10.0.6.16, 10.0.6.17 : 10.0.6.17,
+			     10.0.6.18 : 10.0.6.18, 10.0.6.19 : 10.0.6.19,
+			     10.0.6.20 : 10.0.6.20, 10.0.6.21 : 10.0.6.21,
+			     10.0.6.22 : 10.0.6.22, 10.0.6.23 : 10.0.6.23,
+			     10.0.6.24 : 10.0.6.24, 10.0.6.25 : 10.0.6.25,
+			     10.0.6.26 : 10.0.6.26, 10.0.6.27 : 10.0.6.27,
+			     10.0.6.28 : 10.0.6.28, 10.0.6.29 : 10.0.6.29,
+			     10.0.6.30 : 10.0.6.30, 10.0.6.31 : 10.0.6.31,
+			     10.0.7.1 : 10.0.7.1, 10.0.7.2 : 10.0.7.2,
+			     10.0.7.3 : 10.0.7.3, 10.0.7.4 : 10.0.7.4,
+			     10.0.7.5 : 10.0.7.5, 10.0.7.6 : 10.0.7.6,
+			     10.0.7.7 : 10.0.7.7, 10.0.7.8 : 10.0.7.8,
+			     10.0.7.9 : 10.0.7.9, 10.0.7.10 : 10.0.7.10,
+			     10.0.7.11 : 10.0.7.11, 10.0.7.12 : 10.0.7.12,
+			     10.0.7.13 : 10.0.7.13, 10.0.7.14 : 10.0.7.14,
+			     10.0.7.15 : 10.0.7.15, 10.0.7.16 : 10.0.7.16,
+			     10.0.7.17 : 10.0.7.17, 10.0.7.18 : 10.0.7.18,
+			     10.0.7.19 : 10.0.7.19, 10.0.7.20 : 10.0.7.20,
+			     10.0.7.21 : 10.0.7.21, 10.0.7.22 : 10.0.7.22,
+			     10.0.7.23 : 10.0.7.23, 10.0.7.24 : 10.0.7.24,
+			     10.0.7.25 : 10.0.7.25, 10.0.7.26 : 10.0.7.26,
+			     10.0.7.27 : 10.0.7.27, 10.0.7.28 : 10.0.7.28,
+			     10.0.7.29 : 10.0.7.29, 10.0.7.30 : 10.0.7.30,
+			     10.0.7.31 : 10.0.7.31, 10.0.8.1 : 10.0.8.1,
+			     10.0.8.2 : 10.0.8.2, 10.0.8.3 : 10.0.8.3,
+			     10.0.8.4 : 10.0.8.4, 10.0.8.5 : 10.0.8.5,
+			     10.0.8.6 : 10.0.8.6, 10.0.8.7 : 10.0.8.7,
+			     10.0.8.8 : 10.0.8.8, 10.0.8.9 : 10.0.8.9,
+			     10.0.8.10 : 10.0.8.10, 10.0.8.11 : 10.0.8.11,
+			     10.0.8.12 : 10.0.8.12, 10.0.8.13 : 10.0.8.13,
+			     10.0.8.14 : 10.0.8.14, 10.0.8.15 : 10.0.8.15,
+			     10.0.8.16 : 10.0.8.16, 10.0.8.17 : 10.0.8.17,
+			     10.0.8.18 : 10.0.8.18, 10.0.8.19 : 10.0.8.19,
+			     10.0.8.20 : 10.0.8.20, 10.0.8.21 : 10.0.8.21,
+			     10.0.8.22 : 10.0.8.22, 10.0.8.23 : 10.0.8.23,
+			     10.0.8.24 : 10.0.8.24, 10.0.8.25 : 10.0.8.25,
+			     10.0.8.26 : 10.0.8.26, 10.0.8.27 : 10.0.8.27,
+			     10.0.8.28 : 10.0.8.28, 10.0.8.29 : 10.0.8.29,
+			     10.0.8.30 : 10.0.8.30, 10.0.8.31 : 10.0.8.31,
+			     10.0.9.1 : 10.0.9.1, 10.0.9.2 : 10.0.9.2,
+			     10.0.9.3 : 10.0.9.3, 10.0.9.4 : 10.0.9.4,
+			     10.0.9.5 : 10.0.9.5, 10.0.9.6 : 10.0.9.6,
+			     10.0.9.7 : 10.0.9.7, 10.0.9.8 : 10.0.9.8,
+			     10.0.9.9 : 10.0.9.9, 10.0.9.10 : 10.0.9.10,
+			     10.0.9.11 : 10.0.9.11, 10.0.9.12 : 10.0.9.12,
+			     10.0.9.13 : 10.0.9.13, 10.0.9.14 : 10.0.9.14,
+			     10.0.9.15 : 10.0.9.15, 10.0.9.16 : 10.0.9.16,
+			     10.0.9.17 : 10.0.9.17, 10.0.9.18 : 10.0.9.18,
+			     10.0.9.19 : 10.0.9.19, 10.0.9.20 : 10.0.9.20,
+			     10.0.9.21 : 10.0.9.21, 10.0.9.22 : 10.0.9.22,
+			     10.0.9.23 : 10.0.9.23, 10.0.9.24 : 10.0.9.24,
+			     10.0.9.25 : 10.0.9.25, 10.0.9.26 : 10.0.9.26,
+			     10.0.9.27 : 10.0.9.27, 10.0.9.28 : 10.0.9.28,
+			     10.0.9.29 : 10.0.9.29, 10.0.9.30 : 10.0.9.30,
+			     10.0.9.31 : 10.0.9.31, 10.0.10.1 : 10.0.10.1,
+			     10.0.10.2 : 10.0.10.2, 10.0.10.3 : 10.0.10.3,
+			     10.0.10.4 : 10.0.10.4, 10.0.10.5 : 10.0.10.5,
+			     10.0.10.6 : 10.0.10.6, 10.0.10.7 : 10.0.10.7,
+			     10.0.10.8 : 10.0.10.8, 10.0.10.9 : 10.0.10.9,
+			     10.0.10.10 : 10.0.10.10, 10.0.10.11 : 10.0.10.11,
+			     10.0.10.12 : 10.0.10.12, 10.0.10.13 : 10.0.10.13,
+			     10.0.10.14 : 10.0.10.14, 10.0.10.15 : 10.0.10.15,
+			     10.0.10.16 : 10.0.10.16, 10.0.10.17 : 10.0.10.17,
+			     10.0.10.18 : 10.0.10.18, 10.0.10.19 : 10.0.10.19,
+			     10.0.10.20 : 10.0.10.20, 10.0.10.21 : 10.0.10.21,
+			     10.0.10.22 : 10.0.10.22, 10.0.10.23 : 10.0.10.23,
+			     10.0.10.24 : 10.0.10.24, 10.0.10.25 : 10.0.10.25,
+			     10.0.10.26 : 10.0.10.26, 10.0.10.27 : 10.0.10.27,
+			     10.0.10.28 : 10.0.10.28, 10.0.10.29 : 10.0.10.29,
+			     10.0.10.30 : 10.0.10.30, 10.0.10.31 : 10.0.10.31,
+			     10.0.11.1 : 10.0.11.1, 10.0.11.2 : 10.0.11.2,
+			     10.0.11.3 : 10.0.11.3, 10.0.11.4 : 10.0.11.4,
+			     10.0.11.5 : 10.0.11.5, 10.0.11.6 : 10.0.11.6,
+			     10.0.11.7 : 10.0.11.7, 10.0.11.8 : 10.0.11.8,
+			     10.0.11.9 : 10.0.11.9, 10.0.11.10 : 10.0.11.10,
+			     10.0.11.11 : 10.0.11.11, 10.0.11.12 : 10.0.11.12,
+			     10.0.11.13 : 10.0.11.13, 10.0.11.14 : 10.0.11.14,
+			     10.0.11.15 : 10.0.11.15, 10.0.11.16 : 10.0.11.16,
+			     10.0.11.17 : 10.0.11.17, 10.0.11.18 : 10.0.11.18,
+			     10.0.11.19 : 10.0.11.19, 10.0.11.20 : 10.0.11.20,
+			     10.0.11.21 : 10.0.11.21, 10.0.11.22 : 10.0.11.22,
+			     10.0.11.23 : 10.0.11.23, 10.0.11.24 : 10.0.11.24,
+			     10.0.11.25 : 10.0.11.25, 10.0.11.26 : 10.0.11.26,
+			     10.0.11.27 : 10.0.11.27, 10.0.11.28 : 10.0.11.28,
+			     10.0.11.29 : 10.0.11.29, 10.0.11.30 : 10.0.11.30,
+			     10.0.11.31 : 10.0.11.31, 10.0.12.1 : 10.0.12.1,
+			     10.0.12.2 : 10.0.12.2, 10.0.12.3 : 10.0.12.3,
+			     10.0.12.4 : 10.0.12.4, 10.0.12.5 : 10.0.12.5,
+			     10.0.12.6 : 10.0.12.6, 10.0.12.7 : 10.0.12.7,
+			     10.0.12.8 : 10.0.12.8, 10.0.12.9 : 10.0.12.9,
+			     10.0.12.10 : 10.0.12.10, 10.0.12.11 : 10.0.12.11,
+			     10.0.12.12 : 10.0.12.12, 10.0.12.13 : 10.0.12.13,
+			     10.0.12.14 : 10.0.12.14, 10.0.12.15 : 10.0.12.15,
+			     10.0.12.16 : 10.0.12.16, 10.0.12.17 : 10.0.12.17,
+			     10.0.12.18 : 10.0.12.18, 10.0.12.19 : 10.0.12.19,
+			     10.0.12.20 : 10.0.12.20, 10.0.12.21 : 10.0.12.21,
+			     10.0.12.22 : 10.0.12.22, 10.0.12.23 : 10.0.12.23,
+			     10.0.12.24 : 10.0.12.24, 10.0.12.25 : 10.0.12.25,
+			     10.0.12.26 : 10.0.12.26, 10.0.12.27 : 10.0.12.27,
+			     10.0.12.28 : 10.0.12.28, 10.0.12.29 : 10.0.12.29,
+			     10.0.12.30 : 10.0.12.30, 10.0.12.31 : 10.0.12.31,
+			     10.0.13.1 : 10.0.13.1, 10.0.13.2 : 10.0.13.2,
+			     10.0.13.3 : 10.0.13.3, 10.0.13.4 : 10.0.13.4,
+			     10.0.13.5 : 10.0.13.5, 10.0.13.6 : 10.0.13.6,
+			     10.0.13.7 : 10.0.13.7, 10.0.13.8 : 10.0.13.8,
+			     10.0.13.9 : 10.0.13.9, 10.0.13.10 : 10.0.13.10,
+			     10.0.13.11 : 10.0.13.11, 10.0.13.12 : 10.0.13.12,
+			     10.0.13.13 : 10.0.13.13, 10.0.13.14 : 10.0.13.14,
+			     10.0.13.15 : 10.0.13.15, 10.0.13.16 : 10.0.13.16,
+			     10.0.13.17 : 10.0.13.17, 10.0.13.18 : 10.0.13.18,
+			     10.0.13.19 : 10.0.13.19, 10.0.13.20 : 10.0.13.20,
+			     10.0.13.21 : 10.0.13.21, 10.0.13.22 : 10.0.13.22,
+			     10.0.13.23 : 10.0.13.23, 10.0.13.24 : 10.0.13.24,
+			     10.0.13.25 : 10.0.13.25, 10.0.13.26 : 10.0.13.26,
+			     10.0.13.27 : 10.0.13.27, 10.0.13.28 : 10.0.13.28,
+			     10.0.13.29 : 10.0.13.29, 10.0.13.30 : 10.0.13.30,
+			     10.0.13.31 : 10.0.13.31, 10.0.14.1 : 10.0.14.1,
+			     10.0.14.2 : 10.0.14.2, 10.0.14.3 : 10.0.14.3,
+			     10.0.14.4 : 10.0.14.4, 10.0.14.5 : 10.0.14.5,
+			     10.0.14.6 : 10.0.14.6, 10.0.14.7 : 10.0.14.7,
+			     10.0.14.8 : 10.0.14.8, 10.0.14.9 : 10.0.14.9,
+			     10.0.14.10 : 10.0.14.10, 10.0.14.11 : 10.0.14.11,
+			     10.0.14.12 : 10.0.14.12, 10.0.14.13 : 10.0.14.13,
+			     10.0.14.14 : 10.0.14.14, 10.0.14.15 : 10.0.14.15,
+			     10.0.14.16 : 10.0.14.16, 10.0.14.17 : 10.0.14.17,
+			     10.0.14.18 : 10.0.14.18, 10.0.14.19 : 10.0.14.19,
+			     10.0.14.20 : 10.0.14.20, 10.0.14.21 : 10.0.14.21,
+			     10.0.14.22 : 10.0.14.22, 10.0.14.23 : 10.0.14.23,
+			     10.0.14.24 : 10.0.14.24, 10.0.14.25 : 10.0.14.25,
+			     10.0.14.26 : 10.0.14.26, 10.0.14.27 : 10.0.14.27,
+			     10.0.14.28 : 10.0.14.28, 10.0.14.29 : 10.0.14.29,
+			     10.0.14.30 : 10.0.14.30, 10.0.14.31 : 10.0.14.31,
+			     10.0.15.1 : 10.0.15.1, 10.0.15.2 : 10.0.15.2,
+			     10.0.15.3 : 10.0.15.3, 10.0.15.4 : 10.0.15.4,
+			     10.0.15.5 : 10.0.15.5, 10.0.15.6 : 10.0.15.6,
+			     10.0.15.7 : 10.0.15.7, 10.0.15.8 : 10.0.15.8,
+			     10.0.15.9 : 10.0.15.9, 10.0.15.10 : 10.0.15.10,
+			     10.0.15.11 : 10.0.15.11, 10.0.15.12 : 10.0.15.12,
+			     10.0.15.13 : 10.0.15.13, 10.0.15.14 : 10.0.15.14,
+			     10.0.15.15 : 10.0.15.15, 10.0.15.16 : 10.0.15.16,
+			     10.0.15.17 : 10.0.15.17, 10.0.15.18 : 10.0.15.18,
+			     10.0.15.19 : 10.0.15.19, 10.0.15.20 : 10.0.15.20,
+			     10.0.15.21 : 10.0.15.21, 10.0.15.22 : 10.0.15.22,
+			     10.0.15.23 : 10.0.15.23, 10.0.15.24 : 10.0.15.24,
+			     10.0.15.25 : 10.0.15.25, 10.0.15.26 : 10.0.15.26,
+			     10.0.15.27 : 10.0.15.27, 10.0.15.28 : 10.0.15.28,
+			     10.0.15.29 : 10.0.15.29, 10.0.15.30 : 10.0.15.30,
+			     10.0.15.31 : 10.0.15.31, 10.0.16.1 : 10.0.16.1,
+			     10.0.16.2 : 10.0.16.2, 10.0.16.3 : 10.0.16.3,
+			     10.0.16.4 : 10.0.16.4, 10.0.16.5 : 10.0.16.5,
+			     10.0.16.6 : 10.0.16.6, 10.0.16.7 : 10.0.16.7,
+			     10.0.16.8 : 10.0.16.8, 10.0.16.9 : 10.0.16.9,
+			     10.0.16.10 : 10.0.16.10, 10.0.16.11 : 10.0.16.11,
+			     10.0.16.12 : 10.0.16.12, 10.0.16.13 : 10.0.16.13,
+			     10.0.16.14 : 10.0.16.14, 10.0.16.15 : 10.0.16.15,
+			     10.0.16.16 : 10.0.16.16, 10.0.16.17 : 10.0.16.17,
+			     10.0.16.18 : 10.0.16.18, 10.0.16.19 : 10.0.16.19,
+			     10.0.16.20 : 10.0.16.20, 10.0.16.21 : 10.0.16.21,
+			     10.0.16.22 : 10.0.16.22, 10.0.16.23 : 10.0.16.23,
+			     10.0.16.24 : 10.0.16.24, 10.0.16.25 : 10.0.16.25,
+			     10.0.16.26 : 10.0.16.26, 10.0.16.27 : 10.0.16.27,
+			     10.0.16.28 : 10.0.16.28, 10.0.16.29 : 10.0.16.29,
+			     10.0.16.30 : 10.0.16.30, 10.0.16.31 : 10.0.16.31,
+			     10.0.17.1 : 10.0.17.1, 10.0.17.2 : 10.0.17.2,
+			     10.0.17.3 : 10.0.17.3, 10.0.17.4 : 10.0.17.4,
+			     10.0.17.5 : 10.0.17.5, 10.0.17.6 : 10.0.17.6,
+			     10.0.17.7 : 10.0.17.7, 10.0.17.8 : 10.0.17.8,
+			     10.0.17.9 : 10.0.17.9, 10.0.17.10 : 10.0.17.10,
+			     10.0.17.11 : 10.0.17.11, 10.0.17.12 : 10.0.17.12,
+			     10.0.17.13 : 10.0.17.13, 10.0.17.14 : 10.0.17.14,
+			     10.0.17.15 : 10.0.17.15, 10.0.17.16 : 10.0.17.16,
+			     10.0.17.17 : 10.0.17.17, 10.0.17.18 : 10.0.17.18,
+			     10.0.17.19 : 10.0.17.19, 10.0.17.20 : 10.0.17.20,
+			     10.0.17.21 : 10.0.17.21, 10.0.17.22 : 10.0.17.22,
+			     10.0.17.23 : 10.0.17.23, 10.0.17.24 : 10.0.17.24,
+			     10.0.17.25 : 10.0.17.25, 10.0.17.26 : 10.0.17.26,
+			     10.0.17.27 : 10.0.17.27, 10.0.17.28 : 10.0.17.28,
+			     10.0.17.29 : 10.0.17.29, 10.0.17.30 : 10.0.17.30,
+			     10.0.17.31 : 10.0.17.31, 10.0.18.1 : 10.0.18.1,
+			     10.0.18.2 : 10.0.18.2, 10.0.18.3 : 10.0.18.3,
+			     10.0.18.4 : 10.0.18.4, 10.0.18.5 : 10.0.18.5,
+			     10.0.18.6 : 10.0.18.6, 10.0.18.7 : 10.0.18.7,
+			     10.0.18.8 : 10.0.18.8, 10.0.18.9 : 10.0.18.9,
+			     10.0.18.10 : 10.0.18.10, 10.0.18.11 : 10.0.18.11,
+			     10.0.18.12 : 10.0.18.12, 10.0.18.13 : 10.0.18.13,
+			     10.0.18.14 : 10.0.18.14, 10.0.18.15 : 10.0.18.15,
+			     10.0.18.16 : 10.0.18.16, 10.0.18.17 : 10.0.18.17,
+			     10.0.18.18 : 10.0.18.18, 10.0.18.19 : 10.0.18.19,
+			     10.0.18.20 : 10.0.18.20, 10.0.18.21 : 10.0.18.21,
+			     10.0.18.22 : 10.0.18.22, 10.0.18.23 : 10.0.18.23,
+			     10.0.18.24 : 10.0.18.24, 10.0.18.25 : 10.0.18.25,
+			     10.0.18.26 : 10.0.18.26, 10.0.18.27 : 10.0.18.27,
+			     10.0.18.28 : 10.0.18.28, 10.0.18.29 : 10.0.18.29,
+			     10.0.18.30 : 10.0.18.30, 10.0.18.31 : 10.0.18.31,
+			     10.0.19.1 : 10.0.19.1, 10.0.19.2 : 10.0.19.2,
+			     10.0.19.3 : 10.0.19.3, 10.0.19.4 : 10.0.19.4,
+			     10.0.19.5 : 10.0.19.5, 10.0.19.6 : 10.0.19.6,
+			     10.0.19.7 : 10.0.19.7, 10.0.19.8 : 10.0.19.8,
+			     10.0.19.9 : 10.0.19.9, 10.0.19.10 : 10.0.19.10,
+			     10.0.19.11 : 10.0.19.11, 10.0.19.12 : 10.0.19.12,
+			     10.0.19.13 : 10.0.19.13, 10.0.19.14 : 10.0.19.14,
+			     10.0.19.15 : 10.0.19.15, 10.0.19.16 : 10.0.19.16,
+			     10.0.19.17 : 10.0.19.17, 10.0.19.18 : 10.0.19.18,
+			     10.0.19.19 : 10.0.19.19, 10.0.19.20 : 10.0.19.20,
+			     10.0.19.21 : 10.0.19.21, 10.0.19.22 : 10.0.19.22,
+			     10.0.19.23 : 10.0.19.23, 10.0.19.24 : 10.0.19.24,
+			     10.0.19.25 : 10.0.19.25, 10.0.19.26 : 10.0.19.26,
+			     10.0.19.27 : 10.0.19.27, 10.0.19.28 : 10.0.19.28,
+			     10.0.19.29 : 10.0.19.29, 10.0.19.30 : 10.0.19.30,
+			     10.0.19.31 : 10.0.19.31, 10.0.20.1 : 10.0.20.1,
+			     10.0.20.2 : 10.0.20.2, 10.0.20.3 : 10.0.20.3,
+			     10.0.20.4 : 10.0.20.4, 10.0.20.5 : 10.0.20.5,
+			     10.0.20.6 : 10.0.20.6, 10.0.20.7 : 10.0.20.7,
+			     10.0.20.8 : 10.0.20.8, 10.0.20.9 : 10.0.20.9,
+			     10.0.20.10 : 10.0.20.10, 10.0.20.11 : 10.0.20.11,
+			     10.0.20.12 : 10.0.20.12, 10.0.20.13 : 10.0.20.13,
+			     10.0.20.14 : 10.0.20.14, 10.0.20.15 : 10.0.20.15,
+			     10.0.20.16 : 10.0.20.16, 10.0.20.17 : 10.0.20.17,
+			     10.0.20.18 : 10.0.20.18, 10.0.20.19 : 10.0.20.19,
+			     10.0.20.20 : 10.0.20.20, 10.0.20.21 : 10.0.20.21,
+			     10.0.20.22 : 10.0.20.22, 10.0.20.23 : 10.0.20.23,
+			     10.0.20.24 : 10.0.20.24, 10.0.20.25 : 10.0.20.25,
+			     10.0.20.26 : 10.0.20.26, 10.0.20.27 : 10.0.20.27,
+			     10.0.20.28 : 10.0.20.28, 10.0.20.29 : 10.0.20.29,
+			     10.0.20.30 : 10.0.20.30, 10.0.20.31 : 10.0.20.31,
+			     10.0.21.1 : 10.0.21.1, 10.0.21.2 : 10.0.21.2,
+			     10.0.21.3 : 10.0.21.3, 10.0.21.4 : 10.0.21.4,
+			     10.0.21.5 : 10.0.21.5, 10.0.21.6 : 10.0.21.6,
+			     10.0.21.7 : 10.0.21.7, 10.0.21.8 : 10.0.21.8,
+			     10.0.21.9 : 10.0.21.9, 10.0.21.10 : 10.0.21.10,
+			     10.0.21.11 : 10.0.21.11, 10.0.21.12 : 10.0.21.12,
+			     10.0.21.13 : 10.0.21.13, 10.0.21.14 : 10.0.21.14,
+			     10.0.21.15 : 10.0.21.15, 10.0.21.16 : 10.0.21.16,
+			     10.0.21.17 : 10.0.21.17, 10.0.21.18 : 10.0.21.18,
+			     10.0.21.19 : 10.0.21.19, 10.0.21.20 : 10.0.21.20,
+			     10.0.21.21 : 10.0.21.21, 10.0.21.22 : 10.0.21.22,
+			     10.0.21.23 : 10.0.21.23, 10.0.21.24 : 10.0.21.24,
+			     10.0.21.25 : 10.0.21.25, 10.0.21.26 : 10.0.21.26,
+			     10.0.21.27 : 10.0.21.27, 10.0.21.28 : 10.0.21.28,
+			     10.0.21.29 : 10.0.21.29, 10.0.21.30 : 10.0.21.30,
+			     10.0.21.31 : 10.0.21.31, 10.0.22.1 : 10.0.22.1,
+			     10.0.22.2 : 10.0.22.2, 10.0.22.3 : 10.0.22.3,
+			     10.0.22.4 : 10.0.22.4, 10.0.22.5 : 10.0.22.5,
+			     10.0.22.6 : 10.0.22.6, 10.0.22.7 : 10.0.22.7,
+			     10.0.22.8 : 10.0.22.8, 10.0.22.9 : 10.0.22.9,
+			     10.0.22.10 : 10.0.22.10, 10.0.22.11 : 10.0.22.11,
+			     10.0.22.12 : 10.0.22.12, 10.0.22.13 : 10.0.22.13,
+			     10.0.22.14 : 10.0.22.14, 10.0.22.15 : 10.0.22.15,
+			     10.0.22.16 : 10.0.22.16, 10.0.22.17 : 10.0.22.17,
+			     10.0.22.18 : 10.0.22.18, 10.0.22.19 : 10.0.22.19,
+			     10.0.22.20 : 10.0.22.20, 10.0.22.21 : 10.0.22.21,
+			     10.0.22.22 : 10.0.22.22, 10.0.22.23 : 10.0.22.23,
+			     10.0.22.24 : 10.0.22.24, 10.0.22.25 : 10.0.22.25,
+			     10.0.22.26 : 10.0.22.26, 10.0.22.27 : 10.0.22.27,
+			     10.0.22.28 : 10.0.22.28, 10.0.22.29 : 10.0.22.29,
+			     10.0.22.30 : 10.0.22.30, 10.0.22.31 : 10.0.22.31,
+			     10.0.23.1 : 10.0.23.1, 10.0.23.2 : 10.0.23.2,
+			     10.0.23.3 : 10.0.23.3, 10.0.23.4 : 10.0.23.4,
+			     10.0.23.5 : 10.0.23.5, 10.0.23.6 : 10.0.23.6,
+			     10.0.23.7 : 10.0.23.7, 10.0.23.8 : 10.0.23.8,
+			     10.0.23.9 : 10.0.23.9, 10.0.23.10 : 10.0.23.10,
+			     10.0.23.11 : 10.0.23.11, 10.0.23.12 : 10.0.23.12,
+			     10.0.23.13 : 10.0.23.13, 10.0.23.14 : 10.0.23.14,
+			     10.0.23.15 : 10.0.23.15, 10.0.23.16 : 10.0.23.16,
+			     10.0.23.17 : 10.0.23.17, 10.0.23.18 : 10.0.23.18,
+			     10.0.23.19 : 10.0.23.19, 10.0.23.20 : 10.0.23.20,
+			     10.0.23.21 : 10.0.23.21, 10.0.23.22 : 10.0.23.22,
+			     10.0.23.23 : 10.0.23.23, 10.0.23.24 : 10.0.23.24,
+			     10.0.23.25 : 10.0.23.25, 10.0.23.26 : 10.0.23.26,
+			     10.0.23.27 : 10.0.23.27, 10.0.23.28 : 10.0.23.28,
+			     10.0.23.29 : 10.0.23.29, 10.0.23.30 : 10.0.23.30,
+			     10.0.23.31 : 10.0.23.31, 10.0.24.1 : 10.0.24.1,
+			     10.0.24.2 : 10.0.24.2, 10.0.24.3 : 10.0.24.3,
+			     10.0.24.4 : 10.0.24.4, 10.0.24.5 : 10.0.24.5,
+			     10.0.24.6 : 10.0.24.6, 10.0.24.7 : 10.0.24.7,
+			     10.0.24.8 : 10.0.24.8, 10.0.24.9 : 10.0.24.9,
+			     10.0.24.10 : 10.0.24.10, 10.0.24.11 : 10.0.24.11,
+			     10.0.24.12 : 10.0.24.12, 10.0.24.13 : 10.0.24.13,
+			     10.0.24.14 : 10.0.24.14, 10.0.24.15 : 10.0.24.15,
+			     10.0.24.16 : 10.0.24.16, 10.0.24.17 : 10.0.24.17,
+			     10.0.24.18 : 10.0.24.18, 10.0.24.19 : 10.0.24.19,
+			     10.0.24.20 : 10.0.24.20, 10.0.24.21 : 10.0.24.21,
+			     10.0.24.22 : 10.0.24.22, 10.0.24.23 : 10.0.24.23,
+			     10.0.24.24 : 10.0.24.24, 10.0.24.25 : 10.0.24.25,
+			     10.0.24.26 : 10.0.24.26, 10.0.24.27 : 10.0.24.27,
+			     10.0.24.28 : 10.0.24.28, 10.0.24.29 : 10.0.24.29,
+			     10.0.24.30 : 10.0.24.30, 10.0.24.31 : 10.0.24.31,
+			     10.0.25.1 : 10.0.25.1, 10.0.25.2 : 10.0.25.2,
+			     10.0.25.3 : 10.0.25.3, 10.0.25.4 : 10.0.25.4,
+			     10.0.25.5 : 10.0.25.5, 10.0.25.6 : 10.0.25.6,
+			     10.0.25.7 : 10.0.25.7, 10.0.25.8 : 10.0.25.8,
+			     10.0.25.9 : 10.0.25.9, 10.0.25.10 : 10.0.25.10,
+			     10.0.25.11 : 10.0.25.11, 10.0.25.12 : 10.0.25.12,
+			     10.0.25.13 : 10.0.25.13, 10.0.25.14 : 10.0.25.14,
+			     10.0.25.15 : 10.0.25.15, 10.0.25.16 : 10.0.25.16,
+			     10.0.25.17 : 10.0.25.17, 10.0.25.18 : 10.0.25.18,
+			     10.0.25.19 : 10.0.25.19, 10.0.25.20 : 10.0.25.20,
+			     10.0.25.21 : 10.0.25.21, 10.0.25.22 : 10.0.25.22,
+			     10.0.25.23 : 10.0.25.23, 10.0.25.24 : 10.0.25.24,
+			     10.0.25.25 : 10.0.25.25, 10.0.25.26 : 10.0.25.26,
+			     10.0.25.27 : 10.0.25.27, 10.0.25.28 : 10.0.25.28,
+			     10.0.25.29 : 10.0.25.29, 10.0.25.30 : 10.0.25.30,
+			     10.0.25.31 : 10.0.25.31, 10.0.26.1 : 10.0.26.1,
+			     10.0.26.2 : 10.0.26.2, 10.0.26.3 : 10.0.26.3,
+			     10.0.26.4 : 10.0.26.4, 10.0.26.5 : 10.0.26.5,
+			     10.0.26.6 : 10.0.26.6, 10.0.26.7 : 10.0.26.7,
+			     10.0.26.8 : 10.0.26.8, 10.0.26.9 : 10.0.26.9,
+			     10.0.26.10 : 10.0.26.10, 10.0.26.11 : 10.0.26.11,
+			     10.0.26.12 : 10.0.26.12, 10.0.26.13 : 10.0.26.13,
+			     10.0.26.14 : 10.0.26.14, 10.0.26.15 : 10.0.26.15,
+			     10.0.26.16 : 10.0.26.16, 10.0.26.17 : 10.0.26.17,
+			     10.0.26.18 : 10.0.26.18, 10.0.26.19 : 10.0.26.19,
+			     10.0.26.20 : 10.0.26.20, 10.0.26.21 : 10.0.26.21,
+			     10.0.26.22 : 10.0.26.22, 10.0.26.23 : 10.0.26.23,
+			     10.0.26.24 : 10.0.26.24, 10.0.26.25 : 10.0.26.25,
+			     10.0.26.26 : 10.0.26.26, 10.0.26.27 : 10.0.26.27,
+			     10.0.26.28 : 10.0.26.28, 10.0.26.29 : 10.0.26.29,
+			     10.0.26.30 : 10.0.26.30, 10.0.26.31 : 10.0.26.31,
+			     10.0.27.1 : 10.0.27.1, 10.0.27.2 : 10.0.27.2,
+			     10.0.27.3 : 10.0.27.3, 10.0.27.4 : 10.0.27.4,
+			     10.0.27.5 : 10.0.27.5, 10.0.27.6 : 10.0.27.6,
+			     10.0.27.7 : 10.0.27.7, 10.0.27.8 : 10.0.27.8,
+			     10.0.27.9 : 10.0.27.9, 10.0.27.10 : 10.0.27.10,
+			     10.0.27.11 : 10.0.27.11, 10.0.27.12 : 10.0.27.12,
+			     10.0.27.13 : 10.0.27.13, 10.0.27.14 : 10.0.27.14,
+			     10.0.27.15 : 10.0.27.15, 10.0.27.16 : 10.0.27.16,
+			     10.0.27.17 : 10.0.27.17, 10.0.27.18 : 10.0.27.18,
+			     10.0.27.19 : 10.0.27.19, 10.0.27.20 : 10.0.27.20,
+			     10.0.27.21 : 10.0.27.21, 10.0.27.22 : 10.0.27.22,
+			     10.0.27.23 : 10.0.27.23, 10.0.27.24 : 10.0.27.24,
+			     10.0.27.25 : 10.0.27.25, 10.0.27.26 : 10.0.27.26,
+			     10.0.27.27 : 10.0.27.27, 10.0.27.28 : 10.0.27.28,
+			     10.0.27.29 : 10.0.27.29, 10.0.27.30 : 10.0.27.30,
+			     10.0.27.31 : 10.0.27.31, 10.0.28.1 : 10.0.28.1,
+			     10.0.28.2 : 10.0.28.2, 10.0.28.3 : 10.0.28.3,
+			     10.0.28.4 : 10.0.28.4, 10.0.28.5 : 10.0.28.5,
+			     10.0.28.6 : 10.0.28.6, 10.0.28.7 : 10.0.28.7,
+			     10.0.28.8 : 10.0.28.8, 10.0.28.9 : 10.0.28.9,
+			     10.0.28.10 : 10.0.28.10, 10.0.28.11 : 10.0.28.11,
+			     10.0.28.12 : 10.0.28.12, 10.0.28.13 : 10.0.28.13,
+			     10.0.28.14 : 10.0.28.14, 10.0.28.15 : 10.0.28.15,
+			     10.0.28.16 : 10.0.28.16, 10.0.28.17 : 10.0.28.17,
+			     10.0.28.18 : 10.0.28.18, 10.0.28.19 : 10.0.28.19,
+			     10.0.28.20 : 10.0.28.20, 10.0.28.21 : 10.0.28.21,
+			     10.0.28.22 : 10.0.28.22, 10.0.28.23 : 10.0.28.23,
+			     10.0.28.24 : 10.0.28.24, 10.0.28.25 : 10.0.28.25,
+			     10.0.28.26 : 10.0.28.26, 10.0.28.27 : 10.0.28.27,
+			     10.0.28.28 : 10.0.28.28, 10.0.28.29 : 10.0.28.29,
+			     10.0.28.30 : 10.0.28.30, 10.0.28.31 : 10.0.28.31,
+			     10.0.29.1 : 10.0.29.1, 10.0.29.2 : 10.0.29.2,
+			     10.0.29.3 : 10.0.29.3, 10.0.29.4 : 10.0.29.4,
+			     10.0.29.5 : 10.0.29.5, 10.0.29.6 : 10.0.29.6,
+			     10.0.29.7 : 10.0.29.7, 10.0.29.8 : 10.0.29.8,
+			     10.0.29.9 : 10.0.29.9, 10.0.29.10 : 10.0.29.10,
+			     10.0.29.11 : 10.0.29.11, 10.0.29.12 : 10.0.29.12,
+			     10.0.29.13 : 10.0.29.13, 10.0.29.14 : 10.0.29.14,
+			     10.0.29.15 : 10.0.29.15, 10.0.29.16 : 10.0.29.16,
+			     10.0.29.17 : 10.0.29.17, 10.0.29.18 : 10.0.29.18,
+			     10.0.29.19 : 10.0.29.19, 10.0.29.20 : 10.0.29.20,
+			     10.0.29.21 : 10.0.29.21, 10.0.29.22 : 10.0.29.22,
+			     10.0.29.23 : 10.0.29.23, 10.0.29.24 : 10.0.29.24,
+			     10.0.29.25 : 10.0.29.25, 10.0.29.26 : 10.0.29.26,
+			     10.0.29.27 : 10.0.29.27, 10.0.29.28 : 10.0.29.28,
+			     10.0.29.29 : 10.0.29.29, 10.0.29.30 : 10.0.29.30,
+			     10.0.29.31 : 10.0.29.31, 10.0.30.1 : 10.0.30.1,
+			     10.0.30.2 : 10.0.30.2, 10.0.30.3 : 10.0.30.3,
+			     10.0.30.4 : 10.0.30.4, 10.0.30.5 : 10.0.30.5,
+			     10.0.30.6 : 10.0.30.6, 10.0.30.7 : 10.0.30.7,
+			     10.0.30.8 : 10.0.30.8, 10.0.30.9 : 10.0.30.9,
+			     10.0.30.10 : 10.0.30.10, 10.0.30.11 : 10.0.30.11,
+			     10.0.30.12 : 10.0.30.12, 10.0.30.13 : 10.0.30.13,
+			     10.0.30.14 : 10.0.30.14, 10.0.30.15 : 10.0.30.15,
+			     10.0.30.16 : 10.0.30.16, 10.0.30.17 : 10.0.30.17,
+			     10.0.30.18 : 10.0.30.18, 10.0.30.19 : 10.0.30.19,
+			     10.0.30.20 : 10.0.30.20, 10.0.30.21 : 10.0.30.21,
+			     10.0.30.22 : 10.0.30.22, 10.0.30.23 : 10.0.30.23,
+			     10.0.30.24 : 10.0.30.24, 10.0.30.25 : 10.0.30.25,
+			     10.0.30.26 : 10.0.30.26, 10.0.30.27 : 10.0.30.27,
+			     10.0.30.28 : 10.0.30.28, 10.0.30.29 : 10.0.30.29,
+			     10.0.30.30 : 10.0.30.30, 10.0.30.31 : 10.0.30.31,
+			     10.0.31.1 : 10.0.31.1, 10.0.31.2 : 10.0.31.2,
+			     10.0.31.3 : 10.0.31.3, 10.0.31.4 : 10.0.31.4,
+			     10.0.31.5 : 10.0.31.5, 10.0.31.6 : 10.0.31.6,
+			     10.0.31.7 : 10.0.31.7, 10.0.31.8 : 10.0.31.8,
+			     10.0.31.9 : 10.0.31.9, 10.0.31.10 : 10.0.31.10,
+			     10.0.31.11 : 10.0.31.11, 10.0.31.12 : 10.0.31.12,
+			     10.0.31.13 : 10.0.31.13, 10.0.31.14 : 10.0.31.14,
+			     10.0.31.15 : 10.0.31.15, 10.0.31.16 : 10.0.31.16,
+			     10.0.31.17 : 10.0.31.17, 10.0.31.18 : 10.0.31.18,
+			     10.0.31.19 : 10.0.31.19, 10.0.31.20 : 10.0.31.20,
+			     10.0.31.21 : 10.0.31.21, 10.0.31.22 : 10.0.31.22,
+			     10.0.31.23 : 10.0.31.23, 10.0.31.24 : 10.0.31.24,
+			     10.0.31.25 : 10.0.31.25, 10.0.31.26 : 10.0.31.26,
+			     10.0.31.27 : 10.0.31.27, 10.0.31.28 : 10.0.31.28,
+			     10.0.31.29 : 10.0.31.29, 10.0.31.30 : 10.0.31.30,
+			     10.0.31.31 : 10.0.31.31 }
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/0004interval_map_create_once_0.nodump b/tests/shell/testcases/maps/dumps/0004interval_map_create_once_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0004interval_map_create_once_0.nodump
diff --git a/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft b/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft
new file mode 100644
index 0000000..ab992c4
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0005interval_map_add_many_elements_0.nft
@@ -0,0 +1,8 @@
+table ip x {
+	map y {
+		type ipv4_addr : ipv4_addr
+		flags interval
+		elements = { 10.1.1.0/24 : 10.0.1.1, 10.1.2.0/24 : 10.0.1.2,
+			     10.2.1.0/24 : 10.0.2.1, 10.2.2.0/24 : 10.0.2.2 }
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft b/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft
new file mode 100644
index 0000000..1f5343f
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0006interval_map_overlap_0.nft
@@ -0,0 +1,7 @@
+table ip x {
+	map y {
+		type ipv4_addr : ipv4_addr
+		flags interval
+		elements = { 10.0.1.0/24 : 10.0.0.1, 10.0.2.0/24 : 10.0.0.2 }
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.nft b/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.nft
new file mode 100644
index 0000000..878e7c0
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0007named_ifname_dtype_0.nft
@@ -0,0 +1,11 @@
+table inet t {
+	map m1 {
+		type ifname : ipv4_addr
+		elements = { "eth0" : 1.1.1.1 }
+	}
+
+	chain c {
+		ip daddr set iifname map @m1
+		ip daddr set oifname map @m1
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.nft b/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.nft
new file mode 100644
index 0000000..a470a34
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0008interval_map_delete_0.nft
@@ -0,0 +1,15 @@
+table ip filter {
+	map m {
+		type ipv4_addr : mark
+		flags interval
+		elements = { 127.0.0.2 : 0x00000002, 127.0.0.3 : 0x00000003 }
+	}
+
+	chain input {
+		type filter hook input priority filter; policy accept;
+		meta mark set ip daddr map @m
+		meta mark 0x00000002 counter packets 0 bytes 0 accept
+		meta mark 0x00000003 counter packets 0 bytes 0 accept
+		counter packets 0 bytes 0
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/0009vmap_0.nft b/tests/shell/testcases/maps/dumps/0009vmap_0.nft
new file mode 100644
index 0000000..c37574a
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0009vmap_0.nft
@@ -0,0 +1,13 @@
+table inet filter {
+	chain ssh_input {
+	}
+
+	chain wan_input {
+		tcp dport vmap { 22 : jump ssh_input }
+	}
+
+	chain prerouting {
+		type filter hook prerouting priority raw; policy accept;
+		iif vmap { "lo" counter packets 0 bytes 0 : jump wan_input }
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/0010concat_map_0.nft b/tests/shell/testcases/maps/dumps/0010concat_map_0.nft
new file mode 100644
index 0000000..2f796b5
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0010concat_map_0.nft
@@ -0,0 +1,11 @@
+table inet x {
+	map z {
+		type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service
+		elements = { 1.1.1.1 . tcp . 20 : 2.2.2.2 . 30 }
+	}
+
+	chain y {
+		type nat hook prerouting priority dstnat; policy accept;
+		dnat ip to ip saddr . ip protocol . tcp dport map @z
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/0011vmap_0.nft b/tests/shell/testcases/maps/dumps/0011vmap_0.nft
new file mode 100644
index 0000000..4a72b5e
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0011vmap_0.nft
@@ -0,0 +1,19 @@
+table inet filter {
+	map portmap {
+		type inet_service : verdict
+		counter
+		elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
+	}
+
+	chain ssh_input {
+	}
+
+	chain wan_input {
+		tcp dport vmap @portmap
+	}
+
+	chain prerouting {
+		type filter hook prerouting priority raw; policy accept;
+		iif vmap { "lo" : jump wan_input }
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/0012map_0.nft b/tests/shell/testcases/maps/dumps/0012map_0.nft
new file mode 100644
index 0000000..895490c
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0012map_0.nft
@@ -0,0 +1,25 @@
+table ip x {
+	map z {
+		type ifname : verdict
+		elements = { "lo" : accept,
+			     "eth0" : drop,
+			     "eth1" : drop }
+	}
+
+	map w {
+		typeof ip saddr . meta mark : verdict
+		flags interval
+		counter
+		elements = { 127.0.0.1-127.0.0.4 . 0x00123434-0x00b00122 counter packets 0 bytes 0 : accept }
+	}
+
+	chain y {
+		iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
+	}
+
+	chain k {
+		type filter hook input priority filter + 1; policy accept;
+		meta mark set 0x00123434
+		ip saddr . meta mark vmap @w
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/0013map_0.nft b/tests/shell/testcases/maps/dumps/0013map_0.nft
new file mode 100644
index 0000000..1455877
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0013map_0.nft
@@ -0,0 +1,13 @@
+table ip filter {
+	map forwport {
+		type ipv4_addr . inet_proto . inet_service : verdict
+		flags interval
+		counter
+		elements = { 10.133.89.138 . tcp . 8081 counter packets 0 bytes 0 : accept }
+	}
+
+	chain FORWARD {
+		type filter hook forward priority filter; policy drop;
+		iifname "enp0s8" ip daddr . ip protocol . th dport vmap @forwport counter packets 0 bytes 0
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/0014destroy_0.nft b/tests/shell/testcases/maps/dumps/0014destroy_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0014destroy_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/maps/dumps/0016map_leak_0.nft b/tests/shell/testcases/maps/dumps/0016map_leak_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0016map_leak_0.nft
diff --git a/tests/shell/testcases/maps/dumps/0017_map_variable_0.nft b/tests/shell/testcases/maps/dumps/0017_map_variable_0.nft
new file mode 100644
index 0000000..796dd72
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0017_map_variable_0.nft
@@ -0,0 +1,11 @@
+table ip x {
+	map y {
+		typeof ip saddr : meta mark
+		elements = { 1.1.1.1 : 0x00000002, * : 0x00000003 }
+	}
+
+	map z {
+		typeof ip saddr : meta mark
+		elements = { 1.1.1.1 : 0x00000002, * : 0x00000003 }
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.nft b/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0018map_leak_timeout_0.nft
diff --git a/tests/shell/testcases/maps/dumps/anon_objmap_concat.nft b/tests/shell/testcases/maps/dumps/anon_objmap_concat.nft
new file mode 100644
index 0000000..23aca0a
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/anon_objmap_concat.nft
@@ -0,0 +1,16 @@
+table inet filter {
+	ct helper sip-5060u {
+		type "sip" protocol udp
+		l3proto ip
+	}
+
+	ct helper sip-5060t {
+		type "sip" protocol tcp
+		l3proto ip
+	}
+
+	chain input {
+		type filter hook input priority filter; policy accept;
+		ct helper set ip protocol . th dport map { udp . 10000-20000 : "sip-5060u", tcp . 10000-20000 : "sip-5060t" }
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.nft b/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.nft
new file mode 100644
index 0000000..5009560
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/anonymous_snat_map_0.nft
@@ -0,0 +1,5 @@
+table ip nat {
+	chain postrouting {
+		snat to ip saddr map { 1.1.1.1 : 2.2.2.2 }
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/different_map_types_1.nft b/tests/shell/testcases/maps/dumps/different_map_types_1.nft
new file mode 100644
index 0000000..3c18b5c
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/different_map_types_1.nft
@@ -0,0 +1,5 @@
+table ip filter {
+	chain output {
+		type filter hook output priority filter; policy accept;
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.nft b/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.nft
new file mode 100644
index 0000000..37c48bf
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/map_catchall_double_deactivate.nft
@@ -0,0 +1,4 @@
+table ip test {
+	chain testchain {
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/map_with_flags_0.nft b/tests/shell/testcases/maps/dumps/map_with_flags_0.nft
new file mode 100644
index 0000000..c96b1ed
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/map_with_flags_0.nft
@@ -0,0 +1,6 @@
+table ip x {
+	map y {
+		type ipv4_addr : ipv4_addr
+		flags timeout
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/named_snat_map_0.nft b/tests/shell/testcases/maps/dumps/named_snat_map_0.nft
new file mode 100644
index 0000000..a7c5751
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/named_snat_map_0.nft
@@ -0,0 +1,10 @@
+table ip nat {
+	map m {
+		type ipv4_addr : ipv4_addr
+		elements = { 1.1.1.1 : 2.2.2.2 }
+	}
+
+	chain postrouting {
+		snat to ip saddr map @m
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/nat_addr_port.nft b/tests/shell/testcases/maps/dumps/nat_addr_port.nft
new file mode 100644
index 0000000..c8493b3
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/nat_addr_port.nft
@@ -0,0 +1,129 @@
+table ip ipfoo {
+	map t1 {
+		typeof numgen inc mod 2 : ip daddr
+	}
+
+	map t2 {
+		typeof numgen inc mod 2 : ip daddr . tcp dport
+	}
+
+	map x {
+		type ipv4_addr : ipv4_addr
+	}
+
+	map y {
+		type ipv4_addr : ipv4_addr . inet_service
+		elements = { 192.168.7.2 : 10.1.1.1 . 4242 }
+	}
+
+	map z {
+		type ipv4_addr . inet_service : ipv4_addr . inet_service
+		elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
+	}
+
+	chain c {
+		type nat hook prerouting priority dstnat; policy accept;
+		iifname != "foobar" accept
+		dnat to ip daddr map @x
+		ip saddr 10.1.1.1 dnat to 10.2.3.4
+		ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242
+		meta l4proto tcp dnat ip to ip saddr map @y
+		dnat ip to ip saddr . tcp dport map @z
+		dnat to numgen inc mod 2 map @t1
+		meta l4proto tcp dnat ip to numgen inc mod 2 map @t2
+	}
+}
+table ip6 ip6foo {
+	map t1 {
+		typeof numgen inc mod 2 : ip6 daddr
+	}
+
+	map t2 {
+		typeof numgen inc mod 2 : ip6 daddr . tcp dport
+	}
+
+	map x {
+		type ipv6_addr : ipv6_addr
+	}
+
+	map y {
+		type ipv6_addr : ipv6_addr . inet_service
+	}
+
+	map z {
+		type ipv6_addr . inet_service : ipv6_addr . inet_service
+	}
+
+	chain c {
+		type nat hook prerouting priority dstnat; policy accept;
+		iifname != "foobar" accept
+		dnat to ip6 daddr map @x
+		ip6 saddr dead::1 dnat to feed::1
+		ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242
+		meta l4proto tcp dnat ip6 to ip6 saddr map @y
+		dnat ip6 to ip6 saddr . tcp dport map @z
+		dnat to numgen inc mod 2 map @t1
+		meta l4proto tcp dnat ip6 to numgen inc mod 2 map @t2
+	}
+}
+table inet inetfoo {
+	map t1v4 {
+		typeof numgen inc mod 2 : ip daddr
+	}
+
+	map t2v4 {
+		typeof numgen inc mod 2 : ip daddr . tcp dport
+	}
+
+	map t1v6 {
+		typeof numgen inc mod 2 : ip6 daddr
+	}
+
+	map t2v6 {
+		typeof numgen inc mod 2 : ip6 daddr . tcp dport
+	}
+
+	map x4 {
+		type ipv4_addr : ipv4_addr
+	}
+
+	map y4 {
+		type ipv4_addr : ipv4_addr . inet_service
+	}
+
+	map z4 {
+		type ipv4_addr . inet_service : ipv4_addr . inet_service
+		elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
+	}
+
+	map x6 {
+		type ipv6_addr : ipv6_addr
+	}
+
+	map y6 {
+		type ipv6_addr : ipv6_addr . inet_service
+	}
+
+	map z6 {
+		type ipv6_addr . inet_service : ipv6_addr . inet_service
+	}
+
+	chain c {
+		type nat hook prerouting priority dstnat; policy accept;
+		iifname != "foobar" accept
+		dnat ip to ip daddr map @x4
+		ip saddr 10.1.1.1 dnat ip to 10.2.3.4
+		ip saddr 10.1.1.2 tcp dport 42 dnat ip to 10.2.3.4:4242
+		meta l4proto tcp dnat ip to ip saddr map @y4
+		dnat ip to ip saddr . tcp dport map @z4
+		dnat ip to numgen inc mod 2 map @t1v4
+		meta l4proto tcp dnat ip to numgen inc mod 2 map @t2v4
+		dnat ip6 to ip6 daddr map @x6
+		ip6 saddr dead::1 dnat ip6 to feed::1
+		ip6 saddr dead::2 tcp dport 42 dnat ip6 to [c0::1a]:4242
+		meta l4proto tcp dnat ip6 to ip6 saddr map @y6
+		dnat ip6 to ip6 saddr . tcp dport map @z6
+		dnat ip6 to numgen inc mod 2 map @t1v6
+		meta l4proto tcp dnat ip6 to numgen inc mod 2 map @t2v6
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/typeof_integer_0.nft b/tests/shell/testcases/maps/dumps/typeof_integer_0.nft
new file mode 100644
index 0000000..19c24fe
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/typeof_integer_0.nft
@@ -0,0 +1,20 @@
+table inet t {
+	map m1 {
+		typeof udp length . @ih,32,32 : verdict
+		flags interval
+		elements = { 20-80 . 0x14 : accept,
+			     1-10 . 0xa : drop }
+	}
+
+	map m2 {
+		typeof udp length . @ih,32,32 : verdict
+		elements = { 30 . 0x1e : drop,
+			     20 . 0x24 : accept }
+	}
+
+	chain c {
+		udp length . @nh,32,32 vmap @m1
+		udp length . @nh,32,32 vmap @m2
+		udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept }
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_0.nft
new file mode 100644
index 0000000..a5c0a60
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_0.nft
@@ -0,0 +1,36 @@
+table inet t {
+	map m1 {
+		typeof osf name : ct mark
+		elements = { "Linux" : 0x00000001 }
+	}
+
+	map m2 {
+		typeof vlan id : meta mark
+		elements = { 1 : 0x00000001, 4095 : 0x00004095 }
+	}
+
+	map m3 {
+		typeof ip saddr . ip daddr : meta mark
+		elements = { 1.2.3.4 . 5.6.7.8 : 0x00000001,
+			     2.3.4.5 . 6.7.8.9 : 0x00000002 }
+	}
+
+	map m4 {
+		typeof iifname . ip protocol . th dport : verdict
+		elements = { "eth0" . tcp . 22 : accept }
+	}
+
+	map m5 {
+		typeof ipsec in reqid . iifname : verdict
+		elements = { 23 . "eth0" : accept }
+	}
+
+	chain c {
+		ct mark set osf name map @m1
+		meta mark set vlan id map @m2
+		meta mark set ip saddr . ip daddr map @m3
+		iifname . ip protocol . th dport vmap @m4
+		iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop }
+		ipsec in reqid . iifname vmap @m5
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft
new file mode 100644
index 0000000..9134673
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.nft
@@ -0,0 +1,22 @@
+table ip dynset {
+	map dynmark {
+		typeof ip daddr : meta mark
+		size 64
+		counter
+		timeout 5m
+	}
+
+	chain test_ping {
+		ip saddr @dynmark counter packets 0 bytes 0 comment "should not increment"
+		ip saddr != @dynmark add @dynmark { ip saddr : 0x00000001 } counter packets 1 bytes 84
+		ip saddr @dynmark counter packets 1 bytes 84 comment "should increment"
+		ip saddr @dynmark delete @dynmark { ip saddr : 0x00000001 }
+		ip saddr @dynmark counter packets 0 bytes 0 comment "delete should be instant but might fail under memory pressure"
+	}
+
+	chain input {
+		type filter hook input priority filter; policy accept;
+		add @dynmark { 10.2.3.4 timeout 1s : 0x00000002 } comment "also check timeout-gc"
+		meta l4proto icmp ip daddr 127.0.0.42 jump test_ping
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft
new file mode 100644
index 0000000..1ca98d8
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft
@@ -0,0 +1,11 @@
+table netdev t {
+	map m {
+		typeof ether saddr . vlan id : meta mark
+		size 1234
+		flags dynamic,timeout
+	}
+
+	chain c {
+		ether type != 8021q update @m { ether daddr . 123 timeout 1m : 0x0000002a } counter packets 0 bytes 0 return
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft
new file mode 100644
index 0000000..f8b574f
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft
@@ -0,0 +1,13 @@
+table ip foo {
+	map pinned {
+		typeof ip saddr . ct original proto-dst : ip daddr . tcp dport
+		size 65535
+		flags dynamic,timeout
+		timeout 6m
+	}
+
+	chain pr {
+		update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
+		update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_update_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.nft
new file mode 100644
index 0000000..698219c
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.nft
@@ -0,0 +1,21 @@
+table ip kube-nfproxy-v4 {
+	map sticky-set-svc-M53CN2XYVUHRQ7UB {
+		type ipv4_addr : mark
+		size 65535
+		timeout 6m
+	}
+
+	map sticky-set-svc-153CN2XYVUHRQ7UB {
+		typeof ip daddr : meta mark
+		size 65535
+		timeout 1m
+	}
+
+	chain k8s-nfproxy-sep-TMVEFT7EX55F4T62 {
+		update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x00000002 }
+	}
+
+	chain k8s-nfproxy-sep-GMVEFT7EX55F4T62 {
+		update @sticky-set-svc-153CN2XYVUHRQ7UB { ip saddr : 0x00000003 }
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/typeof_raw_0.nft b/tests/shell/testcases/maps/dumps/typeof_raw_0.nft
new file mode 100644
index 0000000..476169f
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/typeof_raw_0.nft
@@ -0,0 +1,13 @@
+table ip x {
+	map y {
+		typeof ip saddr . @ih,32,32 : verdict
+		elements = { 1.1.1.1 . 0x14 : accept,
+			     7.7.7.7 . 0x86 : accept,
+			     7.7.7.8 . 0x97 : drop }
+	}
+
+	chain y {
+		ip saddr . @nh,32,32 vmap @y
+		ip saddr . @nh,32,32 vmap { 4.4.4.4 . 0x34 : accept, 5.5.5.5 . 0x45 : drop }
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.nft b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.nft
new file mode 100644
index 0000000..beb5ffb
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/vmap_mark_bitwise_0.nft
@@ -0,0 +1,26 @@
+table ip x {
+	counter c_o0_0 {
+		packets 0 bytes 0
+	}
+
+	map sctm_o0 {
+		type mark : verdict
+		elements = { 0x00000000 : jump sctm_o0_0, 0x00000001 : jump sctm_o0_1 }
+	}
+
+	map sctm_o1 {
+		type mark : counter
+		elements = { 0x00000000 : "c_o0_0" }
+	}
+
+	chain sctm_o0_0 {
+	}
+
+	chain sctm_o0_1 {
+	}
+
+	chain SET_ctmark_RPLYroute {
+		meta mark >> 8 & 0xf vmap @sctm_o0
+		counter name meta mark >> 8 & 0xf map @sctm_o1
+	}
+}
diff --git a/tests/shell/testcases/maps/dumps/vmap_timeout.nft b/tests/shell/testcases/maps/dumps/vmap_timeout.nft
new file mode 100644
index 0000000..095f894
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/vmap_timeout.nft
@@ -0,0 +1,36 @@
+table inet filter {
+	map portmap {
+		type inet_service : verdict
+		flags timeout
+		gc-interval 10s
+		elements = { 22 : jump ssh_input }
+	}
+
+	map portaddrmap {
+		typeof ip daddr . th dport : verdict
+		flags timeout
+		gc-interval 10s
+		elements = { 1.2.3.4 . 22 : jump ssh_input }
+	}
+
+	chain ssh_input {
+	}
+
+	chain log_and_drop {
+		drop
+	}
+
+	chain other_input {
+		goto log_and_drop
+	}
+
+	chain wan_input {
+		ip daddr . tcp dport vmap @portaddrmap
+		tcp dport vmap @portmap
+	}
+
+	chain prerouting {
+		type filter hook prerouting priority raw; policy accept;
+		iif vmap { "lo" : jump wan_input }
+	}
+}
diff --git a/tests/shell/testcases/maps/map_catchall_double_deactivate b/tests/shell/testcases/maps/map_catchall_double_deactivate
new file mode 100755
index 0000000..651c08a
--- /dev/null
+++ b/tests/shell/testcases/maps/map_catchall_double_deactivate
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element)
+
+$NFT "add table ip test ;
+     add map ip test testmap { type ipv4_addr : verdict; };
+     add chain ip test testchain;
+     add element ip test testmap { * : jump testchain }" || exit 1
+
+$NFT "flush map ip test testmap; delete map ip test testmap; delete map ip test testmap" 2>/dev/null && exit 1
+$NFT "flush map ip test testmap; delete map ip test testmap; delete element ip test testmap { * : jump testchain }" 2>/dev/null && exit 1
+
+$NFT "flush map ip test testmap; delete map ip test testmap" || exit 1
diff --git a/tests/shell/testcases/maps/map_with_flags_0 b/tests/shell/testcases/maps/map_with_flags_0
new file mode 100755
index 0000000..68bd80d
--- /dev/null
+++ b/tests/shell/testcases/maps/map_with_flags_0
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table x
+$NFT add map x y { type ipv4_addr : ipv4_addr\; flags timeout\; }
diff --git a/tests/shell/testcases/maps/named_snat_map_0 b/tests/shell/testcases/maps/named_snat_map_0
new file mode 100755
index 0000000..addb9f7
--- /dev/null
+++ b/tests/shell/testcases/maps/named_snat_map_0
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# nameds map can be addedd to a snat rule
+
+set -e
+$NFT add table nat
+$NFT add chain nat postrouting
+$NFT add map nat m { type ipv4_addr : ipv4_addr\; }
+$NFT add element nat m {1.1.1.1: 2.2.2.2}
+$NFT add rule nat postrouting snat ip saddr map @m
diff --git a/tests/shell/testcases/maps/nat_addr_port b/tests/shell/testcases/maps/nat_addr_port
new file mode 100755
index 0000000..2804d48
--- /dev/null
+++ b/tests/shell/testcases/maps/nat_addr_port
@@ -0,0 +1,207 @@
+#!/bin/bash
+
+# skeleton
+$NFT -f /dev/stdin <<EOF || exit 1
+table ip ipfoo {
+	map t1 {
+		typeof numgen inc mod 2 : ip daddr;
+	}
+
+	map t2 {
+		typeof numgen inc mod 2 : ip daddr . tcp dport
+	}
+
+	map x {
+		type ipv4_addr : ipv4_addr
+	}
+	map y {
+		type ipv4_addr : ipv4_addr . inet_service
+		elements = { 192.168.7.2 : 10.1.1.1 . 4242 }
+	}
+	map z {
+		type ipv4_addr . inet_service : ipv4_addr . inet_service
+		elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
+	}
+
+	chain c {
+		type nat hook prerouting priority dstnat; policy accept;
+		meta iifname != "foobar" accept
+		dnat to ip daddr map @x
+		ip saddr 10.1.1.1 dnat to 10.2.3.4
+		ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242
+		meta l4proto tcp dnat ip addr . port to ip saddr map @y
+		meta l4proto tcp dnat ip addr . port to ip saddr . tcp dport map @z
+		dnat ip to numgen inc mod 2 map @t1
+		meta l4proto tcp dnat ip addr . port to numgen inc mod 2 map @t2
+	}
+}
+EOF
+
+# should fail: rule has no test for l4 protocol
+$NFT add rule 'ip ipfoo c ip saddr 10.1.1.2 dnat to 10.2.3.4:4242' && exit 1
+
+# should fail: rule has no test for l4 protocol, but map has inet_service
+$NFT add rule 'ip ipfoo c dnat to ip daddr map @y' && exit 1
+
+# skeleton 6
+$NFT -f /dev/stdin <<EOF || exit 1
+table ip6 ip6foo {
+	map t1 {
+		typeof numgen inc mod 2 : ip6 daddr;
+	}
+
+	map t2 {
+		typeof numgen inc mod 2 : ip6 daddr . tcp dport
+	}
+
+	map x {
+		type ipv6_addr : ipv6_addr
+	}
+	map y {
+		type ipv6_addr : ipv6_addr . inet_service
+	}
+	map z {
+		type ipv6_addr . inet_service : ipv6_addr . inet_service
+	}
+
+	chain c {
+		type nat hook prerouting priority dstnat; policy accept;
+		meta iifname != "foobar" accept
+		dnat to ip6 daddr map @x
+		ip6 saddr dead::1 dnat to feed::1
+		ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242
+		meta l4proto tcp dnat ip6 addr . port to ip6 saddr map @y
+		meta l4proto tcp dnat ip6 addr . port to ip6 saddr . tcp dport map @z
+		dnat ip6 to numgen inc mod 2 map @t1
+		meta l4proto tcp dnat ip6 addr . port to numgen inc mod 2 map @t2
+	}
+}
+EOF
+
+# should fail: rule has no test for l4 protocol
+$NFT add rule 'ip6 ip6foo c ip6 saddr f0:0b::a3 dnat to [1c::3]:42' && exit 1
+
+# should fail: rule has no test for l4 protocol, but map has inet_service
+$NFT add rule 'ip6 ip6foo c dnat to ip daddr map @y' && exit 1
+
+# skeleton inet
+$NFT -f /dev/stdin <<EOF || exit 1
+table inet inetfoo {
+	map t1v4 {
+		typeof numgen inc mod 2 : ip daddr
+	}
+
+	map t2v4 {
+		typeof numgen inc mod 2 : ip daddr . tcp dport;
+	}
+
+	map t1v6 {
+		typeof numgen inc mod 2 : ip6 daddr;
+	}
+
+	map t2v6 {
+		typeof numgen inc mod 2 : ip6 daddr . tcp dport
+	}
+
+	map x4 {
+		type ipv4_addr : ipv4_addr
+	}
+	map y4 {
+		type ipv4_addr : ipv4_addr . inet_service
+	}
+	map z4 {
+		type ipv4_addr . inet_service : ipv4_addr . inet_service
+		elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
+	}
+	map x6 {
+		type ipv6_addr : ipv6_addr
+	}
+	map y6 {
+		type ipv6_addr : ipv6_addr . inet_service
+	}
+	map z6 {
+		type ipv6_addr . inet_service : ipv6_addr . inet_service
+	}
+
+	chain c {
+		type nat hook prerouting priority dstnat; policy accept;
+		meta iifname != "foobar" accept
+		dnat ip to ip daddr map @x4
+		ip saddr 10.1.1.1 dnat to 10.2.3.4
+		ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242
+		meta l4proto tcp dnat ip addr . port to ip saddr map @y4
+		meta l4proto tcp dnat ip addr . port to ip saddr . tcp dport map @z4
+		dnat ip to numgen inc mod 2 map @t1v4
+		meta l4proto tcp dnat ip addr . port to numgen inc mod 2 map @t2v4
+		dnat ip6 to ip6 daddr map @x6
+		ip6 saddr dead::1 dnat to feed::1
+		ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242
+		meta l4proto tcp dnat ip6 addr . port to ip6 saddr map @y6
+		meta l4proto tcp dnat ip6 addr . port to ip6 saddr . tcp dport map @z6
+		dnat ip6 to numgen inc mod 2 map @t1v6
+		meta l4proto tcp dnat ip6 addr . port to numgen inc mod 2 map @t2v6
+	}
+}
+EOF
+
+# should fail: map has wrong family: 4->6
+$NFT add rule 'inet inetfoo c dnat to ip daddr map @x6' && exit 1
+
+# should fail: map has wrong family: 6->4
+$NFT add rule 'inet inetfoo c dnat to ip6 daddr map @x4' && exit 1
+
+# should fail: rule has no test for l4 protocol
+$NFT add rule 'inet inetfoo c ip6 saddr f0:0b::a3 dnat to [1c::3]:42' && exit 1
+
+# should fail: rule has no test for l4 protocol, but map has inet_service
+$NFT add rule 'inet inetfoo c dnat to ip daddr map @y4' && exit 1
+
+# should fail: rule has test for l4 protocol, but map has wrong family: 4->6
+$NFT add rule 'inet inetfoo c meta l4proto tcp dnat to ip daddr map @y6' && exit 1
+
+# should fail: rule has test for l4 protocol, but map has wrong family: 6->4
+$NFT add rule 'inet inetfoo c meta l4proto tcp dnat to ip6 daddr map @y4' && exit 1
+
+# fail: inet_service, but expect ipv4_addr
+$NFT -f /dev/stdin <<EOF && exit 1
+table inet inetfoo {
+	map a {
+		type ipv4_addr : inet_service
+	}
+
+	chain c {
+		type nat hook prerouting priority dstnat; policy accept;
+		meta l4proto tcp dnat ip to ip saddr map @a
+	}
+}
+EOF
+
+# fail: maps to inet_service . inet_service, not addr . service
+$NFT -f /dev/stdin <<EOF && exit 1
+table inet inetfoo {
+	map b {
+		type ipv4_addr : inet_service . inet_service
+	}
+
+	chain c {
+		type nat hook prerouting priority dstnat; policy accept;
+		meta l4proto tcp dnat ip to ip saddr map @a
+	}
+}
+EOF
+
+# fail: only accept exactly two sub-expressions: 'addr . service'
+$NFT -f /dev/stdin <<EOF && exit 1
+table inet inetfoo {
+	map b {
+		type ipv4_addr : inet_addr . inet_service . inet_service
+	}
+
+	chain c {
+		type nat hook prerouting priority dstnat; policy accept;
+		meta l4proto tcp dnat ip to ip saddr map @a
+	}
+}
+EOF
+
+exit 0
diff --git a/tests/shell/testcases/maps/typeof_integer_0 b/tests/shell/testcases/maps/typeof_integer_0
new file mode 100755
index 0000000..0deff5e
--- /dev/null
+++ b/tests/shell/testcases/maps/typeof_integer_0
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+EXPECTED="table inet t {
+	map m1 {
+		typeof udp length . @ih,32,32 : verdict
+		flags interval
+		elements = { 20-80 . 0x14 : accept, 1-10 . 0xa : drop }
+	}
+
+	map m2 {
+		typeof udp length . @ih,32,32 : verdict
+		elements = { 20 . 0x24 : accept, 30 . 0x1e : drop }
+	}
+
+	chain c {
+		udp length . @nh,32,32 vmap @m1
+		udp length . @nh,32,32 vmap @m2
+		udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept }
+	}
+}"
+
+$NFT add element inet t m1 { 90-100 . 40 : drop }
+$NFT delete element inet t m2 { 20 . 20 : accept }
+
+set -e
+$NFT -f - <<< $EXPECTED
+
diff --git a/tests/shell/testcases/maps/typeof_maps_0 b/tests/shell/testcases/maps/typeof_maps_0
new file mode 100755
index 0000000..98517fd
--- /dev/null
+++ b/tests/shell/testcases/maps/typeof_maps_0
@@ -0,0 +1,101 @@
+#!/bin/bash
+
+# support for strings and integers in named maps.
+# without typeof, this is 'type string' and 'type integer',
+# but neither could be used because it lacks size information.
+
+set -e
+
+die() {
+	printf '%s\n' "$*"
+	exit 1
+}
+
+INPUT_OSF_CT="
+		ct mark set osf name map @m1"
+if [ "$NFT_TEST_HAVE_osf" = n ] ; then
+	INPUT_OSF_CT=
+fi
+
+INPUT="table inet t {
+	map m1 {
+		typeof osf name : ct mark
+		elements = { Linux : 0x00000001 }
+	}
+
+	map m2 {
+		typeof vlan id : mark
+		elements = { 1 : 0x1,
+			     4095 : 0x4095 }
+	}
+
+	map m3 {
+		typeof ip saddr . ip daddr : meta mark
+		elements = { 1.2.3.4 . 5.6.7.8 : 0x00000001,
+			     2.3.4.5 . 6.7.8.9 : 0x00000002 }
+	}
+
+	map m4 {
+		typeof        iifname . ip protocol . th dport : verdict
+		elements = { eth0 . tcp . 22 : accept }
+	}
+
+	map m5 {
+		typeof ipsec in reqid . meta iifname : verdict
+		elements = { 23 . eth0 : accept }
+	}
+
+	chain c {$INPUT_OSF_CT
+		ether type vlan meta mark set vlan id map @m2
+		meta mark set ip saddr . ip daddr map @m3
+		iifname . ip protocol . th dport vmap @m4
+		iifname . ip protocol . th dport vmap { \"eth0\" . tcp . 22 : accept, \"eth1\" . udp . 67 : drop }
+		ipsec in reqid . meta iifname vmap @m5
+	}
+}"
+
+EXPECTED="table inet t {
+	map m1 {
+		typeof osf name : ct mark
+		elements = { \"Linux\" : 0x00000001 }
+	}
+
+	map m2 {
+		typeof vlan id : meta mark
+		elements = { 1 : 0x00000001, 4095 : 0x00004095 }
+	}
+
+	map m3 {
+		typeof ip saddr . ip daddr : meta mark
+		elements = { 1.2.3.4 . 5.6.7.8 : 0x00000001,
+			     2.3.4.5 . 6.7.8.9 : 0x00000002 }
+	}
+
+	map m4 {
+		typeof iifname . ip protocol . th dport : verdict
+		elements = { \"eth0\" . tcp . 22 : accept }
+	}
+
+	map m5 {
+		typeof ipsec in reqid . iifname : verdict
+		elements = { 23 . \"eth0\" : accept }
+	}
+
+	chain c {$INPUT_OSF_CT
+		meta mark set vlan id map @m2
+		meta mark set ip saddr . ip daddr map @m3
+		iifname . ip protocol . th dport vmap @m4
+		iifname . ip protocol . th dport vmap { \"eth0\" . tcp . 22 : accept, \"eth1\" . udp . 67 : drop }
+		ipsec in reqid . iifname vmap @m5
+	}
+}"
+
+$NFT -f - <<< "$INPUT" || die $'nft command failed to process input:\n'">$INPUT<"
+
+$DIFF -u <($NFT list ruleset) - <<<"$EXPECTED" || die $'diff failed between ruleset and expected data.\nExpected:\n'">$EXPECTED<"
+
+
+if [ "$NFT_TEST_HAVE_osf" = n ] ; then
+    echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip"
+    exit 77
+fi
diff --git a/tests/shell/testcases/maps/typeof_maps_add_delete b/tests/shell/testcases/maps/typeof_maps_add_delete
new file mode 100755
index 0000000..5e2f8ec
--- /dev/null
+++ b/tests/shell/testcases/maps/typeof_maps_add_delete
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+CONDMATCH="ip saddr @dynmark"
+NCONDMATCH="ip saddr != @dynmark"
+
+# use reduced feature set
+if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then
+	CONDMATCH=""
+	NCONDMATCH=""
+fi
+
+EXPECTED="table ip dynset {
+	map dynmark {
+		typeof ip daddr : meta mark
+		counter
+		size 64
+		timeout 5m
+	}
+
+	chain test_ping {
+		$CONDMATCH counter comment \"should not increment\"
+		$NCONDMATCH add @dynmark { ip saddr : 0x1 } counter
+		$CONDMATCH counter comment \"should increment\"
+		$CONDMATCH delete @dynmark { ip saddr : 0x1 }
+		$CONDMATCH counter comment \"delete should be instant but might fail under memory pressure\"
+	}
+
+	chain input {
+		type filter hook input priority 0; policy accept;
+
+		add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment \"also check timeout-gc\"
+		meta l4proto icmp ip daddr 127.0.0.42 jump test_ping
+	}
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
+$NFT list ruleset
+
+ip link set lo up
+ping -c 1 127.0.0.42
+
+$NFT get element ip dynset dynmark { 10.2.3.4 }
+
+# wait so that 10.2.3.4 times out.
+sleep 2
+
+set +e
+$NFT get element ip dynset dynmark { 10.2.3.4 } && exit 1
+
+if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then
+	echo "Only tested a subset due to NFT_TEST_HAVE_map_lookup=n. Skipped."
+	exit 77
+fi
diff --git a/tests/shell/testcases/maps/typeof_maps_concat b/tests/shell/testcases/maps/typeof_maps_concat
new file mode 100755
index 0000000..07820b7
--- /dev/null
+++ b/tests/shell/testcases/maps/typeof_maps_concat
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"
diff --git a/tests/shell/testcases/maps/typeof_maps_concat_update_0 b/tests/shell/testcases/maps/typeof_maps_concat_update_0
new file mode 100755
index 0000000..2a52ea0
--- /dev/null
+++ b/tests/shell/testcases/maps/typeof_maps_concat_update_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# check update statement does print both concatentations (key and data).
+
+EXPECTED="table ip foo {
+ map pinned {
+	typeof ip saddr . ct original proto-dst : ip daddr . tcp dport
+	size 65535
+	flags dynamic,timeout
+        timeout 6m
+  }
+  chain pr {
+     update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
+     meta l4proto tcp update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
+  }
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
diff --git a/tests/shell/testcases/maps/typeof_maps_update_0 b/tests/shell/testcases/maps/typeof_maps_update_0
new file mode 100755
index 0000000..c233b13
--- /dev/null
+++ b/tests/shell/testcases/maps/typeof_maps_update_0
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# check update statement doesn't print "invalid dtype" on the data element.
+
+EXPECTED="table ip kube-nfproxy-v4 {
+ map sticky-set-svc-M53CN2XYVUHRQ7UB {
+  type ipv4_addr : mark
+  size 65535
+  timeout 6m
+ }
+
+ map sticky-set-svc-153CN2XYVUHRQ7UB {
+  typeof ip daddr : meta mark
+  size 65535
+  timeout 1m
+ }
+
+ chain k8s-nfproxy-sep-TMVEFT7EX55F4T62 {
+  update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x2 }
+ }
+ chain k8s-nfproxy-sep-GMVEFT7EX55F4T62 {
+  update @sticky-set-svc-153CN2XYVUHRQ7UB { ip saddr : 0x3 }
+ }
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
+
diff --git a/tests/shell/testcases/maps/typeof_raw_0 b/tests/shell/testcases/maps/typeof_raw_0
new file mode 100755
index 0000000..bcd2c6d
--- /dev/null
+++ b/tests/shell/testcases/maps/typeof_raw_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+EXPECTED="table ip x {
+	map y {
+		typeof ip saddr . @ih,32,32: verdict
+		elements = { 1.1.1.1 . 0x14 : accept, 2.2.2.2 . 0x1e : drop }
+	}
+
+	chain y {
+		ip saddr . @nh,32,32 vmap @y
+		ip saddr . @nh,32,32 vmap { 4.4.4.4 . 0x34 : accept, 5.5.5.5 . 0x45 : drop}
+	}
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
+$NFT add element ip x y { 7.7.7.7 . 0x86 : accept, 7.7.7.8 . 0x97 : drop }
+$NFT delete element ip x y { 2.2.2.2 . 0x1e : drop }
diff --git a/tests/shell/testcases/maps/vmap_mark_bitwise_0 b/tests/shell/testcases/maps/vmap_mark_bitwise_0
new file mode 100755
index 0000000..0d93355
--- /dev/null
+++ b/tests/shell/testcases/maps/vmap_mark_bitwise_0
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+	chain sctm_o0_0 {
+	}
+
+	chain sctm_o0_1 {
+	}
+
+	map sctm_o0 {
+		type mark : verdict
+		elements = {
+			0x0 : jump sctm_o0_0,
+			0x1 : jump sctm_o0_1,
+		}
+	}
+
+	counter c_o0_0 {}
+
+	map sctm_o1 {
+		type mark : counter
+		elements = {
+			0x0 : \"c_o0_0\",
+		}
+	}
+
+	chain SET_ctmark_RPLYroute {
+		meta mark >> 8 & 0xf vmap @sctm_o0
+	}
+
+	chain SET_ctmark_RPLYroute {
+		counter name meta mark >> 8 & 0xf map @sctm_o1
+	}
+}"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/maps/vmap_timeout b/tests/shell/testcases/maps/vmap_timeout
new file mode 100755
index 0000000..0cd965f
--- /dev/null
+++ b/tests/shell/testcases/maps/vmap_timeout
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
+
+set -e
+
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+$NFT -f $dumpfile
+
+port=23
+for i in $(seq 1 100) ; do
+	timeout=$((RANDOM%5))
+	timeout=$((timeout+1))
+	j=1
+
+	batched="{ $port timeout 3s : jump other_input "
+	batched_addr="{ 10.0.$((i%256)).$j . $port timeout ${timeout}s : jump other_input "
+	port=$((port + 1))
+	for j in $(seq 2 400); do
+		timeout=$((RANDOM%5))
+		timeout=$((timeout+1))
+
+		batched="$batched, $port timeout ${timeout}s : jump other_input "
+		batched_addr="$batched_addr, 10.0.$((i%256)).$((j%256)) . $port timeout ${timeout}s : jump other_input "
+		port=$((port + 1))
+	done
+
+	fail_addr="$batched_addr, 1.2.3.4 . 23 timeout 5m : jump other_input,
+	                          1.2.3.4 . 23 timeout 3m : jump other_input }"
+	fail="$batched, 23 timeout 1m : jump other_input, 23 : jump other_input }"
+
+	batched="$batched }"
+	batched_addr="$batched_addr }"
+
+	if [ $i -gt 90 ]; then
+		# must fail, we create and $fail/$fail_addr contain one element twice.
+		$NFT create element inet filter portmap "$fail" && exit 111
+		$NFT create element inet filter portaddrmap "$fail_addr" && exit 112
+	fi
+
+	$NFT add element inet filter portmap "$batched"
+	$NFT add element inet filter portaddrmap "$batched_addr"
+done
+
+if [ "$NFT_TEST_HAVE_catchall_element" = n ] ; then
+	echo "Partial test due to NFT_TEST_HAVE_catchall_element=n."
+else
+	$NFT add element inet filter portaddrmap { "* timeout 2s : drop" }
+	$NFT add element inet filter portmap { "* timeout 3s : drop" }
+fi
+
+# wait for elements to time out
+sleep 5
diff --git a/tests/shell/testcases/netns/0001nft-f_0 b/tests/shell/testcases/netns/0001nft-f_0
new file mode 100755
index 0000000..a591f2c
--- /dev/null
+++ b/tests/shell/testcases/netns/0001nft-f_0
@@ -0,0 +1,99 @@
+#!/bin/bash
+
+# test a kernel netns loading a simple ruleset
+
+IP=$(which ip)
+if [ ! -x "$IP" ] ; then
+	echo "E: no ip binary" >&2
+	exit 1
+fi
+
+RULESET="table ip t {
+	set s {
+		type ipv4_addr
+		elements = { 1.1.0.0 }
+	}
+
+	chain c {
+		ct state new
+		udp dport { 12345, 54321 }
+		ip saddr @s drop
+		jump other
+	}
+
+	chain other {
+	}
+}
+table ip6 t {
+	set s {
+		type ipv6_addr
+		elements = { fe00::1 }
+	}
+
+	chain c {
+		ct state new
+		udp dport { 12345, 54321 }
+		ip6 saddr @s drop
+		jump other
+	}
+
+	chain other {
+	}
+}
+table inet t {
+	set s {
+		type ipv6_addr
+		elements = { fe00::1 }
+	}
+
+	chain c {
+		ct state new
+		udp dport { 12345, 54321 }
+		ip6 saddr @s drop
+		jump other
+	}
+
+	chain other {
+	}
+}
+table bridge t {
+	chain c {
+		jump other
+	}
+
+	chain other {
+		accept
+	}
+}
+table arp t {
+	chain c {
+		jump other
+	}
+
+	chain other {
+		accept
+	}
+}"
+
+# netns
+NETNS_NAME=$(basename "$0")
+$IP netns add $NETNS_NAME
+if [ $? -ne 0 ] ; then
+	echo "E: unable to create netns" >&2
+	exit 1
+fi
+
+$IP netns exec $NETNS_NAME $NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+	echo "E: unable to load ruleset in netns" >&2
+	$IP netns del $NETNS_NAME
+	exit 1
+fi
+
+KERNEL_RULESET="$($IP netns exec $NETNS_NAME $NFT list ruleset)"
+$IP netns del $NETNS_NAME
+if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
+        $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
+        exit 1
+fi
+exit 0
diff --git a/tests/shell/testcases/netns/0002loosecommands_0 b/tests/shell/testcases/netns/0002loosecommands_0
new file mode 100755
index 0000000..231f1fb
--- /dev/null
+++ b/tests/shell/testcases/netns/0002loosecommands_0
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+# test a kernel netns loading a simple ruleset
+
+IP=$(which ip)
+if [ ! -x "$IP" ] ; then
+	echo "E: no ip binary" >&2
+	exit 1
+fi
+
+function netns_exec()
+{
+	# $1: netns_name $2: command
+	$IP netns exec $1 $2
+	if [ $? -ne 0 ] ; then
+		echo "E: failed to execute command in netns $1: $2" >&2
+		$IP netns del $1
+		exit 1
+	fi
+}
+
+NETNS_NAME=$(basename "$0")
+$IP netns add $NETNS_NAME
+if [ $? -ne 0 ] ; then
+	echo "E: unable to create netns" >&2
+	exit 1
+fi
+
+netns_exec $NETNS_NAME "$NFT add table ip t"
+netns_exec $NETNS_NAME "$NFT add chain ip t c"
+netns_exec $NETNS_NAME "$NFT add chain ip t other"
+netns_exec $NETNS_NAME "$NFT add set ip t s { type ipv4_addr; }"
+netns_exec $NETNS_NAME "$NFT add element ip t s {1.1.0.0 }"
+netns_exec $NETNS_NAME "$NFT add rule ip t c ct state new"
+netns_exec $NETNS_NAME "$NFT add rule ip t c udp dport { 12345, 54321 }"
+netns_exec $NETNS_NAME "$NFT add rule ip t c ip saddr @s drop"
+netns_exec $NETNS_NAME "$NFT add rule ip t c jump other"
+
+RULESET="table ip t {
+	set s {
+		type ipv4_addr
+		elements = { 1.1.0.0 }
+	}
+
+	chain c {
+		ct state new
+		udp dport { 12345, 54321 }
+		ip saddr @s drop
+		jump other
+	}
+
+	chain other {
+	}
+}"
+
+KERNEL_RULESET="$($IP netns exec $NETNS_NAME $NFT list ruleset)"
+$IP netns del $NETNS_NAME
+if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
+        $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
+        exit 1
+fi
diff --git a/tests/shell/testcases/netns/0003many_0 b/tests/shell/testcases/netns/0003many_0
new file mode 100755
index 0000000..afe9117
--- /dev/null
+++ b/tests/shell/testcases/netns/0003many_0
@@ -0,0 +1,113 @@
+#!/bin/bash
+
+# test using many netns
+
+# arbitry value of 'many'
+HOWMANY=20
+
+IP=$(which ip)
+if [ ! -x "$IP" ] ; then
+	echo "E: no ip binary" >&2
+	exit 1
+fi
+
+RULESET="table ip t {
+	set s {
+		type ipv4_addr
+		elements = { 1.1.0.0 }
+	}
+
+	chain c {
+		ct state new
+		udp dport { 12345, 54321 }
+		ip saddr @s drop
+		jump other
+	}
+
+	chain other {
+	}
+}
+table ip6 t {
+	set s {
+		type ipv6_addr
+		elements = { fe00::1 }
+	}
+
+	chain c {
+		ct state new
+		udp dport { 12345, 54321 }
+		ip6 saddr @s drop
+		jump other
+	}
+
+	chain other {
+	}
+}
+table inet t {
+	set s {
+		type ipv6_addr
+		elements = { fe00::1 }
+	}
+
+	chain c {
+		ct state new
+		udp dport { 12345, 54321 }
+		ip6 saddr @s drop
+		jump other
+	}
+
+	chain other {
+	}
+}
+table bridge t {
+	chain c {
+		jump other
+	}
+
+	chain other {
+		accept
+	}
+}
+table arp t {
+	chain c {
+		jump other
+	}
+
+	chain other {
+		accept
+	}
+}"
+
+function test_netns()
+{
+	local NETNS_NAME=$1
+	$IP netns add $NETNS_NAME
+	if [ $? -ne 0 ] ; then
+		echo "E: unable to create netns" >&2
+		exit 1
+	fi
+
+	$IP netns exec $NETNS_NAME $NFT -f - <<< "$RULESET"
+	if [ $? -ne 0 ] ; then
+		echo "E: unable to load ruleset in netns" >&2
+		$IP netns del $NETNS_NAME
+		exit 1
+	fi
+
+	KERNEL_RULESET="$($IP netns exec $NETNS_NAME $NFT list ruleset)"
+	if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
+		echo "E: ruleset in netns $NETNS_NAME differs from the loaded" >&2
+	        $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
+		$IP netns del $NETNS_NAME
+	        exit 1
+	fi
+
+	$IP netns del $NETNS_NAME
+}
+
+for i in $(seq 1 $HOWMANY) ; do
+	NETNS_NAME="$netns${i}_$(basename "$0")"
+	test_netns $NETNS_NAME
+done
+
+exit 0
diff --git a/tests/shell/testcases/netns/dumps/0001nft-f_0.nft b/tests/shell/testcases/netns/dumps/0001nft-f_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/netns/dumps/0001nft-f_0.nft
diff --git a/tests/shell/testcases/netns/dumps/0002loosecommands_0.nft b/tests/shell/testcases/netns/dumps/0002loosecommands_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/netns/dumps/0002loosecommands_0.nft
diff --git a/tests/shell/testcases/netns/dumps/0003many_0.nft b/tests/shell/testcases/netns/dumps/0003many_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/netns/dumps/0003many_0.nft
diff --git a/tests/shell/testcases/nft-f/0001define_slash_0 b/tests/shell/testcases/nft-f/0001define_slash_0
new file mode 100755
index 0000000..93c4811
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0001define_slash_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# tests for commit 85d6803 (parser_bison: initializer_expr must use rhs_expr)
+
+RULESET="
+define net = 1.1.1.1/24
+"
+
+set -e
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0002rollback_rule_0 b/tests/shell/testcases/nft-f/0002rollback_rule_0
new file mode 100755
index 0000000..8a9ca84
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0002rollback_rule_0
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# test a kernel rollback operation
+# fail reason: rule
+
+GOOD_RULESET="table ip t {
+	set t {
+		type ipv4_addr
+		elements = { 1.1.1.1 }
+	}
+
+	chain c {
+		ct state new
+		tcp dport { 22222, 33333 }
+		ip saddr @t drop
+		jump other
+	}
+
+	chain other {
+	}
+}"
+
+BAD_RULESET="flush ruleset
+table ip t2 {
+	chain c2 {
+		this is an invalid rule
+	}
+}"
+
+$NFT -f - <<< "$GOOD_RULESET"
+if [ $? -ne 0 ] ; then
+	echo "E: unable to load good ruleset" >&2
+	exit 1
+fi
+
+$NFT -f - <<< "$BAD_RULESET" 2>/dev/null
+if [ $? -eq 0 ]	; then
+	echo "E: bogus ruleset loaded?" >&2
+	exit 1
+fi
diff --git a/tests/shell/testcases/nft-f/0003rollback_jump_0 b/tests/shell/testcases/nft-f/0003rollback_jump_0
new file mode 100755
index 0000000..6fb6f4e
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0003rollback_jump_0
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# test a kernel rollback operation
+# fail reason: invalid jump
+
+GOOD_RULESET="table ip t {
+	set t {
+		type ipv4_addr
+		elements = { 1.1.1.1 }
+	}
+
+	chain c {
+		ct state new
+		tcp dport { 22222, 33333 }
+		ip saddr @t drop
+		jump other
+	}
+
+	chain other {
+	}
+}"
+
+BAD_RULESET="flush ruleset
+table ip t2 {
+	chain c2 {
+		jump other
+	}
+}"
+
+$NFT -f - <<< "$GOOD_RULESET"
+if [ $? -ne 0 ] ; then
+	echo "E: unable to load good ruleset" >&2
+	exit 1
+fi
+
+$NFT -f - <<< "$BAD_RULESET" 2>/dev/null
+if [ $? -eq 0 ]	; then
+	echo "E: bogus ruleset loaded?" >&2
+	exit 1
+fi
diff --git a/tests/shell/testcases/nft-f/0004rollback_set_0 b/tests/shell/testcases/nft-f/0004rollback_set_0
new file mode 100755
index 0000000..bcc55df
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0004rollback_set_0
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# test a kernel rollback operation
+# fail reason: invalid set
+
+GOOD_RULESET="table ip t {
+	set t {
+		type ipv4_addr
+		elements = { 1.1.1.1 }
+	}
+
+	chain c {
+		ct state new
+		tcp dport { 22222, 33333 }
+		ip saddr @t drop
+		jump other
+	}
+
+	chain other {
+	}
+}"
+
+BAD_RULESET="flush ruleset
+table ip t2 {
+	set s2 {
+		type invalid
+	}
+}"
+
+$NFT -f - <<< "$GOOD_RULESET"
+if [ $? -ne 0 ] ; then
+	echo "E: unable to load good ruleset" >&2
+	exit 1
+fi
+
+$NFT -f - <<< "$BAD_RULESET" 2>/dev/null
+if [ $? -eq 0 ]	; then
+	echo "E: bogus ruleset loaded?" >&2
+	exit 1
+fi
diff --git a/tests/shell/testcases/nft-f/0005rollback_map_0 b/tests/shell/testcases/nft-f/0005rollback_map_0
new file mode 100755
index 0000000..913595d
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0005rollback_map_0
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# test a kernel rollback operation
+# fail reason: invalid map
+
+GOOD_RULESET="table ip t {
+	set t {
+		type ipv4_addr
+		elements = { 1.1.1.1 }
+	}
+
+	chain c {
+		ct state new
+		tcp dport { 22222, 33333 }
+		ip saddr @t drop
+		jump other
+	}
+
+	chain other {
+	}
+}"
+
+BAD_RULESET="flush ruleset
+table ip t2 {
+	chain c2 {
+		tcp dport map { 22222: jump other, 11111: jump invalid }
+	}
+
+	chain other {
+	}
+}"
+
+$NFT -f - <<< "$GOOD_RULESET"
+if [ $? -ne 0 ] ; then
+	echo "E: unable to load good ruleset" >&2
+	exit 1
+fi
+
+$NFT -f - <<< "$BAD_RULESET" 2>/dev/null
+if [ $? -eq 0 ]	; then
+	echo "E: bogus ruleset loaded?" >&2
+	exit 1
+fi
diff --git a/tests/shell/testcases/nft-f/0006action_object_0 b/tests/shell/testcases/nft-f/0006action_object_0
new file mode 100755
index 0000000..ddee661
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0006action_object_0
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# test loading a ruleset with the 'action object' pattern
+
+set -e
+
+FAMILIES="ip ip6 inet arp bridge"
+
+generate1()
+{
+	local family=$1
+	echo "
+	add table $family t
+	add chain $family t c
+	add rule $family t c accept
+	add set $family t s {type inet_service;}
+	add element $family t s {8080}
+	insert rule $family t c meta l4proto tcp tcp dport @s accept
+	add rule $family t c meta l4proto tcp tcp dport {9090, 8080}
+	add map $family t m {type inet_service:verdict;}
+	add element $family t m {10080:drop}
+	insert rule $family t c meta l4proto tcp tcp dport vmap @m
+	add rule $family t c meta l4proto udp udp sport vmap {1111:accept, 2222:drop}
+	"
+}
+
+generate2()
+{
+	local family=$1
+	echo "
+	flush chain $family t c
+	delete element $family t m {10080:drop}
+	delete element $family t s {8080}
+	delete chain $family t c
+	delete table $family t
+	"
+}
+
+RULESET=$(for family in $FAMILIES ; do
+	generate1 $family
+done)
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+	echo "E: unable to load ruleset 1" >&2
+	exit 1
+fi
+
+RULESET=$(for family in $FAMILIES ; do
+	generate2 $family
+done)
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+	echo "E: unable to load ruleset 2" >&2
+	exit 1
+fi
+
+exit 0
diff --git a/tests/shell/testcases/nft-f/0007action_object_set_segfault_1 b/tests/shell/testcases/nft-f/0007action_object_set_segfault_1
new file mode 100755
index 0000000..6cbd386
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0007action_object_set_segfault_1
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# test for a segfault if bad syntax was used in set declaration
+# and the set is referenced in the same batch
+
+RULESET="
+add table t
+add chain t c
+add set t s {type ipv4_addr\;}
+add rule t c ip saddr @s
+"
+
+$NFT -f - <<< "$RULESET" 2>/dev/null && exit 1
+exit 0
diff --git a/tests/shell/testcases/nft-f/0008split_tables_0 b/tests/shell/testcases/nft-f/0008split_tables_0
new file mode 100755
index 0000000..2631aed
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0008split_tables_0
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table inet filter {
+	chain ssh {
+		type filter hook input priority 0; policy accept;
+		tcp dport 22 accept;
+	}
+}
+
+table inet filter {
+	chain input {
+		type filter hook input priority 1; policy accept;
+	}
+}"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/nft-f/0009variable_0 b/tests/shell/testcases/nft-f/0009variable_0
new file mode 100755
index 0000000..e073d86
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0009variable_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="define concat-set-variable = { 10.10.10.10 . 25, 10.10.10.10 . 143 }
+
+table inet forward {
+	set concat-set-variable {
+		type ipv4_addr . inet_service
+		elements = \$concat-set-variable
+	}
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0010variable_0 b/tests/shell/testcases/nft-f/0010variable_0
new file mode 100755
index 0000000..69c80c7
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0010variable_0
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+RULESET="define whitelist_v4 = { 1.1.1.1 }
+
+table inet filter {
+	set whitelist_v4 { type ipv4_addr; }
+}
+add element inet filter whitelist_v4 \$whitelist_v4
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0011manydefines_0 b/tests/shell/testcases/nft-f/0011manydefines_0
new file mode 100755
index 0000000..aac0670
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0011manydefines_0
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# tests many defines in a single nft -f run
+
+HOWMANY=20000
+
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+	# The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+	# the test.
+	#
+	# Run only a subset of the test and mark as skipped at the end.
+	HOWMANY=2000
+fi
+
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+	echo "Failed to create tmp file" >&2
+	exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+generate1()
+{
+	for ((i=0; i<=HOWMANY; i++)) ; do
+		echo "define data_${i} = ${i}"
+	done
+}
+
+generate2()
+{
+	for ((i=0; i<=HOWMANY; i++)) ; do
+		echo "iifname \$data_${i}"
+	done
+}
+
+echo " $(generate1)
+table t {
+	chain c {
+		$(generate2)
+	}
+}" > $tmpfile
+
+set -e
+$NFT -f $tmpfile
+
+if [ "$HOWMANY" != 20000 ] ; then
+	echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+	echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+	echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+	exit 77
+fi
diff --git a/tests/shell/testcases/nft-f/0012different_defines_0 b/tests/shell/testcases/nft-f/0012different_defines_0
new file mode 100755
index 0000000..fe22858
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0012different_defines_0
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# tests different spots, datatypes and usages for nft defines
+
+RULESET="
+define d_iifname = whatever
+define d_oifname = \$d_iifname
+define d_iif = lo
+define d_oif = \$d_iif
+define d_mark = 123
+define d_state = new,established,related
+define d_ipv4 = 10.0.0.0
+define d_ipv4_2 = 10.0.0.2
+define d_ipv6 = fe0::1
+define d_ipv6_2 = fe0::2
+define d_ports = 100-222
+define d_qnum = 0
+define d_qnumr = 1-42
+
+table inet t {
+	chain c {
+		iifname \$d_iifname oifname \$d_oifname iif \$d_iif oif \$d_oif
+		iifname { \$d_iifname , \$d_oifname } iif { \$d_iif , \$d_oif } meta mark \$d_mark
+		ct state \$d_state
+		ct state != \$d_state
+		ip saddr \$d_ipv4 ip daddr \$d_ipv4_2 ip saddr \$d_ipv4
+		ip6 daddr \$d_ipv6 ip6 saddr \$d_ipv6_2
+		ip saddr vmap { \$d_ipv4 : drop , \$d_ipv4_2 : accept }
+		ip6 daddr vmap { \$d_ipv6 : drop , \$d_ipv6_2 : accept }
+		ip6 saddr . ip6 nexthdr { \$d_ipv6 . udp, \$d_ipv6_2 . tcp }
+		ip daddr . meta iif vmap { \$d_ipv4 . \$d_iif : accept }
+		tcp dport \$d_ports
+		udp dport vmap { \$d_ports : accept }
+		tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue num \$d_qnum bypass
+		tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue num \$d_qnumr
+		tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue flags bypass,fanout num \$d_qnumr
+		tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue to symhash mod 2
+		tcp dport 1 tcp sport 1 meta oifname \"foobar\" queue flags bypass to jhash tcp dport . tcp sport mod 4
+	}
+}"
+
+set -e
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0013defines_1 b/tests/shell/testcases/nft-f/0013defines_1
new file mode 100755
index 0000000..b633088
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0013defines_1
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Tests use of variable before definition.
+
+set -e
+
+RULESET="
+define var2 = \$var1
+define var1 = lo
+
+table ip t {
+	chain c {
+		iif \$var2
+	}
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/nft-f/0014defines_1 b/tests/shell/testcases/nft-f/0014defines_1
new file mode 100755
index 0000000..35f2536
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0014defines_1
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Tests redefinition of an existing variable.
+
+set -e
+
+RULESET="
+define var1 = lo
+define var1 = lo
+
+table ip t {
+	chain c {
+		iif \$var1
+	}
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/nft-f/0015defines_1 b/tests/shell/testcases/nft-f/0015defines_1
new file mode 100755
index 0000000..935cb45
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0015defines_1
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Tests recursive definition of a variable.
+
+set -e
+
+RULESET="
+define var1 = \$var1
+
+table ip t {
+	chain c {
+		iif \$var1
+	}
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/nft-f/0016redefines_1 b/tests/shell/testcases/nft-f/0016redefines_1
new file mode 100755
index 0000000..1f59f6b
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0016redefines_1
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+RULESET="
+table ip x {
+        chain y {
+                define unused = 4.4.4.4
+                define address = { 1.1.1.1, 2.2.2.2 }
+                ip saddr \$address
+                redefine address = { 3.3.3.3, 4.4.4.4 }
+                ip saddr \$address
+                undefine unused
+        }
+}"
+
+EXPECTED="table ip x {
+	chain y {
+		ip saddr { 1.1.1.1, 2.2.2.2 }
+		ip saddr { 3.3.3.3, 4.4.4.4 }
+	}
+}"
+
+$NFT -f - <<< "$RULESET"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+        $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+        exit 1
+fi
+
+exit 0
diff --git a/tests/shell/testcases/nft-f/0017ct_timeout_obj_0 b/tests/shell/testcases/nft-f/0017ct_timeout_obj_0
new file mode 100755
index 0000000..cfb7895
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0017ct_timeout_obj_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_cttimeout)
+
+EXPECTED='table ip filter {
+	ct timeout cttime{
+		protocol tcp
+		l3proto ip
+		policy = { established : 123, close : 12 }
+	}
+
+	chain c {
+		ct timeout set "cttime"
+	}
+}'
+
+set -e
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/nft-f/0018ct_expectation_obj_0 b/tests/shell/testcases/nft-f/0018ct_expectation_obj_0
new file mode 100755
index 0000000..4f9872f
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0018ct_expectation_obj_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+EXPECTED='table ip filter {
+	ct expectation ctexpect{
+		protocol tcp
+		dport 9876
+		timeout 1m
+		size 12
+		l3proto ip
+	}
+
+	chain c {
+		ct expectation set "ctexpect"
+	}
+}'
+
+set -e
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/nft-f/0018jump_variable_0 b/tests/shell/testcases/nft-f/0018jump_variable_0
new file mode 100755
index 0000000..003a1bd
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0018jump_variable_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Tests use of variables in jump statements
+
+set -e
+
+RULESET="
+define dest = ber
+
+table ip foo {
+	chain bar {
+		jump \$dest
+	}
+
+	chain ber {
+	}
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0019jump_variable_1 b/tests/shell/testcases/nft-f/0019jump_variable_1
new file mode 100755
index 0000000..bda861c
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0019jump_variable_1
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Tests use of variables in jump statements
+
+set -e
+
+RULESET="
+define dest = { 1024 }
+
+table ip foo {
+	chain bar {
+		jump \$dest
+	}
+
+	chain ber {
+	}
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/nft-f/0020jump_variable_1 b/tests/shell/testcases/nft-f/0020jump_variable_1
new file mode 100755
index 0000000..f753058
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0020jump_variable_1
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Tests use of variables in jump statements
+
+set -e
+
+RULESET="
+define dest = *
+
+table ip foo {
+	chain bar {
+		jump \$dest
+	}
+
+	chain ber {
+	}
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/nft-f/0021list_ruleset_0 b/tests/shell/testcases/nft-f/0021list_ruleset_0
new file mode 100755
index 0000000..37729b4
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0021list_ruleset_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Tests use of variables in jump statements
+
+set -e
+
+RULESET="table filter {
+ chain prerouting {
+  type filter hook prerouting priority -50
+ }
+}
+list  ruleset
+"
+
+exec $NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0022variables_0 b/tests/shell/testcases/nft-f/0022variables_0
new file mode 100755
index 0000000..ee17a62
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0022variables_0
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+
+RULESET="define test1 = @y
+
+table ip x {
+	set y {
+		type ipv4_addr
+		flags dynamic,timeout
+	}
+
+	chain z {
+		type filter hook input priority filter; policy accept;
+		add \$test1 { ip saddr }
+		update \$test1 { ip saddr timeout 30s }
+		ip saddr \$test1
+	}
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0023check_1 b/tests/shell/testcases/nft-f/0023check_1
new file mode 100755
index 0000000..42793b6
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0023check_1
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+RULESET="table ip foo {
+	chain bar {
+		type filter hook prerouting priority 0;
+	}
+}"
+
+$NFT -f - <<< "$RULESET"
+
+$NFT -c add rule foo bar fib saddr . oif type local && exit 1
+exit 0
diff --git a/tests/shell/testcases/nft-f/0024priority_0 b/tests/shell/testcases/nft-f/0024priority_0
new file mode 100755
index 0000000..586f5c3
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0024priority_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+RULESET="
+table inet statelessnat {
+    chain prerouting {
+        type filter hook prerouting priority -100;
+        ip daddr set numgen inc mod 16 map { 0-7 : 10.0.1.1, 8- 15 : 10.0.1.2 }
+    }
+    chain postrouting {
+        type filter hook postrouting priority 100
+    }
+}"
+
+exec $NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0025empty_dynset_0 b/tests/shell/testcases/nft-f/0025empty_dynset_0
new file mode 100755
index 0000000..fbdb579
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0025empty_dynset_0
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip foo {
+	        set inflows {
+                type ipv4_addr . inet_service . ifname . ipv4_addr . inet_service
+                flags dynamic
+                elements = { 10.1.0.3 . 39466 . \"veth1\" . 10.3.0.99 . 5201 counter packets 0 bytes 0 }
+        }
+
+        set inflows6 {
+                type ipv6_addr . inet_service . ifname . ipv6_addr . inet_service
+                flags dynamic
+        }
+
+        set inflows_ratelimit {
+                type ipv4_addr . inet_service . ifname . ipv4_addr . inet_service
+                flags dynamic
+                elements = { 10.1.0.3 . 39466 . \"veth1\" . 10.3.0.99 . 5201 limit rate 1/second counter packets 0 bytes 0 }
+        }
+}"
+
+$NFT -f - <<< "$RULESET"
+
+# inflows_ratelimit will be dumped without 'limit rate .. counter' on old kernels.
+if [ "$NFT_TEST_HAVE_set_with_two_expressions" = n ]; then
+	echo "Partial test due to NFT_TEST_HAVE_set_with_two_expressions=n."
+	exit 77
+fi
diff --git a/tests/shell/testcases/nft-f/0026listing_0 b/tests/shell/testcases/nft-f/0026listing_0
new file mode 100755
index 0000000..0f2f27c
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0026listing_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# This is like "flush ruleset" except only flushes THIS ruleset, not ALL rulesets.
+# In particular, it leaves the dynamic sshguard/fail2ban deny lists untouched.
+RULESET="add table A
+delete table A
+table A {
+    chain B {
+        tcp dport {1,2} accept
+    }
+}
+list ruleset"
+
+exec $NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0027split_chains_0 b/tests/shell/testcases/nft-f/0027split_chains_0
new file mode 100755
index 0000000..de1e5a0
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0027split_chains_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table inet filter {
+       chain x {
+       }
+}
+table inet filter {
+       chain input {
+	       type filter hook input priority filter; policy accept;
+	       jump x
+       }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 0
+exit 1
diff --git a/tests/shell/testcases/nft-f/0028variable_cmdline_0 b/tests/shell/testcases/nft-f/0028variable_cmdline_0
new file mode 100755
index 0000000..a2bbd5d
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0028variable_cmdline_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+
+RULESET="table inet filter {
+	set whitelist_v4 { type ipv4_addr; }
+}
+add element inet filter whitelist_v4 \$whitelist_v4
+"
+
+# this is intentional: exercise error path
+$NFT --define whitelist_v4="{ wrong }" -f - <<< "$RULESET"
+$NFT --define whitelist_v4="{ 1.1.1.1, \$wrong }" -f - <<< "$RULESET"
+
+set -e
+
+$NFT --define whitelist_v4="{ 1.1.1.1, 2.2.2.2 }" -f - <<< "$RULESET"
+$NFT --define x={5.5.5.5} --define whitelist_v4="{ 3.3.3.3, 4.4.4.4, \$x }" -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0029split_file_0 b/tests/shell/testcases/nft-f/0029split_file_0
new file mode 100755
index 0000000..0cc547a
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0029split_file_0
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table inet filter {
+	set whitelist_v4 {
+		type ipv4_addr;
+	}
+
+	chain prerouting {
+		type filter hook prerouting priority filter;
+	}
+}
+"
+
+$NFT -f - <<< "$RULESET"
+
+RULESET="table inet filter {
+	chain prerouting {
+		ip daddr @whitelist_v4
+	}
+}
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0030variable_reuse_0 b/tests/shell/testcases/nft-f/0030variable_reuse_0
new file mode 100755
index 0000000..8afc54a
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0030variable_reuse_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+RULESET="define test = { 1.1.1.1 }
+
+table ip x {
+        set y {
+                type ipv4_addr
+                elements = { 2.2.2.2, \$test }
+        }
+
+        set z {
+                type ipv4_addr
+                elements = { 3.3.3.3, \$test }
+        }
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0031vmap_string_0 b/tests/shell/testcases/nft-f/0031vmap_string_0
new file mode 100755
index 0000000..2af846a
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0031vmap_string_0
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Tests parse of corrupted verdicts
+
+set -e
+
+RULESET="
+table ip foo {
+	map bar {
+		type ipv4_addr : verdict
+		elements = {
+			192.168.0.1 : ber
+		}
+	}
+
+	chain ber {
+	}
+}"
+
+$NFT -f - <<< "$RULESET" && exit 1
+exit 0
diff --git a/tests/shell/testcases/nft-f/0032pknock_0 b/tests/shell/testcases/nft-f/0032pknock_0
new file mode 100755
index 0000000..94fc840
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0032pknock_0
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+RULESET="define guarded_ports = {ssh}
+
+table inet portknock {
+        set clients_ipv4 {
+                type ipv4_addr
+                flags timeout
+        }
+
+        set candidates_ipv4 {
+                type ipv4_addr . inet_service
+                flags timeout
+        }
+
+        chain input {
+                type filter hook input priority -10; policy accept;
+
+                tcp dport 10001 add @candidates_ipv4 {ip  saddr . 10002 timeout 1s}
+                tcp dport 10002 ip  saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip  saddr . 10003 timeout 1s}
+                tcp dport 10003 ip  saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip  saddr . 10004 timeout 1s}
+                tcp dport 10004 ip  saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip  saddr . 10005 timeout 1s}
+                tcp dport 10005 ip  saddr . tcp dport @candidates_ipv4 add @clients_ipv4 {ip  saddr timeout 600s} log prefix \"Successful portknock: \"
+
+                tcp dport \$guarded_ports ip  saddr @clients_ipv4 counter accept
+                tcp dport \$guarded_ports ct state established,related counter accept
+
+                tcp dport \$guarded_ports reject with tcp reset
+        }
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/dumps/0001define_slash_0.nft b/tests/shell/testcases/nft-f/dumps/0001define_slash_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0001define_slash_0.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft
new file mode 100644
index 0000000..3fad909
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft
@@ -0,0 +1,16 @@
+table ip t {
+	set t {
+		type ipv4_addr
+		elements = { 1.1.1.1 }
+	}
+
+	chain c {
+		ct state new
+		tcp dport { 22222, 33333 }
+		ip saddr @t drop
+		jump other
+	}
+
+	chain other {
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft
new file mode 100644
index 0000000..3fad909
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft
@@ -0,0 +1,16 @@
+table ip t {
+	set t {
+		type ipv4_addr
+		elements = { 1.1.1.1 }
+	}
+
+	chain c {
+		ct state new
+		tcp dport { 22222, 33333 }
+		ip saddr @t drop
+		jump other
+	}
+
+	chain other {
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft
new file mode 100644
index 0000000..3fad909
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft
@@ -0,0 +1,16 @@
+table ip t {
+	set t {
+		type ipv4_addr
+		elements = { 1.1.1.1 }
+	}
+
+	chain c {
+		ct state new
+		tcp dport { 22222, 33333 }
+		ip saddr @t drop
+		jump other
+	}
+
+	chain other {
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft
new file mode 100644
index 0000000..3fad909
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft
@@ -0,0 +1,16 @@
+table ip t {
+	set t {
+		type ipv4_addr
+		elements = { 1.1.1.1 }
+	}
+
+	chain c {
+		ct state new
+		tcp dport { 22222, 33333 }
+		ip saddr @t drop
+		jump other
+	}
+
+	chain other {
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0006action_object_0.nft b/tests/shell/testcases/nft-f/dumps/0006action_object_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0006action_object_0.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.nft b/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft
new file mode 100644
index 0000000..d7e7808
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft
@@ -0,0 +1,10 @@
+table inet filter {
+	chain ssh {
+		type filter hook input priority filter; policy accept;
+		tcp dport 22 accept
+	}
+
+	chain input {
+		type filter hook input priority filter + 1; policy accept;
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0009variable_0.nft b/tests/shell/testcases/nft-f/dumps/0009variable_0.nft
new file mode 100644
index 0000000..7f59a27
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0009variable_0.nft
@@ -0,0 +1,7 @@
+table inet forward {
+	set concat-set-variable {
+		type ipv4_addr . inet_service
+		elements = { 10.10.10.10 . 25,
+			     10.10.10.10 . 143 }
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0010variable_0.nft b/tests/shell/testcases/nft-f/dumps/0010variable_0.nft
new file mode 100644
index 0000000..1f3d05e
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0010variable_0.nft
@@ -0,0 +1,6 @@
+table inet filter {
+	set whitelist_v4 {
+		type ipv4_addr
+		elements = { 1.1.1.1 }
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0011manydefines_0.nodump b/tests/shell/testcases/nft-f/dumps/0011manydefines_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0011manydefines_0.nodump
diff --git a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft
new file mode 100644
index 0000000..4734b2f
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft
@@ -0,0 +1,21 @@
+table inet t {
+	chain c {
+		iifname "whatever" oifname "whatever" iif "lo" oif "lo"
+		iifname { "whatever" } iif { "lo" } meta mark 0x0000007b
+		ct state established,related,new
+		ct state != established | related | new
+		ip saddr 10.0.0.0 ip daddr 10.0.0.2 ip saddr 10.0.0.0
+		ip6 daddr fe0::1 ip6 saddr fe0::2
+		ip saddr vmap { 10.0.0.0 : drop, 10.0.0.2 : accept }
+		ip6 daddr vmap { fe0::1 : drop, fe0::2 : accept }
+		ip6 saddr . ip6 nexthdr { fe0::2 . tcp, fe0::1 . udp }
+		ip daddr . iif vmap { 10.0.0.0 . "lo" : accept }
+		tcp dport 100-222
+		udp dport vmap { 100-222 : accept }
+		tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass to 0
+		tcp sport 1 tcp dport 1 oifname "foobar" queue to 1-42
+		tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass,fanout to 1-42
+		tcp sport 1 tcp dport 1 oifname "foobar" queue to symhash mod 2
+		tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass to jhash tcp dport . tcp sport mod 4
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0013defines_1.nft b/tests/shell/testcases/nft-f/dumps/0013defines_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0013defines_1.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0014defines_1.nft b/tests/shell/testcases/nft-f/dumps/0014defines_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0014defines_1.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0015defines_1.nft b/tests/shell/testcases/nft-f/dumps/0015defines_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0015defines_1.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0016redefines_1.nft b/tests/shell/testcases/nft-f/dumps/0016redefines_1.nft
new file mode 100644
index 0000000..65b7f49
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0016redefines_1.nft
@@ -0,0 +1,6 @@
+table ip x {
+	chain y {
+		ip saddr { 1.1.1.1, 2.2.2.2 }
+		ip saddr { 3.3.3.3, 4.4.4.4 }
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
new file mode 100644
index 0000000..c5d9649
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
@@ -0,0 +1,11 @@
+table ip filter {
+	ct timeout cttime {
+		protocol tcp
+		l3proto ip
+		policy = { established : 2m3s, close : 12s }
+	}
+
+	chain c {
+		ct timeout set "cttime"
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.nft
new file mode 100644
index 0000000..396185e
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.nft
@@ -0,0 +1,13 @@
+table ip filter {
+	ct expectation ctexpect {
+		protocol tcp
+		dport 9876
+		timeout 1m
+		size 12
+		l3proto ip
+	}
+
+	chain c {
+		ct expectation set "ctexpect"
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0018jump_variable_0.nft b/tests/shell/testcases/nft-f/dumps/0018jump_variable_0.nft
new file mode 100644
index 0000000..0ddaf07
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0018jump_variable_0.nft
@@ -0,0 +1,8 @@
+table ip foo {
+	chain bar {
+		jump ber
+	}
+
+	chain ber {
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.nft b/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.nft b/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft b/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft
new file mode 100644
index 0000000..b2cd401
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft
@@ -0,0 +1,5 @@
+table ip filter {
+	chain prerouting {
+		type filter hook prerouting priority -50; policy accept;
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0022variables_0.nft b/tests/shell/testcases/nft-f/dumps/0022variables_0.nft
new file mode 100644
index 0000000..d30f4d5
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0022variables_0.nft
@@ -0,0 +1,14 @@
+table ip x {
+	set y {
+		type ipv4_addr
+		size 65535
+		flags dynamic,timeout
+	}
+
+	chain z {
+		type filter hook input priority filter; policy accept;
+		add @y { ip saddr }
+		update @y { ip saddr timeout 30s }
+		ip saddr @y
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0023check_1.nft b/tests/shell/testcases/nft-f/dumps/0023check_1.nft
new file mode 100644
index 0000000..04b9e70
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0023check_1.nft
@@ -0,0 +1,5 @@
+table ip foo {
+	chain bar {
+		type filter hook prerouting priority filter; policy accept;
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0024priority_0.nft b/tests/shell/testcases/nft-f/dumps/0024priority_0.nft
new file mode 100644
index 0000000..cd7fc50
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0024priority_0.nft
@@ -0,0 +1,10 @@
+table inet statelessnat {
+	chain prerouting {
+		type filter hook prerouting priority dstnat; policy accept;
+		ip daddr set numgen inc mod 16 map { 0-7 : 10.0.1.1, 8-15 : 10.0.1.2 }
+	}
+
+	chain postrouting {
+		type filter hook postrouting priority srcnat; policy accept;
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.nft b/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.nft
new file mode 100644
index 0000000..33b9e4f
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.nft
@@ -0,0 +1,18 @@
+table ip foo {
+	set inflows {
+		type ipv4_addr . inet_service . ifname . ipv4_addr . inet_service
+		flags dynamic
+		elements = { 10.1.0.3 . 39466 . "veth1" . 10.3.0.99 . 5201 counter packets 0 bytes 0 }
+	}
+
+	set inflows6 {
+		type ipv6_addr . inet_service . ifname . ipv6_addr . inet_service
+		flags dynamic
+	}
+
+	set inflows_ratelimit {
+		type ipv4_addr . inet_service . ifname . ipv4_addr . inet_service
+		flags dynamic
+		elements = { 10.1.0.3 . 39466 . "veth1" . 10.3.0.99 . 5201 limit rate 1/second burst 5 packets counter packets 0 bytes 0 }
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0026listing_0.nft b/tests/shell/testcases/nft-f/dumps/0026listing_0.nft
new file mode 100644
index 0000000..fd0bb68
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0026listing_0.nft
@@ -0,0 +1,5 @@
+table ip A {
+	chain B {
+		tcp dport { 1, 2 } accept
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft b/tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft
new file mode 100644
index 0000000..39198be
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft
@@ -0,0 +1,9 @@
+table inet filter {
+	chain x {
+	}
+
+	chain input {
+		type filter hook input priority filter; policy accept;
+		jump x
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft b/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft
new file mode 100644
index 0000000..aa08112
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft
@@ -0,0 +1,8 @@
+table inet filter {
+	set whitelist_v4 {
+		type ipv4_addr
+		elements = { 1.1.1.1, 2.2.2.2,
+			     3.3.3.3, 4.4.4.4,
+			     5.5.5.5 }
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0029split_file_0.nft b/tests/shell/testcases/nft-f/dumps/0029split_file_0.nft
new file mode 100644
index 0000000..32d5c0e
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0029split_file_0.nft
@@ -0,0 +1,10 @@
+table inet filter {
+	set whitelist_v4 {
+		type ipv4_addr
+	}
+
+	chain prerouting {
+		type filter hook prerouting priority filter; policy accept;
+		ip daddr @whitelist_v4
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.nft b/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.nft
new file mode 100644
index 0000000..635901f
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.nft
@@ -0,0 +1,11 @@
+table ip x {
+	set y {
+		type ipv4_addr
+		elements = { 1.1.1.1, 2.2.2.2 }
+	}
+
+	set z {
+		type ipv4_addr
+		elements = { 1.1.1.1, 3.3.3.3 }
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.nft b/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0032pknock_0.nft b/tests/shell/testcases/nft-f/dumps/0032pknock_0.nft
new file mode 100644
index 0000000..f29dfb2
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0032pknock_0.nft
@@ -0,0 +1,25 @@
+table inet portknock {
+	set clients_ipv4 {
+		type ipv4_addr
+		size 65535
+		flags dynamic,timeout
+	}
+
+	set candidates_ipv4 {
+		type ipv4_addr . inet_service
+		size 65535
+		flags dynamic,timeout
+	}
+
+	chain input {
+		type filter hook input priority filter - 10; policy accept;
+		tcp dport 10001 add @candidates_ipv4 { ip saddr . 10002 timeout 1s }
+		tcp dport 10002 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10003 timeout 1s }
+		tcp dport 10003 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10004 timeout 1s }
+		tcp dport 10004 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10005 timeout 1s }
+		tcp dport 10005 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 { ip saddr timeout 10m } log prefix "Successful portknock: "
+		tcp dport 22 ip saddr @clients_ipv4 counter packets 0 bytes 0 accept
+		tcp dport 22 ct state established,related counter packets 0 bytes 0 accept
+		tcp dport 22 reject with tcp reset
+	}
+}
diff --git a/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft b/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft
new file mode 100644
index 0000000..480b694
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft
@@ -0,0 +1,239 @@
+table inet filter {
+	map if_input {
+		type ifname : verdict
+		elements = { "eth0" : jump public_input,
+			     "eth1" : jump home_input,
+			     "eth2.10" : jump home_input,
+			     "eth2.20" : jump home_input }
+	}
+
+	map if_forward {
+		type ifname : verdict
+		elements = { "eth0" : jump public_forward,
+			     "eth1" : jump trusted_forward,
+			     "eth2.10" : jump voip_forward,
+			     "eth2.20" : jump guest_forward }
+	}
+
+	map if_output {
+		type ifname : verdict
+		elements = { "eth0" : jump public_output,
+			     "eth1" : jump home_output,
+			     "eth2.10" : jump home_output,
+			     "eth2.20" : jump home_output }
+	}
+
+	set ipv4_blacklist {
+		type ipv4_addr
+		flags interval
+		auto-merge
+	}
+
+	set ipv6_blacklist {
+		type ipv6_addr
+		flags interval
+		auto-merge
+	}
+
+	set limit_src_ip {
+		type ipv4_addr
+		size 1024
+		flags dynamic,timeout
+	}
+
+	set limit_src_ip6 {
+		type ipv6_addr
+		size 1024
+		flags dynamic,timeout
+	}
+
+	chain PREROUTING_RAW {
+		type filter hook prerouting priority raw; policy accept;
+		meta l4proto != { icmp, tcp, udp, ipv6-icmp } counter packets 0 bytes 0 drop
+		tcp flags syn jump {
+			tcp option maxseg size 1-500 counter packets 0 bytes 0 drop
+			tcp sport 0 counter packets 0 bytes 0 drop
+		}
+		rt type 0 counter packets 0 bytes 0 drop
+	}
+
+	chain PREROUTING_MANGLE {
+		type filter hook prerouting priority mangle; policy accept;
+		ct state vmap { invalid : jump ct_invalid_pre, related : jump rpfilter, new : jump ct_new_pre, untracked : jump ct_untracked_pre }
+	}
+
+	chain ct_invalid_pre {
+		counter packets 0 bytes 0 drop
+	}
+
+	chain ct_untracked_pre {
+		icmpv6 type { mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } return
+		counter packets 0 bytes 0 drop
+	}
+
+	chain ct_new_pre {
+		jump rpfilter
+		tcp flags != syn / fin,syn,rst,ack counter packets 0 bytes 0 drop
+		iifname "eth0" meta nfproto vmap { ipv4 : jump blacklist_input_ipv4, ipv6 : jump blacklist_input_ipv6 }
+	}
+
+	chain rpfilter {
+		ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport 68 udp dport 67 return
+		ip6 saddr :: ip6 daddr . icmpv6 type { ff02::1:ff00:0/104 . nd-neighbor-solicit, ff02::16 . mld2-listener-report } return
+		fib saddr . iif oif 0 counter packets 0 bytes 0 drop
+	}
+
+	chain blacklist_input_ipv4 {
+		ip saddr { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3 } counter packets 0 bytes 0 drop
+		ip saddr @ipv4_blacklist counter packets 0 bytes 0 drop
+	}
+
+	chain blacklist_input_ipv6 {
+		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/64 return
+		udp sport 547 ip6 saddr fe80::/64 return
+		ip6 saddr { ::/3, 2001::/32, 2001:2::/48, 2001:3::/32, 2001:10::-2001:2f:ffff:ffff:ffff:ffff:ffff:ffff, 2001:db8::/32, 2002::/16, 3000::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } counter packets 0 bytes 0 drop
+		ip6 saddr @ipv6_blacklist counter packets 0 bytes 0 drop
+	}
+
+	chain INPUT {
+		type filter hook input priority filter; policy drop;
+		iif "lo" accept
+		ct state established,related accept
+		iifname vmap @if_input
+		log prefix "NFT REJECT IN " flags ip options flags ether limit rate 5/second burst 10 packets reject
+	}
+
+	chain public_input {
+		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/64 ip6 hoplimit 255 accept
+		udp sport 547 udp dport 546 ip6 saddr fe80::/64 accept
+		fib daddr type { broadcast, anycast, multicast } counter packets 0 bytes 0 drop
+		counter packets 0 bytes 0 drop
+	}
+
+	chain home_input {
+		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
+		icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept
+		udp sport 68 udp dport 67 accept
+		udp sport 546 udp dport 547 iifname { "eth1", "eth2.10", "eth2.20" } accept
+		fib daddr type { broadcast, anycast, multicast } counter packets 0 bytes 0 drop
+		icmp type echo-request accept
+		icmpv6 type echo-request accept
+		tcp dport 22 iifname "eth1" accept
+		meta l4proto { tcp, udp } th dport 53 jump {
+			ip6 saddr != { fd00::/8, fe80::/64 } counter packets 0 bytes 0 reject with icmpv6 port-unreachable
+			accept
+		}
+		udp dport 123 accept
+		tcp dport 8443 accept
+	}
+
+	chain FORWARD_MANGLE {
+		type filter hook forward priority mangle; policy accept;
+		oifname "eth0" jump {
+			ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 }
+			tcp flags syn / syn,rst tcp option maxseg size set rt mtu
+		}
+	}
+
+	chain blacklist_output_ipv4 {
+		ip daddr { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3 } goto log_blacklist
+		ip daddr @ipv4_blacklist goto log_blacklist
+	}
+
+	chain blacklist_output_ipv6 {
+		icmpv6 type . ip6 daddr { nd-router-solicit . ff02::2, nd-neighbor-solicit . ff02::1:ff00:0/104, nd-neighbor-advert . fe80::/64, nd-neighbor-advert . ff02::1, nd-neighbor-advert . ff02::1:ff00:0/104, mld2-listener-report . ff02::16 } return
+		udp dport 547 ip6 daddr ff02::1:2 return
+		ip6 daddr { ::/3, 2001::/32, 2001:2::/48, 2001:3::/32, 2001:10::-2001:2f:ffff:ffff:ffff:ffff:ffff:ffff, 2001:db8::/32, 2002::/16, 3000::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } goto log_blacklist
+		ip6 daddr @ipv6_blacklist goto log_blacklist
+	}
+
+	chain log_blacklist {
+		log prefix "NFT BLACKLIST " flags ip options flags ether limit rate 5/minute burst 10 packets drop
+		counter packets 0 bytes 0 drop
+	}
+
+	chain FORWARD {
+		type filter hook forward priority filter; policy drop;
+		ct state established,related accept
+		fib daddr type { broadcast, anycast, multicast } counter packets 0 bytes 0 drop
+		iifname vmap @if_forward
+		log prefix "NFT REJECT FWD " flags ip options flags ether limit rate 5/second burst 10 packets reject
+	}
+
+	chain public_forward {
+		udp dport { 5060, 7078-7097 } oifname "eth2.10" jump {
+			ip6 saddr { 2001:db8::1-2001:db8::2 } accept
+			meta nfproto ipv6 log prefix "NFT DROP SIP " flags ip options flags ether limit rate 5/second burst 10 packets drop
+		}
+		counter packets 0 bytes 0 drop
+	}
+
+	chain trusted_forward {
+		oifname "eth0" accept
+		icmp type echo-request accept
+		icmpv6 type echo-request accept
+		ip daddr { 192.168.3.30, 192.168.4.40 } tcp dport vmap { 22 : accept, 80 : drop, 443 : accept }
+		ip daddr 192.168.2.20 jump {
+			tcp dport { 80, 443, 515, 631, 9100 } accept
+			udp dport 161 accept
+		}
+	}
+
+	chain voip_forward {
+		icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } oifname "eth0" accept
+		ip6 daddr { 2001:db8::1-2001:db8::2 } jump {
+			udp dport { 3478, 5060 } accept
+			udp sport 7078-7097 accept
+			tcp dport 5061 accept
+		}
+		tcp dport 587 ip daddr 10.0.0.1 accept
+		tcp dport 80 oifname "eth0" counter packets 0 bytes 0 reject
+	}
+
+	chain guest_forward {
+		oifname "eth0" accept
+	}
+
+	chain OUTPUT {
+		type filter hook output priority filter; policy drop;
+		oif "lo" accept
+		ct state vmap { invalid : jump ct_invalid_out, established : accept, related : accept, untracked : jump ct_untracked_out }
+		oifname vmap @if_output
+		log prefix "NFT REJECT OUT " flags ip options flags ether limit rate 5/second burst 10 packets reject
+	}
+
+	chain ct_invalid_out {
+		counter packets 0 bytes 0 drop
+	}
+
+	chain ct_untracked_out {
+		icmpv6 type { mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } return
+		counter packets 0 bytes 0 drop
+	}
+
+	chain public_output {
+		ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 }
+		icmp type { destination-unreachable, echo-request, time-exceeded, parameter-problem } accept
+		icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
+		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
+		icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept
+		udp dport 547 ip6 saddr fe80::/64 ip6 daddr ff02::1:2 accept
+		udp dport { 53, 123 } accept
+		tcp dport { 443, 587, 853 } accept
+	}
+
+	chain home_output {
+		icmp type { destination-unreachable, echo-request, time-exceeded, parameter-problem } accept
+		icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
+		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
+		icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept
+		udp sport 547 udp dport 546 ip6 saddr fe80::/64 oifname { "eth1", "eth2.10", "eth2.20" } accept
+		udp sport 67 udp dport 68 ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } accept
+		tcp dport 22 ip daddr 192.168.1.10 accept
+	}
+
+	chain POSTROUTING_SRCNAT {
+		type nat hook postrouting priority srcnat; policy accept;
+		ip saddr { 192.168.1.0-192.168.4.255 } oifname "eth0" masquerade
+	}
+}
diff --git a/tests/shell/testcases/nft-f/sample-ruleset b/tests/shell/testcases/nft-f/sample-ruleset
new file mode 100755
index 0000000..763e41a
--- /dev/null
+++ b/tests/shell/testcases/nft-f/sample-ruleset
@@ -0,0 +1,262 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_chain_binding)
+
+$NFT -f /dev/stdin <<"EOF"
+define public_if = eth0
+define trusted_if = eth1
+define voip_if = eth2.10
+define guest_if = eth2.20
+define home_if = { $trusted_if, $voip_if, $guest_if }
+define home_ipv6_if = { $trusted_if, $voip_if, $guest_if }
+
+define masq_ip = { 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 }
+define masq_if = $public_if
+
+define host1_ip = 192.168.1.10
+define host2_ip = 192.168.2.20
+define host3_ip = 192.168.3.30
+define host4_ip = 192.168.4.40
+
+define proxy_port = 8443
+
+define private_ip = { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
+define private_ip6 = { fe80::/64, fd00::/8 }
+define bogons_ip = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3 }
+define bogons_ip6 = { ::/3, 2001:0002::/48, 2001:0003::/32, 2001:10::/28, 2001:20::/28, 2001::/32, 2001:db8::/32, 2002::/16, 3000::/4, 4000::/2, 8000::/1 }
+
+define sip_whitelist_ip6 = { 2001:db8::1/128, 2001:db8::2/128 }
+define smtps_whitelist_ip = 10.0.0.1
+define protocol_whitelist = { tcp, udp, icmp, ipv6-icmp }
+
+table inet filter {
+	map if_input {
+		type ifname : verdict;
+		elements = { $public_if : jump public_input, $trusted_if : jump home_input, $voip_if : jump home_input, $guest_if : jump home_input }
+	}
+	map if_forward {
+		type ifname : verdict;
+		elements = { $public_if : jump public_forward, $trusted_if : jump trusted_forward, $voip_if : jump voip_forward, $guest_if : jump guest_forward }
+	}
+	map if_output {
+		type ifname : verdict;
+		elements = { $public_if : jump public_output, $trusted_if : jump home_output, $voip_if : jump home_output, $guest_if : jump home_output }
+	}
+
+	set ipv4_blacklist { type ipv4_addr; flags interval; auto-merge; }
+	set ipv6_blacklist { type ipv6_addr; flags interval; auto-merge; }
+	set limit_src_ip { type ipv4_addr; flags dynamic, timeout; size 1024; }
+	set limit_src_ip6 { type ipv6_addr; flags dynamic, timeout; size 1024; }
+
+	chain PREROUTING_RAW {
+		type filter hook prerouting priority raw;
+
+		meta l4proto != $protocol_whitelist counter drop
+		tcp flags syn jump {
+			tcp option maxseg size 1-500 counter drop
+			tcp sport 0 counter drop
+		}
+		rt type 0 counter drop
+	}
+
+	chain PREROUTING_MANGLE {
+		type filter hook prerouting priority mangle;
+
+		ct state vmap { invalid : jump ct_invalid_pre, untracked : jump ct_untracked_pre, new : jump ct_new_pre, related : jump rpfilter }
+	}
+	chain ct_invalid_pre {
+		counter drop
+	}
+	chain ct_untracked_pre {
+		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, mld2-listener-report } return
+		counter drop
+	}
+	chain ct_new_pre {
+		jump rpfilter
+
+		tcp flags & (fin|syn|rst|ack) != syn counter drop
+
+		iifname $public_if meta nfproto vmap { ipv4 : jump blacklist_input_ipv4, ipv6 : jump blacklist_input_ipv6 }
+	}
+	chain rpfilter {
+		ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport bootpc udp dport bootps return
+		ip6 saddr ::/128 ip6 daddr . icmpv6 type { ff02::1:ff00:0/104 . nd-neighbor-solicit, ff02::16 . mld2-listener-report } return
+
+		fib saddr . iif oif eq 0 counter drop
+	}
+	chain blacklist_input_ipv4{
+		ip saddr $bogons_ip counter drop
+		ip saddr @ipv4_blacklist counter drop
+	}
+	chain blacklist_input_ipv6{
+		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/64 return
+		udp sport dhcpv6-server ip6 saddr fe80::/64 return
+
+		ip6 saddr $bogons_ip6 counter drop
+		ip6 saddr @ipv6_blacklist counter drop
+	}
+
+	chain INPUT {
+		type filter hook input priority filter; policy drop;
+
+		iif lo accept
+
+		ct state established,related accept
+
+		iifname vmap @if_input
+
+		log prefix "NFT REJECT IN " flags ether flags ip options limit rate 5/second burst 10 packets reject
+	}
+	chain public_input {
+		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/64 ip6 hoplimit 255 accept
+
+		udp sport dhcpv6-server udp dport dhcpv6-client ip6 saddr fe80::/64 accept
+		fib daddr type { broadcast, multicast, anycast } counter drop
+
+		counter drop
+	}
+	chain home_input {
+		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
+		icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept
+
+		udp sport bootpc udp dport bootps accept
+		udp sport dhcpv6-client udp dport dhcpv6-server iifname $home_ipv6_if accept
+
+		fib daddr type { broadcast, multicast, anycast } counter drop
+
+		icmp type echo-request accept
+		icmpv6 type echo-request accept
+
+		tcp dport ssh iifname $trusted_if accept
+
+		meta l4proto { tcp, udp } th dport domain jump {
+			ip6 saddr != $private_ip6 counter reject
+			accept
+		}
+
+		udp dport ntp accept
+
+		tcp dport $proxy_port accept
+	}
+
+	chain FORWARD_MANGLE {
+		type filter hook forward priority mangle;
+
+		oifname $public_if jump {
+			ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 }
+			tcp flags & (syn|rst) == syn tcp option maxseg size set rt mtu
+		}
+	}
+	chain blacklist_output_ipv4 {
+		ip daddr $bogons_ip goto log_blacklist
+		ip daddr @ipv4_blacklist goto log_blacklist
+	}
+	chain blacklist_output_ipv6 {
+		icmpv6 type . ip6 daddr { nd-router-solicit . ff02::2/128, nd-neighbor-solicit . ff02::1:ff00:0/104, nd-neighbor-advert . fe80::/64, nd-neighbor-advert . ff02::1/128, nd-neighbor-advert . ff02::1:ff00:0/104, mld2-listener-report . ff02::16/128 } return
+		udp dport dhcpv6-server ip6 daddr ff02::1:2 return
+
+		ip6 daddr $bogons_ip6 goto log_blacklist
+		ip6 daddr @ipv6_blacklist goto log_blacklist
+	}
+	chain log_blacklist {
+		log prefix "NFT BLACKLIST " flags ether flags ip options limit rate 5/minute burst 10 packets drop
+		counter drop
+	}
+
+	chain FORWARD {
+		type filter hook forward priority filter; policy drop;
+
+		ct state established,related accept
+
+		fib daddr type { broadcast, multicast, anycast } counter drop
+
+		iifname vmap @if_forward
+
+		log prefix "NFT REJECT FWD " flags ether flags ip options limit rate 5/second burst 10 packets reject
+	}
+	chain public_forward {
+		udp dport { 5060, 7078-7097 } oifname $voip_if jump {
+			ip6 saddr $sip_whitelist_ip6 accept
+			meta nfproto ipv6 log prefix "NFT DROP SIP " flags ether flags ip options limit rate 5/second burst 10 packets drop
+		}
+
+		counter drop
+	}
+	chain trusted_forward {
+		oifname $public_if accept
+
+		icmp type echo-request accept
+		icmpv6 type echo-request accept
+
+		ip daddr { $host3_ip, $host4_ip } tcp dport vmap { ssh : accept, https : accept, http : drop }
+
+		ip daddr $host2_ip jump {
+			tcp dport { http, https, printer, ipp, 9100 } accept
+			udp dport snmp accept
+		}
+	}
+	chain voip_forward {
+		icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } oifname $public_if accept
+
+		ip6 daddr $sip_whitelist_ip6 jump {
+			udp dport { 3478, 5060 } accept
+			udp sport { 7078-7097 } accept
+			tcp dport 5061 accept
+		}
+
+		tcp dport 587 ip daddr $smtps_whitelist_ip accept
+		tcp dport http oifname $public_if counter reject
+	}
+	chain guest_forward {
+		oifname $public_if accept
+	}
+
+	chain OUTPUT {
+		type filter hook output priority filter; policy drop;
+
+		oif lo accept
+
+		ct state vmap { established : accept, related : accept, invalid : jump ct_invalid_out, untracked : jump ct_untracked_out }
+
+		oifname vmap @if_output
+
+		log prefix "NFT REJECT OUT " flags ether flags ip options limit rate 5/second burst 10 packets reject
+	}
+	chain ct_invalid_out {
+		counter drop
+	}
+	chain ct_untracked_out {
+		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, mld2-listener-report } return
+		counter drop
+	}
+	chain public_output {
+		ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 }
+
+		icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept
+		icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
+		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
+		icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept
+
+		udp dport dhcpv6-server ip6 saddr fe80::/64 ip6 daddr ff02::1:2 accept
+
+		udp dport { domain, ntp } accept
+		tcp dport { https, 587, domain-s } accept
+	}
+	chain home_output {
+		icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept
+		icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
+		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
+		icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept
+
+		udp sport dhcpv6-server udp dport dhcpv6-client ip6 saddr fe80::/64 oifname $home_ipv6_if accept
+		udp sport bootps udp dport bootpc ip saddr $private_ip accept
+		tcp dport ssh ip daddr $host1_ip accept
+	}
+
+	chain POSTROUTING_SRCNAT {
+		type nat hook postrouting priority srcnat;
+
+		meta nfproto ipv4 ip saddr $masq_ip oifname $masq_if masquerade
+	}
+}
+EOF
diff --git a/tests/shell/testcases/nft-i/0001define_0 b/tests/shell/testcases/nft-i/0001define_0
new file mode 100755
index 0000000..62e1b6d
--- /dev/null
+++ b/tests/shell/testcases/nft-i/0001define_0
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+
+# test if using defines in interactive nft sessions works
+
+$NFT -i >/dev/null <<EOF
+add table inet t
+add chain inet t c
+define ports = { 22, 443 }
+add rule inet t c tcp dport \$ports accept
+add rule inet t c udp dport \$ports accept
+EOF
+
+$NFT -i >/dev/null <<EOF
+define port = 22
+flush chain inet t c
+redefine port = 443
+delete chain inet t c
+undefine port
+delete table inet t
+EOF
diff --git a/tests/shell/testcases/nft-i/dumps/0001define_0.nft b/tests/shell/testcases/nft-i/dumps/0001define_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-i/dumps/0001define_0.nft
diff --git a/tests/shell/testcases/optimizations/dependency_kill b/tests/shell/testcases/optimizations/dependency_kill
new file mode 100755
index 0000000..904eecf
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dependency_kill
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table bridge foo {
+	chain bar {
+		meta protocol ip udp dport 67
+		meta protocol ip6 udp dport 67
+		ether type ip udp dport 67
+		ether type ip6 udp dport 67
+	}
+}
+table ip foo {
+	chain bar {
+		meta protocol ip udp dport 67
+		meta protocol ip6 udp dport 67
+		ether type ip udp dport 67
+		ether type ip6 udp dport 67
+	}
+}
+table ip6 foo {
+	chain bar {
+		meta protocol ip udp dport 67
+		meta protocol ip6 udp dport 67
+		ether type ip udp dport 67
+		ether type ip6 udp dport 67
+	}
+}
+table netdev foo {
+	chain bar {
+		meta protocol ip udp dport 67
+		meta protocol ip6 udp dport 67
+		ether type ip udp dport 67
+		ether type ip6 udp dport 67
+	}
+}
+table inet foo {
+	chain bar {
+		meta protocol ip udp dport 67
+		meta protocol ip6 udp dport 67
+		ether type ip udp dport 67
+		ether type ip6 udp dport 67
+		meta nfproto ipv4 udp dport 67
+		meta nfproto ipv6 udp dport 67
+	}
+}"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/dumps/dependency_kill.nft b/tests/shell/testcases/optimizations/dumps/dependency_kill.nft
new file mode 100644
index 0000000..1781f7b
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/dependency_kill.nft
@@ -0,0 +1,42 @@
+table bridge foo {
+	chain bar {
+		meta protocol ip udp dport 67
+		meta protocol ip6 udp dport 67
+		ether type ip udp dport 67
+		ether type ip6 udp dport 67
+	}
+}
+table ip foo {
+	chain bar {
+		udp dport 67
+		meta protocol ip6 udp dport 67
+		udp dport 67
+		ether type ip6 udp dport 67
+	}
+}
+table ip6 foo {
+	chain bar {
+		meta protocol ip udp dport 67
+		udp dport 67
+		ether type ip udp dport 67
+		udp dport 67
+	}
+}
+table netdev foo {
+	chain bar {
+		meta protocol ip udp dport 67
+		meta protocol ip6 udp dport 67
+		ether type ip udp dport 67
+		ether type ip6 udp dport 67
+	}
+}
+table inet foo {
+	chain bar {
+		meta protocol ip udp dport 67
+		meta protocol ip6 udp dport 67
+		ether type ip udp dport 67
+		ether type ip6 udp dport 67
+		meta nfproto ipv4 udp dport 67
+		meta nfproto ipv6 udp dport 67
+	}
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat.nft b/tests/shell/testcases/optimizations/dumps/merge_nat.nft
new file mode 100644
index 0000000..48d18a6
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_nat.nft
@@ -0,0 +1,40 @@
+table ip test1 {
+	chain y {
+		oif "lo" accept
+		dnat to ip saddr map { 4.4.4.4 : 1.1.1.1, 5.5.5.5 : 2.2.2.2 }
+	}
+}
+table ip test2 {
+	chain y {
+		oif "lo" accept
+		dnat ip to tcp dport map { 80 : 1.1.1.1 . 8001, 81 : 2.2.2.2 . 9001 }
+		ip saddr { 10.141.11.0/24, 10.141.13.0/24 } masquerade
+	}
+}
+table ip test3 {
+	chain y {
+		oif "lo" accept
+		snat to ip saddr . tcp sport map { 1.1.1.1 . 1024-65535 : 3.3.3.3, 2.2.2.2 . 1024-65535 : 4.4.4.4 }
+		oifname "enp2s0" snat ip to ip saddr map { 10.1.1.0/24 : 72.2.3.66-72.2.3.78 }
+		tcp dport { 8888, 9999 } redirect
+	}
+}
+table ip test4 {
+	chain y {
+		oif "lo" accept
+		dnat ip to ip daddr . tcp dport map { 1.1.1.1 . 80 : 4.4.4.4 . 8000, 2.2.2.2 . 81 : 3.3.3.3 . 9000 }
+		redirect to :tcp dport map { 83 : 8083, 84 : 8084 }
+		tcp dport 85 redirect
+	}
+}
+table inet nat {
+	chain prerouting {
+		oif "lo" accept
+		dnat ip to iifname . ip daddr . tcp dport map { "enp2s0" . 72.2.3.70 . 80 : 10.1.1.52 . 80, "enp2s0" . 72.2.3.66 . 53122 : 10.1.1.10 . 22, "enp2s0" . 72.2.3.66 . 443 : 10.1.1.52 . 443 }
+	}
+
+	chain postrouting {
+		oif "lo" accept
+		snat ip to ip daddr map { 72.2.3.66 : 10.2.2.2, 72.2.3.67 : 10.2.3.3 }
+	}
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_reject.nft b/tests/shell/testcases/optimizations/dumps/merge_reject.nft
new file mode 100644
index 0000000..c29ad6d
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_reject.nft
@@ -0,0 +1,13 @@
+table ip x {
+	chain y {
+		ip daddr 172.30.33.70 tcp dport 3306 counter packets 0 bytes 0 drop
+		meta l4proto . ip daddr . tcp dport { tcp . 172.30.238.117 . 8080, tcp . 172.30.33.71 . 3306, tcp . 172.30.254.251 . 3306 } counter packets 0 bytes 0 reject
+		ip daddr 172.30.254.252 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset
+	}
+}
+table ip6 x {
+	chain y {
+		meta l4proto . ip6 daddr . tcp dport { tcp . aaaa::3 . 8080, tcp . aaaa::2 . 3306, tcp . aaaa::4 . 3306 } counter packets 0 bytes 0 reject
+		ip6 daddr aaaa::5 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset
+	}
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts.nft
new file mode 100644
index 0000000..b56ea3e
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_stmts.nft
@@ -0,0 +1,5 @@
+table ip x {
+	chain y {
+		ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept
+	}
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft
new file mode 100644
index 0000000..f56cea1
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat.nft
@@ -0,0 +1,18 @@
+table ip x {
+	chain y {
+		iifname . ip saddr . ip daddr { "eth1" . 1.1.1.1 . 2.2.2.3, "eth1" . 1.1.1.2 . 2.2.2.4, "eth1" . 1.1.1.2 . 2.2.3.0/24, "eth1" . 1.1.1.2 . 2.2.4.0-2.2.4.10, "eth2" . 1.1.1.3 . 2.2.2.5 } accept
+		ip protocol . th dport { tcp . 22, udp . 67 }
+	}
+
+	chain c1 {
+		udp dport . iifname { 51820 . "foo", 514 . "bar", 67 . "bar" } accept
+	}
+
+	chain c2 {
+		udp dport . iifname { 100 . "foo", 51820 . "foo", 514 . "bar", 67 . "bar" } accept
+	}
+
+	chain c3 {
+		udp dport . iifname { 100 . "foo", 51820 . "foo", 514 . "bar", 67 . "bar", 100 . "test", 51820 . "test" } accept
+	}
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.nft
new file mode 100644
index 0000000..780aa09
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_concat_vmap.nft
@@ -0,0 +1,9 @@
+table ip x {
+	chain x {
+		meta pkttype . udp dport vmap { broadcast . 547 : accept, broadcast . 67 : accept, multicast . 1900 : drop }
+	}
+
+	chain y {
+		ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop, 4.4.4.4 . 5.5.5.5 : accept }
+	}
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.nft b/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.nft
new file mode 100644
index 0000000..8ecbd92
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_stmts_vmap.nft
@@ -0,0 +1,13 @@
+table ip x {
+	chain y {
+		ct state vmap { invalid : drop, established : accept, related : accept }
+	}
+
+	chain z {
+		tcp dport vmap { 1 : accept, 2-3 : drop, 4 : accept }
+	}
+
+	chain w {
+		ip saddr vmap { 1.1.1.1 counter packets 0 bytes 0 : accept, 1.1.1.2 counter packets 0 bytes 0 : drop }
+	}
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.nft b/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.nft
new file mode 100644
index 0000000..1884711
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_vmap_raw.nft
@@ -0,0 +1,31 @@
+table inet x {
+	chain nat_dns_dnstc {
+		meta l4proto udp redirect to :5300
+		drop
+	}
+
+	chain nat_dns_this_5301 {
+		meta l4proto udp redirect to :5301
+		drop
+	}
+
+	chain nat_dns_saturn_5301 {
+		meta nfproto ipv4 meta l4proto udp dnat ip to 240.0.1.2:5301
+		drop
+	}
+
+	chain nat_dns_saturn_5302 {
+		meta nfproto ipv4 meta l4proto udp dnat ip to 240.0.1.2:5302
+		drop
+	}
+
+	chain nat_dns_saturn_5303 {
+		meta nfproto ipv4 meta l4proto udp dnat ip to 240.0.1.2:5303
+		drop
+	}
+
+	chain nat_dns_acme {
+		udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : goto nat_dns_dnstc, 62-78 . 0xe31393032383939353831343037320e : goto nat_dns_this_5301, 62-78 . 0xe31363436323733373931323934300e : goto nat_dns_saturn_5301, 62-78 . 0xe32393535373539353636383732310e : goto nat_dns_saturn_5302, 62-78 . 0xe38353439353637323038363633390e : goto nat_dns_saturn_5303 }
+		drop
+	}
+}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft b/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft
new file mode 100644
index 0000000..c981acf
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft
@@ -0,0 +1,20 @@
+table ip x {
+	set s {
+		type ipv4_addr
+		size 65535
+		flags dynamic
+	}
+
+	chain filter_in_tcp {
+	}
+
+	chain filter_in_udp {
+	}
+
+	chain y {
+		update @s { ip saddr limit rate 12/minute burst 30 packets } accept
+		tcp dport vmap { 80 : accept, 81 : accept, 443 : accept, 8000-8100 : accept, 24000-25000 : accept }
+		meta l4proto vmap { tcp : goto filter_in_tcp, udp : goto filter_in_udp }
+		log
+	}
+}
diff --git a/tests/shell/testcases/optimizations/dumps/not_mergeable.nft b/tests/shell/testcases/optimizations/dumps/not_mergeable.nft
new file mode 100644
index 0000000..02b8920
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/not_mergeable.nft
@@ -0,0 +1,19 @@
+table ip x {
+	chain t1 {
+	}
+
+	chain t2 {
+	}
+
+	chain t3 {
+	}
+
+	chain t4 {
+	}
+
+	chain y {
+		counter packets 0 bytes 0 jump t1
+		counter packets 0 bytes 0 jump t2
+		ip version vmap { 4 : jump t3, 6 : jump t4 }
+	}
+}
diff --git a/tests/shell/testcases/optimizations/dumps/ruleset.nft b/tests/shell/testcases/optimizations/dumps/ruleset.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/ruleset.nft
diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft
new file mode 100644
index 0000000..3f70303
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft
@@ -0,0 +1,16 @@
+table ip test {
+	chain test {
+		ip saddr 127.0.0.1 accept
+		iif "lo" accept
+		tcp dport != 22 drop
+		ip saddr 127.0.0.0/8 accept
+		ip saddr 127.0.0.1-192.168.7.3 accept
+		tcp sport 1-1023 drop
+		ip daddr { 192.168.7.1, 192.168.7.5 } accept
+		tcp dport { 80, 443 } accept
+		ip daddr . tcp dport { 192.168.0.1 . 22 } accept
+		meta mark set ip daddr map { 192.168.0.1 : 0x00000001 }
+		ct state { established, related } accept
+		meta mark { 0x0000000a counter packets 0 bytes 0 }
+	}
+}
diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input
new file mode 100644
index 0000000..ecc5691
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input
@@ -0,0 +1,38 @@
+table ip test {
+	chain test {
+		# Test cases where anon set can be removed:
+		ip saddr { 127.0.0.1 } accept
+		iif { "lo" } accept
+
+		# negation, can change to != 22.
+		tcp dport != { 22 } drop
+
+		# single prefix, can remove anon set.
+		ip saddr { 127.0.0.0/8 } accept
+
+		# range, can remove anon set.
+		ip saddr { 127.0.0.1-192.168.7.3 } accept
+		tcp sport { 1-1023 } drop
+
+		# Test cases where anon set must be kept.
+
+		# 2 elements, cannot remove the anon set.
+		ip daddr { 192.168.7.1, 192.168.7.5 } accept
+		tcp dport { 80, 443 } accept
+
+		# single element, but concatenation which is not
+		# supported outside of set/map context at this time.
+		ip daddr . tcp dport { 192.168.0.1 . 22 } accept
+
+		# single element, but a map.
+		meta mark set ip daddr map { 192.168.0.1 : 1 }
+
+		# 2 elements.  This could be converted because
+		# ct state cannot be both established and related
+		# at the same time, but this needs extra work.
+		ct state { established, related } accept
+
+		# with stateful statement
+		meta mark { 0x0000000a counter }
+	}
+}
diff --git a/tests/shell/testcases/optimizations/dumps/skip_merge.nft b/tests/shell/testcases/optimizations/dumps/skip_merge.nft
new file mode 100644
index 0000000..9c10b74
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/skip_merge.nft
@@ -0,0 +1,23 @@
+table inet filter {
+	set udp_accepted {
+		type inet_service
+		elements = { 500, 4500 }
+	}
+
+	set tcp_accepted {
+		type inet_service
+		elements = { 80, 443 }
+	}
+
+	chain udp_input {
+		udp dport 1-128 accept
+		udp dport @udp_accepted accept
+		udp dport 53 accept
+	}
+
+	chain tcp_input {
+		tcp dport { 1-128, 8888-9999 } accept
+		tcp dport @tcp_accepted accept
+		tcp dport 1024-65535 accept
+	}
+}
diff --git a/tests/shell/testcases/optimizations/dumps/skip_non_eq.nft b/tests/shell/testcases/optimizations/dumps/skip_non_eq.nft
new file mode 100644
index 0000000..6df3865
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/skip_non_eq.nft
@@ -0,0 +1,6 @@
+table inet x {
+	chain y {
+		iifname "eth0" oifname != "eth0" counter packets 0 bytes 0 accept
+		iifname "eth0" oifname "eth0" counter packets 0 bytes 0 accept
+	}
+}
diff --git a/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft b/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft
new file mode 100644
index 0000000..f24855e
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft
@@ -0,0 +1,18 @@
+table inet x {
+	set GEOIP_CC_wan-lan_120 {
+		type ipv4_addr
+		flags interval
+		elements = { 1.32.128.0/18, 1.32.200.0-1.32.204.128,
+			     1.32.207.0/24, 1.32.216.118-1.32.216.255,
+			     1.32.219.0-1.32.222.255, 1.32.226.0/23,
+			     1.32.231.0/24, 1.32.233.0/24,
+			     1.32.238.0/23, 1.32.240.0/24,
+			     223.223.220.0/22, 223.255.254.0/24 }
+	}
+
+	chain y {
+		ip saddr 1.2.3.4 tcp dport 80 meta mark set 0x0000000a accept
+		ip saddr 1.2.3.4 tcp dport 81 meta mark set 0x0000000b accept
+		ip saddr . tcp dport { 1.2.3.5 . 81, 1.2.3.5 . 82 } accept
+	}
+}
diff --git a/tests/shell/testcases/optimizations/dumps/variables.nft b/tests/shell/testcases/optimizations/dumps/variables.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/variables.nft
diff --git a/tests/shell/testcases/optimizations/merge_nat b/tests/shell/testcases/optimizations/merge_nat
new file mode 100755
index 0000000..3a57d94
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_nat
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip test1 {
+        chain y {
+                oif lo accept
+                ip saddr 4.4.4.4 dnat to 1.1.1.1
+                ip saddr 5.5.5.5 dnat to 2.2.2.2
+        }
+}"
+
+$NFT -o -f - <<< $RULESET
+
+RULESET="table ip test2 {
+        chain y {
+                oif lo accept
+                tcp dport 80 dnat to 1.1.1.1:8001
+                tcp dport 81 dnat to 2.2.2.2:9001
+                ip saddr 10.141.11.0/24 masquerade
+                ip saddr 10.141.13.0/24 masquerade
+        }
+}"
+
+$NFT -o -f - <<< $RULESET
+
+RULESET="table ip test3 {
+        chain y {
+                oif lo accept
+                ip saddr 1.1.1.1 tcp sport 1024-65535 snat to 3.3.3.3
+                ip saddr 2.2.2.2 tcp sport 1024-65535 snat to 4.4.4.4
+                oifname enp2s0 snat ip to ip saddr map { 10.1.1.0/24 : 72.2.3.66-72.2.3.78 }
+                tcp dport 8888 redirect
+                tcp dport 9999 redirect
+        }
+}"
+
+$NFT -o -f - <<< $RULESET
+
+RULESET="table ip test4 {
+        chain y {
+                oif lo accept
+                ip daddr 1.1.1.1 tcp dport 80 dnat to 4.4.4.4:8000
+                ip daddr 2.2.2.2 tcp dport 81 dnat to 3.3.3.3:9000
+                tcp dport 83 redirect to :8083
+                tcp dport 84 redirect to :8084
+                tcp dport 85 redirect
+        }
+}"
+
+$NFT -o -f - <<< $RULESET
+
+RULESET="table inet nat {
+	chain prerouting {
+		oif lo accept
+		iifname enp2s0 ip daddr 72.2.3.66 tcp dport 53122 dnat to 10.1.1.10:22
+		iifname enp2s0 ip daddr 72.2.3.66 tcp dport 443 dnat to 10.1.1.52:443
+		iifname enp2s0 ip daddr 72.2.3.70 tcp dport 80 dnat to 10.1.1.52:80
+	}
+	chain postrouting {
+		oif lo accept
+		ip daddr 72.2.3.66 snat to 10.2.2.2
+		ip daddr 72.2.3.67 snat to 10.2.3.3
+	}
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/merge_reject b/tests/shell/testcases/optimizations/merge_reject
new file mode 100755
index 0000000..c0ef9ca
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_reject
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+	chain y {
+		meta l4proto tcp ip daddr 172.30.33.70 tcp dport 3306 counter packets 0 bytes 0 drop
+		meta l4proto tcp ip daddr 172.30.33.71 tcp dport 3306 counter packets 0 bytes 0 reject
+		meta l4proto tcp ip daddr 172.30.238.117 tcp dport 8080 counter packets 0 bytes 0 reject
+		meta l4proto tcp ip daddr 172.30.254.251 tcp dport 3306 counter packets 0 bytes 0 reject
+		meta l4proto tcp ip daddr 172.30.254.252 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset
+	}
+}"
+
+$NFT -o -f - <<< $RULESET
+
+RULESET="table ip6 x {
+	chain y {
+		meta l4proto tcp ip6 daddr aaaa::2 tcp dport 3306 counter packets 0 bytes 0 reject
+		meta l4proto tcp ip6 daddr aaaa::3 tcp dport 8080 counter packets 0 bytes 0 reject
+		meta l4proto tcp ip6 daddr aaaa::4 tcp dport 3306 counter packets 0 bytes 0 reject
+		meta l4proto tcp ip6 daddr aaaa::5 tcp dport 3306 counter packets 0 bytes 0 reject with tcp reset
+	}
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/merge_stmts b/tests/shell/testcases/optimizations/merge_stmts
new file mode 100755
index 0000000..ec7a9dd
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_stmts
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+	chain y {
+		ip daddr 192.168.0.1 counter accept comment "test1"
+		ip daddr 192.168.0.2 counter accept comment "test2"
+		ip daddr 192.168.0.3 counter accept comment "test3"
+	}
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/merge_stmts_concat b/tests/shell/testcases/optimizations/merge_stmts_concat
new file mode 100755
index 0000000..9679d86
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_stmts_concat
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+	chain y {
+		meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
+		meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
+		meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
+		meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
+		meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
+		ip protocol . th dport { tcp . 22, udp . 67 }
+	}
+}"
+
+$NFT -o -f - <<< $RULESET
+
+RULESET="table ip x {
+	chain c1 {
+		udp dport 51820 iifname "foo" accept
+		udp dport { 67, 514 } iifname "bar" accept
+	}
+
+	chain c2 {
+		udp dport { 51820, 100 } iifname "foo" accept
+		udp dport { 67, 514 } iifname "bar" accept
+	}
+
+	chain c3 {
+		udp dport { 51820, 100 } iifname { "foo", "test" } accept
+		udp dport { 67, 514 } iifname "bar" accept
+	}
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/merge_stmts_concat_vmap b/tests/shell/testcases/optimizations/merge_stmts_concat_vmap
new file mode 100755
index 0000000..657d0ae
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_stmts_concat_vmap
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+	chain x {
+		meta pkttype broadcast udp dport { 67, 547 } accept
+		meta pkttype multicast udp dport 1900 drop
+	}
+	chain y {
+		ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
+		ip saddr 4.4.4.4 ip daddr 5.5.5.5 accept
+		ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop
+	}
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/merge_stmts_vmap b/tests/shell/testcases/optimizations/merge_stmts_vmap
new file mode 100755
index 0000000..6e0f076
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_stmts_vmap
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+	chain y {
+		ct state invalid drop
+		ct state established,related accept
+	}
+	chain z {
+		tcp dport { 1 } accept
+		tcp dport 2-3 drop
+		tcp dport 4 accept
+	}
+	chain w {
+		ip saddr 1.1.1.1 counter accept
+		ip saddr 1.1.1.2 counter drop
+	}
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/merge_vmap_raw b/tests/shell/testcases/optimizations/merge_vmap_raw
new file mode 100755
index 0000000..f3dc072
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_vmap_raw
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table inet x {
+	chain nat_dns_dnstc     { meta l4proto udp redirect to :5300 ; drop ; }
+        chain nat_dns_this_5301 { meta l4proto udp redirect to :5301 ; drop ; }
+        chain nat_dns_saturn_5301  { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5301 ; drop ; }
+        chain nat_dns_saturn_5302  { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5302 ; drop ; }
+        chain nat_dns_saturn_5303  { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5303 ; drop ; }
+
+        chain nat_dns_acme {
+                udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 \
+                        goto nat_dns_dnstc
+
+                udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e \
+                        goto nat_dns_this_5301
+
+                udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e \
+                        goto nat_dns_saturn_5301
+
+                udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e \
+                        goto nat_dns_saturn_5302
+
+                udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e \
+                        goto nat_dns_saturn_5303
+
+                drop
+        }
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/merge_vmaps b/tests/shell/testcases/optimizations/merge_vmaps
new file mode 100755
index 0000000..e2e4be1
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_vmaps
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+	set s {
+		type ipv4_addr
+		flags dynamic
+	}
+	chain filter_in_tcp {
+	}
+	chain filter_in_udp {
+	}
+	chain y {
+	        update @s { ip saddr limit rate 12/minute burst 30 packets } accept
+		tcp dport vmap {
+			80 : accept,
+			81 : accept,
+			443 : accept,
+		}
+		tcp dport vmap {
+			8000-8100 : accept,
+			24000-25000 : accept,
+		}
+		meta l4proto tcp goto filter_in_tcp
+		meta l4proto udp goto filter_in_udp
+		log
+	}
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/not_mergeable b/tests/shell/testcases/optimizations/not_mergeable
new file mode 100755
index 0000000..ddb2f0f
--- /dev/null
+++ b/tests/shell/testcases/optimizations/not_mergeable
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+	chain t1 {
+	}
+	chain t2 {
+	}
+	chain t3 {
+	}
+	chain t4 {
+	}
+	chain y {
+		counter jump t1
+		counter jump t2
+		ip version 4 jump t3
+		ip version 6 jump t4
+	}
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/ruleset b/tests/shell/testcases/optimizations/ruleset
new file mode 100755
index 0000000..ef2652d
--- /dev/null
+++ b/tests/shell/testcases/optimizations/ruleset
@@ -0,0 +1,168 @@
+#!/bin/bash
+
+RULESET="table inet uni {
+	chain gtfo {
+		reject with icmpx type host-unreachable
+		drop
+	}
+
+	chain filter_in_tcp {
+		tcp dport vmap {
+			   80 : accept,
+			   81 : accept,
+			  443 : accept,
+			  931 : accept,
+			 5001 : accept,
+			 5201 : accept,
+		}
+		tcp dport vmap {
+			 6800-6999  : accept,
+			33434-33499 : accept,
+		}
+
+		drop
+	}
+
+	chain filter_in_udp {
+		udp dport vmap {
+			   53 : accept,
+			  123 : accept,
+			  846 : accept,
+			  849 : accept,
+			 5001 : accept,
+			 5201 : accept,
+		}
+		udp dport vmap {
+			 5300-5399  : accept,
+			 6800-6999  : accept,
+			33434-33499 : accept,
+		}
+
+		drop
+	}
+
+	chain filter_in {
+		type filter hook input priority 0; policy drop;
+
+		ct state vmap {
+			invalid     : drop,
+			established : accept,
+			related     : accept,
+			untracked   : accept,
+		}
+
+		ct status vmap {
+			dnat : accept,
+			snat : accept,
+		}
+
+		iif lo  accept
+
+		meta iifgroup {100-199}  accept
+
+		meta l4proto tcp  goto filter_in_tcp
+		meta l4proto udp  goto filter_in_udp
+
+		icmp type vmap {
+			echo-request : accept,
+		}
+		ip6 nexthdr icmpv6 icmpv6 type vmap {
+			echo-request : accept,
+		}
+	}
+
+	chain filter_fwd_ifgroup {
+		meta iifgroup . oifgroup vmap {
+		          100 .  10 : accept,
+		          100 . 100 : accept,
+		          100 . 101 : accept,
+		          101 . 101 : accept,
+		}
+		goto gtfo
+	}
+
+	chain filter_fwd {
+		type filter hook forward priority 0; policy drop;
+
+		fib daddr type broadcast  drop
+
+		ct state vmap {
+			invalid     : drop,
+			established : accept,
+			related     : accept,
+			untracked   : accept,
+		}
+
+		ct status vmap {
+			dnat : accept,
+			snat : accept,
+		}
+
+		meta iifgroup {100-199}  goto filter_fwd_ifgroup
+	}
+
+	chain nat_fwd_tun {
+		meta l4proto tcp redirect to :15
+		udp dport 53 redirect to :13
+		goto gtfo
+	}
+
+	chain nat_dns_dnstc     { meta l4proto udp redirect to :5300 ; drop ; }
+	chain nat_dns_this_5301 { meta l4proto udp redirect to :5301 ; drop ; }
+	chain nat_dns_moon_5301  { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5301 ; drop ; }
+	chain nat_dns_moon_5302  { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5302 ; drop ; }
+	chain nat_dns_moon_5303  { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5303 ; drop ; }
+
+	chain nat_dns_acme {
+		udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 \
+			goto nat_dns_dnstc
+
+		udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e \
+			goto nat_dns_this_5301
+
+		udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e \
+			goto nat_dns_moon_5301
+
+		udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e \
+			goto nat_dns_moon_5302
+
+		udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e \
+			goto nat_dns_moon_5303
+
+		drop
+	}
+
+	chain nat_prerouting {
+		type nat hook prerouting priority -100; policy accept;
+
+		iifgroup 10 udp dport 53 goto nat_dns_acme
+		iifgroup 10 accept
+
+		ip  daddr 198.19.0.0/16  goto nat_fwd_tun
+		ip6 daddr fc00::/8       goto nat_fwd_tun
+
+		tcp dport 53 redirect to :25302
+		udp dport 53 redirect to :25302
+	}
+
+	chain nat_output {
+		type nat hook output priority -100; policy accept;
+
+		ip  daddr 198.19.0.0/16  goto nat_fwd_tun
+		ip6 daddr fc00::/8       goto nat_fwd_tun
+	}
+
+	chain nat_postrouting {
+		type nat hook postrouting priority 100; policy accept;
+
+		oif != lo masquerade
+	}
+
+	chain mangle_forward {
+		type filter hook forward priority -150; policy accept;
+
+		tcp flags & (syn | rst) == syn tcp option maxseg size set rt mtu
+	}
+}"
+
+$NFT -o -c -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/single_anon_set b/tests/shell/testcases/optimizations/single_anon_set
new file mode 100755
index 0000000..7275e36
--- /dev/null
+++ b/tests/shell/testcases/optimizations/single_anon_set
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+# Input file contains rules with anon sets that contain
+# one element, plus extra rule with two elements (that should be
+# left alone).
+
+# Dump file has the simplified rules where anon sets have been
+# replaced by equality tests where possible.
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile".input
diff --git a/tests/shell/testcases/optimizations/skip_merge b/tests/shell/testcases/optimizations/skip_merge
new file mode 100755
index 0000000..8af976c
--- /dev/null
+++ b/tests/shell/testcases/optimizations/skip_merge
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table inet filter {
+    set udp_accepted {
+        type inet_service;
+        elements = {
+            isakmp, ipsec-nat-t
+        }
+    }
+
+    set tcp_accepted {
+        type inet_service;
+        elements = {
+            http, https
+        }
+    }
+
+    chain udp_input {
+        udp dport 1-128 accept
+        udp dport @udp_accepted accept
+        udp dport domain accept
+    }
+
+    chain tcp_input {
+        tcp dport 1-128 accept
+        tcp dport 8888-9999 accept
+        tcp dport @tcp_accepted accept
+        tcp dport 1024-65535 accept
+    }
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/skip_non_eq b/tests/shell/testcases/optimizations/skip_non_eq
new file mode 100755
index 0000000..431ed0a
--- /dev/null
+++ b/tests/shell/testcases/optimizations/skip_non_eq
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table inet x {
+	chain y {
+		iifname "eth0" oifname != "eth0" counter packets 0 bytes 0 accept
+		iifname "eth0" oifname "eth0" counter packets 0 bytes 0 accept
+	}
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/skip_unsupported b/tests/shell/testcases/optimizations/skip_unsupported
new file mode 100755
index 0000000..6baa828
--- /dev/null
+++ b/tests/shell/testcases/optimizations/skip_unsupported
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table inet x {
+	set GEOIP_CC_wan-lan_120 {
+		type ipv4_addr
+		flags interval
+		elements = { 1.32.128.0/18, 1.32.200.0-1.32.204.128,
+			     1.32.207.0/24, 1.32.216.118-1.32.216.255,
+			     1.32.219.0-1.32.222.255, 1.32.226.0/23,
+			     1.32.231.0/24, 1.32.233.0/24,
+			     1.32.238.0/23, 1.32.240.0/24,
+			     223.223.220.0/22, 223.255.254.0/24 }
+	}
+
+	chain y {
+		ip saddr 1.2.3.4 tcp dport 80 meta mark set 10 accept
+		ip saddr 1.2.3.4 tcp dport 81 meta mark set 11 accept
+		ip saddr 1.2.3.5 tcp dport 81 accept comment \"test\"
+		ip saddr 1.2.3.5 tcp dport 82 accept
+	}
+}"
+
+$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/variables b/tests/shell/testcases/optimizations/variables
new file mode 100755
index 0000000..fa98606
--- /dev/null
+++ b/tests/shell/testcases/optimizations/variables
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+RULESET="define addrv4_vpnnet = 10.1.0.0/16
+
+table ip nat {
+    chain postrouting {
+        type nat hook postrouting priority 0; policy accept;
+
+        ip saddr \$addrv4_vpnnet counter masquerade fully-random comment \"masquerade ipv4\"
+    }
+}"
+
+$NFT -c -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optionals/comments_0 b/tests/shell/testcases/optionals/comments_0
new file mode 100755
index 0000000..ab85936
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_0
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# comments are shown
+
+$NFT add table test
+$NFT add chain test test
+$NFT add rule test test tcp dport 22 counter accept comment test_comment
+$NFT -a list table test | grep 'accept comment \"test_comment\"' >/dev/null
diff --git a/tests/shell/testcases/optionals/comments_chain_0 b/tests/shell/testcases/optionals/comments_chain_0
new file mode 100755
index 0000000..fba961c
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_chain_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+EXPECTED='table ip test_table {
+	chain test_chain {
+		comment "test"
+	}
+}
+'
+
+set -e
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/optionals/comments_handles_0 b/tests/shell/testcases/optionals/comments_handles_0
new file mode 100755
index 0000000..a01df1d
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_handles_0
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# handles and comments mix well
+
+$NFT add table test
+$NFT add chain test test
+$NFT add rule test test tcp dport 22 counter accept comment test_comment
+set -e
+$NFT -a list table test | grep 'accept comment \"test_comment\" # handle '[[:digit:]]$ >/dev/null
+$NFT list table test | grep 'accept comment \"test_comment\"' | grep -v '# handle '[[:digit:]]$ >/dev/null
diff --git a/tests/shell/testcases/optionals/comments_objects_0 b/tests/shell/testcases/optionals/comments_objects_0
new file mode 100755
index 0000000..7437c77
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_objects_0
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+EXPECTED='table ip filter {
+	quota q {
+		over 1200 bytes
+		comment "test1"
+	}
+
+	counter c {
+		packets 0 bytes 0
+		comment "test2"
+	}
+
+	ct helper h {
+		type "sip" protocol tcp
+		l3proto ip
+		comment "test3"
+	}
+
+	ct expectation e {
+		protocol tcp
+		dport 666
+		timeout 100ms
+		size 96
+		l3proto ip
+		comment "test4"
+	}
+
+	limit l {
+		rate 400/hour
+		comment "test5"
+	}
+
+	synproxy s {
+		mss 1460
+		wscale 2
+		comment "test6"
+	}
+}
+'
+
+set -e
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/optionals/comments_objects_dup_0 b/tests/shell/testcases/optionals/comments_objects_dup_0
new file mode 100755
index 0000000..79d975a
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_objects_dup_0
@@ -0,0 +1,97 @@
+#!/bin/bash
+
+EXPECTED='table ip filter {
+	quota q {
+		over 1200 bytes
+		comment "test1"
+		comment "test1"
+	}
+}
+'
+
+$NFT -f - <<< "$EXPECTED"
+if [ $? -eq 0 ]
+then
+	exit 1
+fi
+
+EXPECTED='table ip filter {
+	counter c {
+		packets 0 bytes 0
+		comment "test2"
+		comment "test2"
+	}
+}
+'
+
+$NFT -f - <<< "$EXPECTED"
+if [ $? -eq 0 ]
+then
+	exit 1
+fi
+
+EXPECTED='table ip filter {
+	ct helper h {
+		type "sip" protocol tcp
+		l3proto ip
+		comment "test3"
+		comment "test3"
+	}
+}
+'
+
+$NFT -f - <<< "$EXPECTED"
+if [ $? -eq 0 ]
+then
+	exit 1
+fi
+
+EXPECTED='table ip filter {
+	ct expectation e {
+		protocol tcp
+		dport 666
+		timeout 100ms
+		size 96
+		l3proto ip
+		comment "test4"
+		comment "test4"
+	}
+}
+'
+
+$NFT -f - <<< "$EXPECTED"
+if [ $? -eq 0 ]
+then
+	exit 1
+fi
+
+EXPECTED='table ip filter {
+	limit l {
+		rate 400/hour
+		comment "test5"
+		comment "test5"
+	}
+}
+'
+
+$NFT -f - <<< "$EXPECTED"
+if [ $? -eq 0 ]
+then
+	exit 1
+fi
+
+EXPECTED='table ip filter {
+	synproxy s {
+		mss 1460
+		wscale 2
+		comment "test6"
+		comment "test6"
+	}
+}
+'
+
+$NFT -f - <<< "$EXPECTED"
+if [ $? -eq 0 ]
+then
+	exit 1
+fi
diff --git a/tests/shell/testcases/optionals/comments_table_0 b/tests/shell/testcases/optionals/comments_table_0
new file mode 100755
index 0000000..a0dfd74
--- /dev/null
+++ b/tests/shell/testcases/optionals/comments_table_0
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# comments are shown
+
+$NFT add table test { comment \"test_comment\"\; }
diff --git a/tests/shell/testcases/optionals/delete_object_handles_0 b/tests/shell/testcases/optionals/delete_object_handles_0
new file mode 100755
index 0000000..9b65e67
--- /dev/null
+++ b/tests/shell/testcases/optionals/delete_object_handles_0
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -e
+$NFT add table test-ip
+$NFT add counter test-ip https-traffic
+$NFT add quota test-ip https-quota 25 mbytes
+$NFT add map test-ip ports { type inet_service : quota \; }
+$NFT add table ip6 test-ip6
+$NFT add quota ip6 test-ip6 http-quota over 25 mbytes
+$NFT add counter ip6 test-ip6 http-traffic
+$NFT add quota ip6 test-ip6 ssh-quota 10 mbytes
+
+counter_handle=$($NFT -a list ruleset | awk '/https-traffic/{print $NF}')
+quota_handle=$($NFT -a list ruleset | awk '/ssh-quota/{print $NF}')
+$NFT delete counter test-ip handle $counter_handle
+$NFT delete quota ip6 test-ip6 handle $quota_handle
+
+EXPECTED="table ip test-ip {
+	quota https-quota {
+		25 mbytes
+	}
+
+	map ports {
+		type inet_service : quota
+	}
+}
+table ip6 test-ip6 {
+	quota http-quota {
+		over 25 mbytes
+	}
+
+	counter http-traffic {
+		packets 0 bytes 0
+	}
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/optionals/dumps/comments_0.nft b/tests/shell/testcases/optionals/dumps/comments_0.nft
new file mode 100644
index 0000000..f47e0d5
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_0.nft
@@ -0,0 +1,5 @@
+table ip test {
+	chain test {
+		tcp dport 22 counter packets 0 bytes 0 accept comment "test_comment"
+	}
+}
diff --git a/tests/shell/testcases/optionals/dumps/comments_chain_0.nft b/tests/shell/testcases/optionals/dumps/comments_chain_0.nft
new file mode 100644
index 0000000..be3d8f3
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_chain_0.nft
@@ -0,0 +1,5 @@
+table ip test_table {
+	chain test_chain {
+		comment "test"
+	}
+}
diff --git a/tests/shell/testcases/optionals/dumps/comments_handles_0.nft b/tests/shell/testcases/optionals/dumps/comments_handles_0.nft
new file mode 100644
index 0000000..f47e0d5
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_handles_0.nft
@@ -0,0 +1,5 @@
+table ip test {
+	chain test {
+		tcp dport 22 counter packets 0 bytes 0 accept comment "test_comment"
+	}
+}
diff --git a/tests/shell/testcases/optionals/dumps/comments_objects_0.nft b/tests/shell/testcases/optionals/dumps/comments_objects_0.nft
new file mode 100644
index 0000000..b760ced
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_objects_0.nft
@@ -0,0 +1,37 @@
+table ip filter {
+	quota q {
+		comment "test1"
+		over 1200 bytes
+	}
+
+	counter c {
+		comment "test2"
+		packets 0 bytes 0
+	}
+
+	ct helper h {
+		comment "test3"
+		type "sip" protocol tcp
+		l3proto ip
+	}
+
+	ct expectation e {
+		comment "test4"
+		protocol tcp
+		dport 666
+		timeout 100ms
+		size 96
+		l3proto ip
+	}
+
+	limit l {
+		comment "test5"
+		rate 400/hour
+	}
+
+	synproxy s {
+		comment "test6"
+		mss 1460
+		wscale 2
+	}
+}
diff --git a/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.nft b/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_objects_dup_0.nft
diff --git a/tests/shell/testcases/optionals/dumps/comments_table_0.nft b/tests/shell/testcases/optionals/dumps/comments_table_0.nft
new file mode 100644
index 0000000..32ae3c2
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/comments_table_0.nft
@@ -0,0 +1,3 @@
+table ip test {
+	comment "test_comment"
+}
diff --git a/tests/shell/testcases/optionals/dumps/delete_object_handles_0.nft b/tests/shell/testcases/optionals/dumps/delete_object_handles_0.nft
new file mode 100644
index 0000000..aac03cc
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/delete_object_handles_0.nft
@@ -0,0 +1,18 @@
+table ip test-ip {
+	quota https-quota {
+		25 mbytes
+	}
+
+	map ports {
+		type inet_service : quota
+	}
+}
+table ip6 test-ip6 {
+	quota http-quota {
+		over 25 mbytes
+	}
+
+	counter http-traffic {
+		packets 0 bytes 0
+	}
+}
diff --git a/tests/shell/testcases/optionals/dumps/handles_0.nft b/tests/shell/testcases/optionals/dumps/handles_0.nft
new file mode 100644
index 0000000..085c6cf
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/handles_0.nft
@@ -0,0 +1,5 @@
+table ip test {
+	chain test {
+		tcp dport 22 counter packets 0 bytes 0 accept
+	}
+}
diff --git a/tests/shell/testcases/optionals/dumps/handles_1.nft b/tests/shell/testcases/optionals/dumps/handles_1.nft
new file mode 100644
index 0000000..085c6cf
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/handles_1.nft
@@ -0,0 +1,5 @@
+table ip test {
+	chain test {
+		tcp dport 22 counter packets 0 bytes 0 accept
+	}
+}
diff --git a/tests/shell/testcases/optionals/dumps/log_prefix_0.nft b/tests/shell/testcases/optionals/dumps/log_prefix_0.nft
new file mode 100644
index 0000000..8c11d69
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/log_prefix_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+	chain y {
+		ct state invalid log prefix "invalid state match, logging:"
+	}
+}
diff --git a/tests/shell/testcases/optionals/dumps/update_object_handles_0.nft b/tests/shell/testcases/optionals/dumps/update_object_handles_0.nft
new file mode 100644
index 0000000..f391b63
--- /dev/null
+++ b/tests/shell/testcases/optionals/dumps/update_object_handles_0.nft
@@ -0,0 +1,9 @@
+table ip test-ip {
+	counter traffic-counter {
+		packets 0 bytes 0
+	}
+
+	quota traffic-quota {
+		50 mbytes
+	}
+}
diff --git a/tests/shell/testcases/optionals/handles_0 b/tests/shell/testcases/optionals/handles_0
new file mode 100755
index 0000000..80f3c5b
--- /dev/null
+++ b/tests/shell/testcases/optionals/handles_0
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# handles are shown last
+
+$NFT add table test
+$NFT add chain test test
+$NFT add rule test test tcp dport 22 counter accept
+$NFT -a list table test | grep 'accept # handle '[[:digit:]]$ >/dev/null
diff --git a/tests/shell/testcases/optionals/handles_1 b/tests/shell/testcases/optionals/handles_1
new file mode 100755
index 0000000..c00abfe
--- /dev/null
+++ b/tests/shell/testcases/optionals/handles_1
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# handles are not shown if not asked for them
+
+$NFT add table test
+$NFT add chain test test
+$NFT add rule test test tcp dport 22 counter accept
+( $NFT list table test | grep 'accept # handle '[[:digit:]]$ >/dev/null ) && exit 1
+
+exit 0
diff --git a/tests/shell/testcases/optionals/log_prefix_0 b/tests/shell/testcases/optionals/log_prefix_0
new file mode 100755
index 0000000..513a9e7
--- /dev/null
+++ b/tests/shell/testcases/optionals/log_prefix_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+TMP=$(mktemp)
+
+RULESET='define test = "state"
+define foo = "match, logging"
+
+table x {
+        chain y {
+                ct state invalid log prefix "invalid $test $foo:"
+        }
+}'
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/optionals/update_object_handles_0 b/tests/shell/testcases/optionals/update_object_handles_0
new file mode 100755
index 0000000..8b12b8c
--- /dev/null
+++ b/tests/shell/testcases/optionals/update_object_handles_0
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+$NFT add table test-ip
+$NFT add counter test-ip traffic-counter
+$NFT add counter test-ip traffic-counter
+$NFT add quota test-ip traffic-quota 25 mbytes
+$NFT add quota test-ip traffic-quota 50 mbytes
+
+EXPECTED="table ip test-ip {
+	counter traffic-counter {
+		packets 0 bytes 0
+	}
+
+	quota traffic-quota {
+		50 mbytes
+	}
+}"
+
+GET="$($NFT list ruleset)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/owner/0001-flowtable-uaf b/tests/shell/testcases/owner/0001-flowtable-uaf
new file mode 100755
index 0000000..c07e8d6
--- /dev/null
+++ b/tests/shell/testcases/owner/0001-flowtable-uaf
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_owner)
+
+set -e
+
+$NFT -f - <<EOF
+table t {
+ flags owner
+ flowtable f {
+  hook ingress priority 0
+  devices = { lo }
+ }
+}
+EOF
+
+# trigger uaf.
+$NFT -f - <<EOF
+table t {
+ flags owner
+ flowtable f {
+  hook ingress priority 0
+  devices = { lo }
+ }
+}
+EOF
diff --git a/tests/shell/testcases/owner/dumps/0001-flowtable-uaf.nft b/tests/shell/testcases/owner/dumps/0001-flowtable-uaf.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/owner/dumps/0001-flowtable-uaf.nft
diff --git a/tests/shell/testcases/packetpath/dumps/vlan_8021ad_tag.nodump b/tests/shell/testcases/packetpath/dumps/vlan_8021ad_tag.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/packetpath/dumps/vlan_8021ad_tag.nodump
diff --git a/tests/shell/testcases/packetpath/vlan_8021ad_tag b/tests/shell/testcases/packetpath/vlan_8021ad_tag
new file mode 100755
index 0000000..379a571
--- /dev/null
+++ b/tests/shell/testcases/packetpath/vlan_8021ad_tag
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+rnd=$(mktemp -u XXXXXXXX)
+ns1="nft1ifname-$rnd"
+ns2="nft2ifname-$rnd"
+
+cleanup()
+{
+	ip netns del "$ns1"
+	ip netns del "$ns2"
+}
+
+trap cleanup EXIT
+
+set -e
+
+ip netns add "$ns1"
+ip netns add "$ns2"
+ip -net "$ns1" link set lo up
+ip -net "$ns2" link set lo up
+
+ip link add veth0 netns $ns1 type veth peer name veth0 netns $ns2
+
+ip -net "$ns1" link set veth0 addr da:d3:00:01:02:03
+
+ip -net "$ns1" link add vlan123 link veth0 type vlan id 123 proto 802.1ad
+ip -net "$ns2" link add vlan123 link veth0 type vlan id 123 proto 802.1ad
+
+
+for dev in veth0 vlan123; do
+	ip -net "$ns1" link set $dev up
+	ip -net "$ns2" link set $dev up
+done
+
+ip -net "$ns1" addr add 10.1.1.1/24 dev vlan123
+ip -net "$ns2" addr add 10.1.1.2/24 dev vlan123
+
+ip netns exec "$ns2" $NFT -f /dev/stdin <<"EOF"
+table netdev t {
+	chain c {
+		type filter hook ingress device veth0 priority filter;
+		ether saddr da:d3:00:01:02:03 ether type 8021ad vlan id 123 ip daddr 10.1.1.2 icmp type echo-request counter
+	}
+}
+EOF
+
+ip netns exec "$ns1" ping -c 1 10.1.1.2
+
+ip netns exec "$ns2" $NFT list ruleset
+ip netns exec "$ns2" $NFT list chain netdev t c | grep 'counter packets 1 bytes 84'
diff --git a/tests/shell/testcases/parsing/describe b/tests/shell/testcases/parsing/describe
new file mode 100755
index 0000000..2ee072e
--- /dev/null
+++ b/tests/shell/testcases/parsing/describe
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+errmsg='Error: unknown ip option type/field'
+
+str=$($NFT describe ip option rr value 2>&1 | head -n 1)
+
+[ "$str" = "$errmsg" ] && exit 0
diff --git a/tests/shell/testcases/parsing/dumps/describe.nft b/tests/shell/testcases/parsing/dumps/describe.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/parsing/dumps/describe.nft
diff --git a/tests/shell/testcases/parsing/dumps/large_rule_pipe.nft b/tests/shell/testcases/parsing/dumps/large_rule_pipe.nft
new file mode 100644
index 0000000..1583275
--- /dev/null
+++ b/tests/shell/testcases/parsing/dumps/large_rule_pipe.nft
@@ -0,0 +1,561 @@
+table ip firewalld {
+	chain nat_PREROUTING {
+		type nat hook prerouting priority dstnat + 10; policy accept;
+		jump nat_PREROUTING_ZONES_SOURCE
+		jump nat_PREROUTING_ZONES
+	}
+
+	chain nat_PREROUTING_ZONES_SOURCE {
+	}
+
+	chain nat_PREROUTING_ZONES {
+		iifname "enp0s25" goto nat_PRE_home
+		goto nat_PRE_public
+	}
+
+	chain nat_POSTROUTING {
+		type nat hook postrouting priority srcnat + 10; policy accept;
+		jump nat_POSTROUTING_ZONES_SOURCE
+		jump nat_POSTROUTING_ZONES
+	}
+
+	chain nat_POSTROUTING_ZONES_SOURCE {
+	}
+
+	chain nat_POSTROUTING_ZONES {
+		oifname "enp0s25" goto nat_POST_home
+		goto nat_POST_public
+	}
+
+	chain nat_PRE_public {
+		jump nat_PRE_public_log
+		jump nat_PRE_public_deny
+		jump nat_PRE_public_allow
+	}
+
+	chain nat_PRE_public_log {
+	}
+
+	chain nat_PRE_public_deny {
+	}
+
+	chain nat_PRE_public_allow {
+	}
+
+	chain nat_POST_public {
+		jump nat_POST_public_log
+		jump nat_POST_public_deny
+		jump nat_POST_public_allow
+	}
+
+	chain nat_POST_public_log {
+	}
+
+	chain nat_POST_public_deny {
+	}
+
+	chain nat_POST_public_allow {
+	}
+
+	chain nat_PRE_home {
+		jump nat_PRE_home_log
+		jump nat_PRE_home_deny
+		jump nat_PRE_home_allow
+	}
+
+	chain nat_PRE_home_log {
+	}
+
+	chain nat_PRE_home_deny {
+	}
+
+	chain nat_PRE_home_allow {
+	}
+
+	chain nat_POST_home {
+		jump nat_POST_home_log
+		jump nat_POST_home_deny
+		jump nat_POST_home_allow
+	}
+
+	chain nat_POST_home_log {
+	}
+
+	chain nat_POST_home_deny {
+	}
+
+	chain nat_POST_home_allow {
+	}
+
+	chain nat_PRE_work {
+		jump nat_PRE_work_log
+		jump nat_PRE_work_deny
+		jump nat_PRE_work_allow
+	}
+
+	chain nat_PRE_work_log {
+	}
+
+	chain nat_PRE_work_deny {
+	}
+
+	chain nat_PRE_work_allow {
+	}
+
+	chain nat_POST_work {
+		jump nat_POST_work_log
+		jump nat_POST_work_deny
+		jump nat_POST_work_allow
+	}
+
+	chain nat_POST_work_log {
+	}
+
+	chain nat_POST_work_deny {
+	}
+
+	chain nat_POST_work_allow {
+	}
+}
+table ip6 firewalld {
+	chain nat_PREROUTING {
+		type nat hook prerouting priority dstnat + 10; policy accept;
+		jump nat_PREROUTING_ZONES_SOURCE
+		jump nat_PREROUTING_ZONES
+	}
+
+	chain nat_PREROUTING_ZONES_SOURCE {
+	}
+
+	chain nat_PREROUTING_ZONES {
+		iifname "enp0s25" goto nat_PRE_home
+		goto nat_PRE_public
+	}
+
+	chain nat_POSTROUTING {
+		type nat hook postrouting priority srcnat + 10; policy accept;
+		jump nat_POSTROUTING_ZONES_SOURCE
+		jump nat_POSTROUTING_ZONES
+	}
+
+	chain nat_POSTROUTING_ZONES_SOURCE {
+	}
+
+	chain nat_POSTROUTING_ZONES {
+		oifname "enp0s25" goto nat_POST_home
+		goto nat_POST_public
+	}
+
+	chain nat_PRE_public {
+		jump nat_PRE_public_log
+		jump nat_PRE_public_deny
+		jump nat_PRE_public_allow
+	}
+
+	chain nat_PRE_public_log {
+	}
+
+	chain nat_PRE_public_deny {
+	}
+
+	chain nat_PRE_public_allow {
+	}
+
+	chain nat_POST_public {
+		jump nat_POST_public_log
+		jump nat_POST_public_deny
+		jump nat_POST_public_allow
+	}
+
+	chain nat_POST_public_log {
+	}
+
+	chain nat_POST_public_deny {
+	}
+
+	chain nat_POST_public_allow {
+	}
+
+	chain nat_PRE_home {
+		jump nat_PRE_home_log
+		jump nat_PRE_home_deny
+		jump nat_PRE_home_allow
+	}
+
+	chain nat_PRE_home_log {
+	}
+
+	chain nat_PRE_home_deny {
+	}
+
+	chain nat_PRE_home_allow {
+	}
+
+	chain nat_POST_home {
+		jump nat_POST_home_log
+		jump nat_POST_home_deny
+		jump nat_POST_home_allow
+	}
+
+	chain nat_POST_home_log {
+	}
+
+	chain nat_POST_home_deny {
+	}
+
+	chain nat_POST_home_allow {
+	}
+
+	chain nat_PRE_work {
+		jump nat_PRE_work_log
+		jump nat_PRE_work_deny
+		jump nat_PRE_work_allow
+	}
+
+	chain nat_PRE_work_log {
+	}
+
+	chain nat_PRE_work_deny {
+	}
+
+	chain nat_PRE_work_allow {
+	}
+
+	chain nat_POST_work {
+		jump nat_POST_work_log
+		jump nat_POST_work_deny
+		jump nat_POST_work_allow
+	}
+
+	chain nat_POST_work_log {
+	}
+
+	chain nat_POST_work_deny {
+	}
+
+	chain nat_POST_work_allow {
+	}
+}
+table inet firewalld {
+	chain raw_PREROUTING {
+		type filter hook prerouting priority raw + 10; policy accept;
+		icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+		meta nfproto ipv6 fib saddr . iif oif missing drop
+		jump raw_PREROUTING_ZONES_SOURCE
+		jump raw_PREROUTING_ZONES
+	}
+
+	chain raw_PREROUTING_ZONES_SOURCE {
+	}
+
+	chain raw_PREROUTING_ZONES {
+		iifname "enp0s25" goto raw_PRE_home
+		goto raw_PRE_public
+	}
+
+	chain mangle_PREROUTING {
+		type filter hook prerouting priority mangle + 10; policy accept;
+		jump mangle_PREROUTING_ZONES_SOURCE
+		jump mangle_PREROUTING_ZONES
+	}
+
+	chain mangle_PREROUTING_ZONES_SOURCE {
+	}
+
+	chain mangle_PREROUTING_ZONES {
+		iifname "enp0s25" goto mangle_PRE_home
+		goto mangle_PRE_public
+	}
+
+	chain filter_INPUT {
+		type filter hook input priority filter + 10; policy accept;
+		ct state established,related accept
+		iifname "lo" accept
+		jump filter_INPUT_ZONES_SOURCE
+		jump filter_INPUT_ZONES
+		ct state invalid drop
+		reject with icmpx admin-prohibited
+	}
+
+	chain filter_FORWARD {
+		type filter hook forward priority filter + 10; policy accept;
+		ct state established,related accept
+		iifname "lo" accept
+		jump filter_FORWARD_IN_ZONES_SOURCE
+		jump filter_FORWARD_IN_ZONES
+		jump filter_FORWARD_OUT_ZONES_SOURCE
+		jump filter_FORWARD_OUT_ZONES
+		ct state invalid drop
+		reject with icmpx admin-prohibited
+	}
+
+	chain filter_INPUT_ZONES_SOURCE {
+	}
+
+	chain filter_INPUT_ZONES {
+		iifname "enp0s25" goto filter_IN_home
+		goto filter_IN_public
+	}
+
+	chain filter_FORWARD_IN_ZONES_SOURCE {
+	}
+
+	chain filter_FORWARD_IN_ZONES {
+		iifname "enp0s25" goto filter_FWDI_home
+		goto filter_FWDI_public
+	}
+
+	chain filter_FORWARD_OUT_ZONES_SOURCE {
+	}
+
+	chain filter_FORWARD_OUT_ZONES {
+		oifname "enp0s25" goto filter_FWDO_home
+		goto filter_FWDO_public
+	}
+
+	chain raw_PRE_public {
+		jump raw_PRE_public_log
+		jump raw_PRE_public_deny
+		jump raw_PRE_public_allow
+	}
+
+	chain raw_PRE_public_log {
+	}
+
+	chain raw_PRE_public_deny {
+	}
+
+	chain raw_PRE_public_allow {
+	}
+
+	chain filter_IN_public {
+		jump filter_IN_public_log
+		jump filter_IN_public_deny
+		jump filter_IN_public_allow
+		meta l4proto { icmp, ipv6-icmp } accept
+	}
+
+	chain filter_IN_public_log {
+	}
+
+	chain filter_IN_public_deny {
+	}
+
+	chain filter_IN_public_allow {
+		tcp dport 22 ct state new,untracked accept
+		ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+	}
+
+	chain filter_FWDI_public {
+		jump filter_FWDI_public_log
+		jump filter_FWDI_public_deny
+		jump filter_FWDI_public_allow
+		meta l4proto { icmp, ipv6-icmp } accept
+	}
+
+	chain filter_FWDI_public_log {
+	}
+
+	chain filter_FWDI_public_deny {
+	}
+
+	chain filter_FWDI_public_allow {
+	}
+
+	chain mangle_PRE_public {
+		jump mangle_PRE_public_log
+		jump mangle_PRE_public_deny
+		jump mangle_PRE_public_allow
+	}
+
+	chain mangle_PRE_public_log {
+	}
+
+	chain mangle_PRE_public_deny {
+	}
+
+	chain mangle_PRE_public_allow {
+	}
+
+	chain filter_FWDO_public {
+		jump filter_FWDO_public_log
+		jump filter_FWDO_public_deny
+		jump filter_FWDO_public_allow
+	}
+
+	chain filter_FWDO_public_log {
+	}
+
+	chain filter_FWDO_public_deny {
+	}
+
+	chain filter_FWDO_public_allow {
+	}
+
+	chain raw_PRE_home {
+		jump raw_PRE_home_log
+		jump raw_PRE_home_deny
+		jump raw_PRE_home_allow
+	}
+
+	chain raw_PRE_home_log {
+	}
+
+	chain raw_PRE_home_deny {
+	}
+
+	chain raw_PRE_home_allow {
+		udp dport 137 ct helper "netbios-ns"
+	}
+
+	chain filter_IN_home {
+		jump filter_IN_home_log
+		jump filter_IN_home_deny
+		jump filter_IN_home_allow
+		meta l4proto { icmp, ipv6-icmp } accept
+	}
+
+	chain filter_IN_home_log {
+	}
+
+	chain filter_IN_home_deny {
+	}
+
+	chain filter_IN_home_allow {
+		tcp dport 22 ct state new,untracked accept
+		ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
+		ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
+		udp dport 1714-1764 ct state new,untracked accept
+		tcp dport 1714-1764 ct state new,untracked accept
+		ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+		udp dport 137 ct state new,untracked accept
+		udp dport 138 ct state new,untracked accept
+		tcp dport 139 ct state new,untracked accept
+		tcp dport 445 ct state new,untracked accept
+	}
+
+	chain filter_FWDI_home {
+		jump filter_FWDI_home_log
+		jump filter_FWDI_home_deny
+		jump filter_FWDI_home_allow
+		meta l4proto { icmp, ipv6-icmp } accept
+	}
+
+	chain filter_FWDI_home_log {
+	}
+
+	chain filter_FWDI_home_deny {
+	}
+
+	chain filter_FWDI_home_allow {
+	}
+
+	chain mangle_PRE_home {
+		jump mangle_PRE_home_log
+		jump mangle_PRE_home_deny
+		jump mangle_PRE_home_allow
+	}
+
+	chain mangle_PRE_home_log {
+	}
+
+	chain mangle_PRE_home_deny {
+	}
+
+	chain mangle_PRE_home_allow {
+	}
+
+	chain filter_FWDO_home {
+		jump filter_FWDO_home_log
+		jump filter_FWDO_home_deny
+		jump filter_FWDO_home_allow
+	}
+
+	chain filter_FWDO_home_log {
+	}
+
+	chain filter_FWDO_home_deny {
+	}
+
+	chain filter_FWDO_home_allow {
+	}
+
+	chain raw_PRE_work {
+		jump raw_PRE_work_log
+		jump raw_PRE_work_deny
+		jump raw_PRE_work_allow
+	}
+
+	chain raw_PRE_work_log {
+	}
+
+	chain raw_PRE_work_deny {
+	}
+
+	chain raw_PRE_work_allow {
+	}
+
+	chain filter_IN_work {
+		jump filter_IN_work_log
+		jump filter_IN_work_deny
+		jump filter_IN_work_allow
+		meta l4proto { icmp, ipv6-icmp } accept
+	}
+
+	chain filter_IN_work_log {
+	}
+
+	chain filter_IN_work_deny {
+	}
+
+	chain filter_IN_work_allow {
+		tcp dport 22 ct state new,untracked accept
+		ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+	}
+
+	chain filter_FWDI_work {
+		jump filter_FWDI_work_log
+		jump filter_FWDI_work_deny
+		jump filter_FWDI_work_allow
+		meta l4proto { icmp, ipv6-icmp } accept
+	}
+
+	chain filter_FWDI_work_log {
+	}
+
+	chain filter_FWDI_work_deny {
+	}
+
+	chain filter_FWDI_work_allow {
+	}
+
+	chain mangle_PRE_work {
+		jump mangle_PRE_work_log
+		jump mangle_PRE_work_deny
+		jump mangle_PRE_work_allow
+	}
+
+	chain mangle_PRE_work_log {
+	}
+
+	chain mangle_PRE_work_deny {
+	}
+
+	chain mangle_PRE_work_allow {
+	}
+
+	chain filter_FWDO_work {
+		jump filter_FWDO_work_log
+		jump filter_FWDO_work_deny
+		jump filter_FWDO_work_allow
+	}
+
+	chain filter_FWDO_work_log {
+	}
+
+	chain filter_FWDO_work_deny {
+	}
+
+	chain filter_FWDO_work_allow {
+	}
+}
diff --git a/tests/shell/testcases/parsing/dumps/log.nft b/tests/shell/testcases/parsing/dumps/log.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/parsing/dumps/log.nft
diff --git a/tests/shell/testcases/parsing/dumps/octal.nft b/tests/shell/testcases/parsing/dumps/octal.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/parsing/dumps/octal.nft
diff --git a/tests/shell/testcases/parsing/large_rule_pipe b/tests/shell/testcases/parsing/large_rule_pipe
new file mode 100755
index 0000000..fac0afa
--- /dev/null
+++ b/tests/shell/testcases/parsing/large_rule_pipe
@@ -0,0 +1,571 @@
+#!/bin/bash
+
+set -e
+
+RULESET="#!/sbin/nft -f
+flush ruleset;
+table ip firewalld {
+	chain nat_PREROUTING {
+		type nat hook prerouting priority -90; policy accept;
+		jump nat_PREROUTING_ZONES_SOURCE
+		jump nat_PREROUTING_ZONES
+	}
+
+	chain nat_PREROUTING_ZONES_SOURCE {
+	}
+
+	chain nat_PREROUTING_ZONES {
+		iifname "enp0s25" goto nat_PRE_home
+		goto nat_PRE_public
+	}
+
+	chain nat_POSTROUTING {
+		type nat hook postrouting priority 110; policy accept;
+		jump nat_POSTROUTING_ZONES_SOURCE
+		jump nat_POSTROUTING_ZONES
+	}
+
+	chain nat_POSTROUTING_ZONES_SOURCE {
+	}
+
+	chain nat_POSTROUTING_ZONES {
+		oifname "enp0s25" goto nat_POST_home
+		goto nat_POST_public
+	}
+
+	chain nat_PRE_public {
+		jump nat_PRE_public_log
+		jump nat_PRE_public_deny
+		jump nat_PRE_public_allow
+	}
+
+	chain nat_PRE_public_log {
+	}
+
+	chain nat_PRE_public_deny {
+	}
+
+	chain nat_PRE_public_allow {
+	}
+
+	chain nat_POST_public {
+		jump nat_POST_public_log
+		jump nat_POST_public_deny
+		jump nat_POST_public_allow
+	}
+
+	chain nat_POST_public_log {
+	}
+
+	chain nat_POST_public_deny {
+	}
+
+	chain nat_POST_public_allow {
+	}
+
+	chain nat_PRE_home {
+		jump nat_PRE_home_log
+		jump nat_PRE_home_deny
+		jump nat_PRE_home_allow
+	}
+
+	chain nat_PRE_home_log {
+	}
+
+	chain nat_PRE_home_deny {
+	}
+
+	chain nat_PRE_home_allow {
+	}
+
+	chain nat_POST_home {
+		jump nat_POST_home_log
+		jump nat_POST_home_deny
+		jump nat_POST_home_allow
+	}
+
+	chain nat_POST_home_log {
+	}
+
+	chain nat_POST_home_deny {
+	}
+
+	chain nat_POST_home_allow {
+	}
+
+	chain nat_PRE_work {
+		jump nat_PRE_work_log
+		jump nat_PRE_work_deny
+		jump nat_PRE_work_allow
+	}
+
+	chain nat_PRE_work_log {
+	}
+
+	chain nat_PRE_work_deny {
+	}
+
+	chain nat_PRE_work_allow {
+	}
+
+	chain nat_POST_work {
+		jump nat_POST_work_log
+		jump nat_POST_work_deny
+		jump nat_POST_work_allow
+	}
+
+	chain nat_POST_work_log {
+	}
+
+	chain nat_POST_work_deny {
+	}
+
+	chain nat_POST_work_allow {
+	}
+}
+table ip6 firewalld {
+	chain nat_PREROUTING {
+		type nat hook prerouting priority -90; policy accept;
+		jump nat_PREROUTING_ZONES_SOURCE
+		jump nat_PREROUTING_ZONES
+	}
+
+	chain nat_PREROUTING_ZONES_SOURCE {
+	}
+
+	chain nat_PREROUTING_ZONES {
+		iifname "enp0s25" goto nat_PRE_home
+		goto nat_PRE_public
+	}
+
+	chain nat_POSTROUTING {
+		type nat hook postrouting priority 110; policy accept;
+		jump nat_POSTROUTING_ZONES_SOURCE
+		jump nat_POSTROUTING_ZONES
+	}
+
+	chain nat_POSTROUTING_ZONES_SOURCE {
+	}
+
+	chain nat_POSTROUTING_ZONES {
+		oifname "enp0s25" goto nat_POST_home
+		goto nat_POST_public
+	}
+
+	chain nat_PRE_public {
+		jump nat_PRE_public_log
+		jump nat_PRE_public_deny
+		jump nat_PRE_public_allow
+	}
+
+	chain nat_PRE_public_log {
+	}
+
+	chain nat_PRE_public_deny {
+	}
+
+	chain nat_PRE_public_allow {
+	}
+
+	chain nat_POST_public {
+		jump nat_POST_public_log
+		jump nat_POST_public_deny
+		jump nat_POST_public_allow
+	}
+
+	chain nat_POST_public_log {
+	}
+
+	chain nat_POST_public_deny {
+	}
+
+	chain nat_POST_public_allow {
+	}
+
+	chain nat_PRE_home {
+		jump nat_PRE_home_log
+		jump nat_PRE_home_deny
+		jump nat_PRE_home_allow
+	}
+
+	chain nat_PRE_home_log {
+	}
+
+	chain nat_PRE_home_deny {
+	}
+
+	chain nat_PRE_home_allow {
+	}
+
+	chain nat_POST_home {
+		jump nat_POST_home_log
+		jump nat_POST_home_deny
+		jump nat_POST_home_allow
+	}
+
+	chain nat_POST_home_log {
+	}
+
+	chain nat_POST_home_deny {
+	}
+
+	chain nat_POST_home_allow {
+	}
+
+	chain nat_PRE_work {
+		jump nat_PRE_work_log
+		jump nat_PRE_work_deny
+		jump nat_PRE_work_allow
+	}
+
+	chain nat_PRE_work_log {
+	}
+
+	chain nat_PRE_work_deny {
+	}
+
+	chain nat_PRE_work_allow {
+	}
+
+	chain nat_POST_work {
+		jump nat_POST_work_log
+		jump nat_POST_work_deny
+		jump nat_POST_work_allow
+	}
+
+	chain nat_POST_work_log {
+	}
+
+	chain nat_POST_work_deny {
+	}
+
+	chain nat_POST_work_allow {
+	}
+}
+table inet firewalld {
+	chain raw_PREROUTING {
+		type filter hook prerouting priority -290; policy accept;
+		icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+		meta nfproto ipv6 fib saddr . iif oif missing drop
+		jump raw_PREROUTING_ZONES_SOURCE
+		jump raw_PREROUTING_ZONES
+	}
+
+	chain raw_PREROUTING_ZONES_SOURCE {
+	}
+
+	chain raw_PREROUTING_ZONES {
+		iifname "enp0s25" goto raw_PRE_home
+		goto raw_PRE_public
+	}
+
+	chain mangle_PREROUTING {
+		type filter hook prerouting priority -140; policy accept;
+		jump mangle_PREROUTING_ZONES_SOURCE
+		jump mangle_PREROUTING_ZONES
+	}
+
+	chain mangle_PREROUTING_ZONES_SOURCE {
+	}
+
+	chain mangle_PREROUTING_ZONES {
+		iifname "enp0s25" goto mangle_PRE_home
+		goto mangle_PRE_public
+	}
+
+	chain filter_INPUT {
+		type filter hook input priority 10; policy accept;
+		ct state established,related accept
+		iifname "lo" accept
+		jump filter_INPUT_ZONES_SOURCE
+		jump filter_INPUT_ZONES
+		ct state invalid drop
+		reject with icmpx type admin-prohibited
+	}
+
+	chain filter_FORWARD {
+		type filter hook forward priority 10; policy accept;
+		ct state established,related accept
+		iifname "lo" accept
+		jump filter_FORWARD_IN_ZONES_SOURCE
+		jump filter_FORWARD_IN_ZONES
+		jump filter_FORWARD_OUT_ZONES_SOURCE
+		jump filter_FORWARD_OUT_ZONES
+		ct state invalid drop
+		reject with icmpx type admin-prohibited
+	}
+
+	chain filter_INPUT_ZONES_SOURCE {
+	}
+
+	chain filter_INPUT_ZONES {
+		iifname "enp0s25" goto filter_IN_home
+		goto filter_IN_public
+	}
+
+	chain filter_FORWARD_IN_ZONES_SOURCE {
+	}
+
+	chain filter_FORWARD_IN_ZONES {
+		iifname "enp0s25" goto filter_FWDI_home
+		goto filter_FWDI_public
+	}
+
+	chain filter_FORWARD_OUT_ZONES_SOURCE {
+	}
+
+	chain filter_FORWARD_OUT_ZONES {
+		oifname "enp0s25" goto filter_FWDO_home
+		goto filter_FWDO_public
+	}
+
+	chain raw_PRE_public {
+		jump raw_PRE_public_log
+		jump raw_PRE_public_deny
+		jump raw_PRE_public_allow
+	}
+
+	chain raw_PRE_public_log {
+	}
+
+	chain raw_PRE_public_deny {
+	}
+
+	chain raw_PRE_public_allow {
+	}
+
+	chain filter_IN_public {
+		jump filter_IN_public_log
+		jump filter_IN_public_deny
+		jump filter_IN_public_allow
+		meta l4proto { icmp, ipv6-icmp } accept
+	}
+
+	chain filter_IN_public_log {
+	}
+
+	chain filter_IN_public_deny {
+	}
+
+	chain filter_IN_public_allow {
+		tcp dport ssh ct state new,untracked accept
+		ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
+	}
+
+	chain filter_FWDI_public {
+		jump filter_FWDI_public_log
+		jump filter_FWDI_public_deny
+		jump filter_FWDI_public_allow
+		meta l4proto { icmp, ipv6-icmp } accept
+	}
+
+	chain filter_FWDI_public_log {
+	}
+
+	chain filter_FWDI_public_deny {
+	}
+
+	chain filter_FWDI_public_allow {
+	}
+
+	chain mangle_PRE_public {
+		jump mangle_PRE_public_log
+		jump mangle_PRE_public_deny
+		jump mangle_PRE_public_allow
+	}
+
+	chain mangle_PRE_public_log {
+	}
+
+	chain mangle_PRE_public_deny {
+	}
+
+	chain mangle_PRE_public_allow {
+	}
+
+	chain filter_FWDO_public {
+		jump filter_FWDO_public_log
+		jump filter_FWDO_public_deny
+		jump filter_FWDO_public_allow
+	}
+
+	chain filter_FWDO_public_log {
+	}
+
+	chain filter_FWDO_public_deny {
+	}
+
+	chain filter_FWDO_public_allow {
+	}
+
+	chain raw_PRE_home {
+		jump raw_PRE_home_log
+		jump raw_PRE_home_deny
+		jump raw_PRE_home_allow
+	}
+
+	chain raw_PRE_home_log {
+	}
+
+	chain raw_PRE_home_deny {
+	}
+
+	chain raw_PRE_home_allow {
+		udp dport netbios-ns ct helper "netbios-ns"
+	}
+
+	chain filter_IN_home {
+		jump filter_IN_home_log
+		jump filter_IN_home_deny
+		jump filter_IN_home_allow
+		meta l4proto { icmp, ipv6-icmp } accept
+	}
+
+	chain filter_IN_home_log {
+	}
+
+	chain filter_IN_home_deny {
+	}
+
+	chain filter_IN_home_allow {
+		tcp dport ssh ct state new,untracked accept
+		ip daddr 224.0.0.251 udp dport mdns ct state new,untracked accept
+		ip6 daddr ff02::fb udp dport mdns ct state new,untracked accept
+		udp dport 1714-1764 ct state new,untracked accept
+		tcp dport 1714-1764 ct state new,untracked accept
+		ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
+		udp dport netbios-ns ct state new,untracked accept
+		udp dport netbios-dgm ct state new,untracked accept
+		tcp dport netbios-ssn ct state new,untracked accept
+		tcp dport microsoft-ds ct state new,untracked accept
+	}
+
+	chain filter_FWDI_home {
+		jump filter_FWDI_home_log
+		jump filter_FWDI_home_deny
+		jump filter_FWDI_home_allow
+		meta l4proto { icmp, ipv6-icmp } accept
+	}
+
+	chain filter_FWDI_home_log {
+	}
+
+	chain filter_FWDI_home_deny {
+	}
+
+	chain filter_FWDI_home_allow {
+	}
+
+	chain mangle_PRE_home {
+		jump mangle_PRE_home_log
+		jump mangle_PRE_home_deny
+		jump mangle_PRE_home_allow
+	}
+
+	chain mangle_PRE_home_log {
+	}
+
+	chain mangle_PRE_home_deny {
+	}
+
+	chain mangle_PRE_home_allow {
+	}
+
+	chain filter_FWDO_home {
+		jump filter_FWDO_home_log
+		jump filter_FWDO_home_deny
+		jump filter_FWDO_home_allow
+	}
+
+	chain filter_FWDO_home_log {
+	}
+
+	chain filter_FWDO_home_deny {
+	}
+
+	chain filter_FWDO_home_allow {
+	}
+
+	chain raw_PRE_work {
+		jump raw_PRE_work_log
+		jump raw_PRE_work_deny
+		jump raw_PRE_work_allow
+	}
+
+	chain raw_PRE_work_log {
+	}
+
+	chain raw_PRE_work_deny {
+	}
+
+	chain raw_PRE_work_allow {
+	}
+
+	chain filter_IN_work {
+		jump filter_IN_work_log
+		jump filter_IN_work_deny
+		jump filter_IN_work_allow
+		meta l4proto { icmp, ipv6-icmp } accept
+	}
+
+	chain filter_IN_work_log {
+	}
+
+	chain filter_IN_work_deny {
+	}
+
+	chain filter_IN_work_allow {
+		tcp dport ssh ct state new,untracked accept
+		ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
+	}
+
+	chain filter_FWDI_work {
+		jump filter_FWDI_work_log
+		jump filter_FWDI_work_deny
+		jump filter_FWDI_work_allow
+		meta l4proto { icmp, ipv6-icmp } accept
+	}
+
+	chain filter_FWDI_work_log {
+	}
+
+	chain filter_FWDI_work_deny {
+	}
+
+	chain filter_FWDI_work_allow {
+	}
+
+	chain mangle_PRE_work {
+		jump mangle_PRE_work_log
+		jump mangle_PRE_work_deny
+		jump mangle_PRE_work_allow
+	}
+
+	chain mangle_PRE_work_log {
+	}
+
+	chain mangle_PRE_work_deny {
+	}
+
+	chain mangle_PRE_work_allow {
+	}
+
+	chain filter_FWDO_work {
+		jump filter_FWDO_work_log
+		jump filter_FWDO_work_deny
+		jump filter_FWDO_work_allow
+	}
+
+	chain filter_FWDO_work_log {
+	}
+
+	chain filter_FWDO_work_deny {
+	}
+
+	chain filter_FWDO_work_allow {
+	}
+}"
+
+( echo "flush ruleset;"; echo "${RULESET}" ) | nft -f -
+
+exit 0
diff --git a/tests/shell/testcases/parsing/log b/tests/shell/testcases/parsing/log
new file mode 100755
index 0000000..0b89d58
--- /dev/null
+++ b/tests/shell/testcases/parsing/log
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+$NFT add table t || exit 1
+$NFT add chain t c || exit 1
+$NFT add rule t c 'iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all prefix "nft_lo4 " drop' || exit 1
+$NFT add rule t c 'iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all level debug drop' || exit 1
+$NFT delete table t || exit 1
+
+exit 0
+
diff --git a/tests/shell/testcases/parsing/octal b/tests/shell/testcases/parsing/octal
new file mode 100755
index 0000000..09ac26e
--- /dev/null
+++ b/tests/shell/testcases/parsing/octal
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+$NFT add table t || exit 1
+$NFT add chain t c || exit 1
+$NFT add rule t c 'ip saddr 01 continue comment "0.0.0.1"' || exit 1
+$NFT add rule t c 'ip saddr 08 continue comment "error"' && {
+  echo "'"ip saddr 08"'" not rejected 1>&2
+  exit 1
+}
+$NFT delete table t || exit 1
+
+exit 0
+
diff --git a/tests/shell/testcases/rule_management/0001addinsertposition_0 b/tests/shell/testcases/rule_management/0001addinsertposition_0
new file mode 100755
index 0000000..237e9e3
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0001addinsertposition_0
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+
+RULESET="flush ruleset
+table ip t {
+	chain c {
+		accept
+		accept
+	}
+}"
+
+EXPECTED="table ip t {
+	chain c {
+		accept
+		drop
+		accept
+	}
+}"
+
+for arg in "position 2" "handle 2" "index 0"; do
+	$NFT -f - <<< "$RULESET"
+	$NFT add rule t c $arg drop || {
+		$NFT list ruleset
+		exit 1
+	}
+
+	GET="$($NFT list ruleset)"
+	if [ "$EXPECTED" != "$GET" ] ; then
+		$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+		exit 1
+	fi
+done
+
+for arg in "position 3" "handle 3" "index 1"; do
+	$NFT -f - <<< "$RULESET"
+	$NFT insert rule t c $arg drop
+
+	GET="$($NFT list ruleset)"
+	if [ "$EXPECTED" != "$GET" ] ; then
+		$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+		exit 1
+	fi
+done
+
+EXPECTED="table ip t {
+	chain c {
+		accept
+		accept
+		drop
+	}
+}"
+
+for arg in "position 3" "handle 3" "index 1"; do
+	$NFT -f - <<< "$RULESET"
+	$NFT add rule t c $arg drop
+
+	GET="$($NFT list ruleset)"
+	if [ "$EXPECTED" != "$GET" ] ; then
+		$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+		exit 1
+	fi
+done
+
+EXPECTED="table ip t {
+	chain c {
+		drop
+		accept
+		accept
+	}
+}"
+
+for arg in "position 2" "handle 2" "index 0"; do
+	$NFT -f - <<< "$RULESET"
+	$NFT insert rule t c $arg drop
+
+	GET="$($NFT list ruleset)"
+	if [ "$EXPECTED" != "$GET" ] ; then
+		$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+		exit 1
+	fi
+done
diff --git a/tests/shell/testcases/rule_management/0002addinsertlocation_1 b/tests/shell/testcases/rule_management/0002addinsertlocation_1
new file mode 100755
index 0000000..920032f
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0002addinsertlocation_1
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# test rule adding with invalid position/handle/index value
+
+RULESET="flush ruleset
+table ip t {
+	chain c {
+		accept
+		accept
+	}
+}"
+
+$NFT -f - <<< "$RULESET"
+
+for cmd in add insert; do
+	for keyword in position handle index; do
+		$NFT $cmd rule t c $keyword 5 drop 2>/dev/null || continue
+
+		echo "E: invalid $keyword value allowed in $cmd command" >&2
+		exit 1
+	done
+done
+exit 0
diff --git a/tests/shell/testcases/rule_management/0003insert_0 b/tests/shell/testcases/rule_management/0003insert_0
new file mode 100755
index 0000000..c343d57
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0003insert_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+$NFT insert rule t c accept
+$NFT insert rule t c drop
+$NFT insert rule t c masquerade
+
+# check 'evaluate: un-break rule insert with intervals'
+
+$NFT insert rule t c tcp sport { 3478-3497, 16384-16387 }
diff --git a/tests/shell/testcases/rule_management/0004replace_0 b/tests/shell/testcases/rule_management/0004replace_0
new file mode 100755
index 0000000..c3329af
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0004replace_0
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+$NFT add rule t c accept	# should have handle 2
+$NFT replace rule t c handle 2 drop
diff --git a/tests/shell/testcases/rule_management/0005replace_1 b/tests/shell/testcases/rule_management/0005replace_1
new file mode 100755
index 0000000..d8d6447
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0005replace_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+# kernel should return ENOENT
+
+$NFT replace rule t c handle 2 drop 2>/dev/null || exit 0
+echo "E: missing kernel ENOENT" >&2
+exit 1
diff --git a/tests/shell/testcases/rule_management/0006replace_1 b/tests/shell/testcases/rule_management/0006replace_1
new file mode 100755
index 0000000..b728310
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0006replace_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+
+# position keyword with replace action is not allowed, this should fail
+$NFT replace rule t c position 2 drop 2>/dev/null || exit 0
+echo "E: allowed replace with position specification" >&2
+exit 1
diff --git a/tests/shell/testcases/rule_management/0007delete_0 b/tests/shell/testcases/rule_management/0007delete_0
new file mode 100755
index 0000000..11376cc
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0007delete_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+$NFT add rule t c accept	# should have handle 2
+$NFT add rule t c drop		# should have handle 3
+$NFT delete rule t c handle 2
diff --git a/tests/shell/testcases/rule_management/0008delete_1 b/tests/shell/testcases/rule_management/0008delete_1
new file mode 100755
index 0000000..d1900d6
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0008delete_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+
+# this should fail, we don't allow delete with position
+$NFT delete rule t c position 2 drop 2>/dev/null || exit 0
+echo "E: allowed position spec with delete action" >&2
+exit 1
diff --git a/tests/shell/testcases/rule_management/0009delete_1 b/tests/shell/testcases/rule_management/0009delete_1
new file mode 100755
index 0000000..8751fec
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0009delete_1
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# tests for Netfilter bug #965 and the related fix
+# (regarding rule management with a given position/handle spec)
+
+set -e
+$NFT add table t
+$NFT add chain t c
+
+# kernel ENOENT
+$NFT delete rule t c handle 3333 2>/dev/null || exit 0
+echo "E: missing kernel ENOENT" >&2
+exit 1
diff --git a/tests/shell/testcases/rule_management/0010replace_0 b/tests/shell/testcases/rule_management/0010replace_0
new file mode 100755
index 0000000..cd69a89
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0010replace_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# test for kernel commit ca08987885a147643817d02bf260bc4756ce8cd4
+# ("netfilter: nf_tables: deactivate expressions in rule replecement routine")
+
+set -e
+$NFT add table t
+$NFT add chain t c1
+$NFT add chain t c2
+$NFT add rule ip t c1 jump c2
+$NFT replace rule ip t c1 handle 3 accept
+$NFT flush ruleset
diff --git a/tests/shell/testcases/rule_management/0011reset_0 b/tests/shell/testcases/rule_management/0011reset_0
new file mode 100755
index 0000000..33eadd9
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0011reset_0
@@ -0,0 +1,170 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_rule)
+
+set -e
+
+echo "loading ruleset"
+$NFT -f - <<EOF
+table ip t {
+	set s {
+		type ipv4_addr
+		counter
+		elements = { 1.1.1.1 counter packets 1 bytes 11 }
+	}
+	chain c {
+		counter packets 1 bytes 11 update @s { ip saddr } accept
+		counter packets 2 bytes 12 drop
+	}
+
+	chain c2 {
+		counter packets 3 bytes 13 accept
+		counter packets 4 bytes 14 drop
+	}
+}
+table inet t {
+	chain c {
+		counter packets 5 bytes 15 accept
+		counter packets 6 bytes 16 drop
+	}
+}
+table ip t2 {
+	chain c2 {
+		counter packets 7 bytes 17 accept
+		counter packets 8 bytes 18 drop
+	}
+}
+EOF
+
+echo "resetting specific rule"
+handle=$($NFT -a list chain t c | sed -n 's/.*accept # handle \([0-9]*\)$/\1/p')
+$NFT reset rule t c handle $handle
+EXPECT='table ip t {
+	set s {
+		type ipv4_addr
+		size 65535
+		flags dynamic
+		counter
+		elements = { 1.1.1.1 counter packets 1 bytes 11 }
+	}
+
+	chain c {
+		counter packets 0 bytes 0 update @s { ip saddr } accept
+		counter packets 2 bytes 12 drop
+	}
+
+	chain c2 {
+		counter packets 3 bytes 13 accept
+		counter packets 4 bytes 14 drop
+	}
+}
+table inet t {
+	chain c {
+		counter packets 5 bytes 15 accept
+		counter packets 6 bytes 16 drop
+	}
+}
+table ip t2 {
+	chain c2 {
+		counter packets 7 bytes 17 accept
+		counter packets 8 bytes 18 drop
+	}
+}'
+$DIFF -u <(echo "$EXPECT") <($NFT list ruleset)
+
+echo "resetting specific chain"
+EXPECT='table ip t {
+	set s {
+		type ipv4_addr
+		size 65535
+		flags dynamic
+		counter
+	}
+
+	chain c2 {
+		counter packets 3 bytes 13 accept
+		counter packets 4 bytes 14 drop
+	}
+}'
+$DIFF -u <(echo "$EXPECT") <($NFT reset rules chain t c2)
+
+echo "resetting specific table"
+EXPECT='table ip t {
+	set s {
+		type ipv4_addr
+		size 65535
+		flags dynamic
+		counter
+	}
+
+	chain c {
+		counter packets 0 bytes 0 update @s { ip saddr } accept
+		counter packets 2 bytes 12 drop
+	}
+
+	chain c2 {
+		counter packets 0 bytes 0 accept
+		counter packets 0 bytes 0 drop
+	}
+}'
+$DIFF -u <(echo "$EXPECT") <($NFT reset rules table t)
+
+echo "resetting specific family"
+EXPECT='table ip t {
+	set s {
+		type ipv4_addr
+		size 65535
+		flags dynamic
+		counter
+	}
+
+	chain c {
+		counter packets 0 bytes 0 update @s { ip saddr } accept
+		counter packets 0 bytes 0 drop
+	}
+
+	chain c2 {
+		counter packets 0 bytes 0 accept
+		counter packets 0 bytes 0 drop
+	}
+}
+table ip t2 {
+	chain c2 {
+		counter packets 7 bytes 17 accept
+		counter packets 8 bytes 18 drop
+	}
+}'
+$DIFF -u <(echo "$EXPECT") <($NFT reset rules ip)
+
+echo "resetting whole ruleset"
+EXPECT='table ip t {
+	set s {
+		type ipv4_addr
+		size 65535
+		flags dynamic
+		counter
+	}
+
+	chain c {
+		counter packets 0 bytes 0 update @s { ip saddr } accept
+		counter packets 0 bytes 0 drop
+	}
+
+	chain c2 {
+		counter packets 0 bytes 0 accept
+		counter packets 0 bytes 0 drop
+	}
+}
+table inet t {
+	chain c {
+		counter packets 5 bytes 15 accept
+		counter packets 6 bytes 16 drop
+	}
+}
+table ip t2 {
+	chain c2 {
+		counter packets 0 bytes 0 accept
+		counter packets 0 bytes 0 drop
+	}
+}'
+$DIFF -u <(echo "$EXPECT") <($NFT reset rules)
diff --git a/tests/shell/testcases/rule_management/0012destroy_0 b/tests/shell/testcases/rule_management/0012destroy_0
new file mode 100755
index 0000000..a058150
--- /dev/null
+++ b/tests/shell/testcases/rule_management/0012destroy_0
@@ -0,0 +1,14 @@
+#!/bin/bash -e
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)
+
+$NFT add table t
+$NFT add chain t c
+
+# pass for non-existent rule
+$NFT destroy rule t c handle 3333
+
+# successfully delete existing rule
+handle=$($NFT -a -e insert rule t c accept | \
+	sed -n 's/.*handle \([0-9]*\)$/\1/p')
+$NFT destroy rule t c handle "$handle"
diff --git a/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft
new file mode 100644
index 0000000..527d79d
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0001addinsertposition_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+	chain c {
+		drop
+		accept
+		accept
+	}
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft
new file mode 100644
index 0000000..b76cd93
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0002addinsertlocation_1.nft
@@ -0,0 +1,6 @@
+table ip t {
+	chain c {
+		accept
+		accept
+	}
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0003insert_0.nft b/tests/shell/testcases/rule_management/dumps/0003insert_0.nft
new file mode 100644
index 0000000..b1875ab
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0003insert_0.nft
@@ -0,0 +1,8 @@
+table ip t {
+	chain c {
+		tcp sport { 3478-3497, 16384-16387 }
+		masquerade
+		drop
+		accept
+	}
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0004replace_0.nft b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft
new file mode 100644
index 0000000..e20952e
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0004replace_0.nft
@@ -0,0 +1,5 @@
+table ip t {
+	chain c {
+		drop
+	}
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0005replace_1.nft b/tests/shell/testcases/rule_management/dumps/0005replace_1.nft
new file mode 100644
index 0000000..1e0d1d6
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0005replace_1.nft
@@ -0,0 +1,4 @@
+table ip t {
+	chain c {
+	}
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0006replace_1.nft b/tests/shell/testcases/rule_management/dumps/0006replace_1.nft
new file mode 100644
index 0000000..1e0d1d6
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0006replace_1.nft
@@ -0,0 +1,4 @@
+table ip t {
+	chain c {
+	}
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0007delete_0.nft b/tests/shell/testcases/rule_management/dumps/0007delete_0.nft
new file mode 100644
index 0000000..e20952e
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0007delete_0.nft
@@ -0,0 +1,5 @@
+table ip t {
+	chain c {
+		drop
+	}
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0008delete_1.nft b/tests/shell/testcases/rule_management/dumps/0008delete_1.nft
new file mode 100644
index 0000000..1e0d1d6
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0008delete_1.nft
@@ -0,0 +1,4 @@
+table ip t {
+	chain c {
+	}
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0009delete_1.nft b/tests/shell/testcases/rule_management/dumps/0009delete_1.nft
new file mode 100644
index 0000000..1e0d1d6
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0009delete_1.nft
@@ -0,0 +1,4 @@
+table ip t {
+	chain c {
+	}
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0010replace_0.nft b/tests/shell/testcases/rule_management/dumps/0010replace_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0010replace_0.nft
diff --git a/tests/shell/testcases/rule_management/dumps/0011reset_0.nft b/tests/shell/testcases/rule_management/dumps/0011reset_0.nft
new file mode 100644
index 0000000..3b4f5a1
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0011reset_0.nft
@@ -0,0 +1,31 @@
+table ip t {
+	set s {
+		type ipv4_addr
+		size 65535
+		flags dynamic
+		counter
+		elements = { 1.1.1.1 counter packets 1 bytes 11 }
+	}
+
+	chain c {
+		counter packets 0 bytes 0 update @s { ip saddr } accept
+		counter packets 0 bytes 0 drop
+	}
+
+	chain c2 {
+		counter packets 0 bytes 0 accept
+		counter packets 0 bytes 0 drop
+	}
+}
+table inet t {
+	chain c {
+		counter packets 0 bytes 0 accept
+		counter packets 0 bytes 0 drop
+	}
+}
+table ip t2 {
+	chain c2 {
+		counter packets 0 bytes 0 accept
+		counter packets 0 bytes 0 drop
+	}
+}
diff --git a/tests/shell/testcases/rule_management/dumps/0012destroy_0.nft b/tests/shell/testcases/rule_management/dumps/0012destroy_0.nft
new file mode 100644
index 0000000..1e0d1d6
--- /dev/null
+++ b/tests/shell/testcases/rule_management/dumps/0012destroy_0.nft
@@ -0,0 +1,4 @@
+table ip t {
+	chain c {
+	}
+}
diff --git a/tests/shell/testcases/sets/0001named_interval_0 b/tests/shell/testcases/sets/0001named_interval_0
new file mode 100755
index 0000000..612eee0
--- /dev/null
+++ b/tests/shell/testcases/sets/0001named_interval_0
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# This is the most basic testscase:
+# * creating a valid interval set
+# * referencing it from a valid rule
+
+RULESET="
+table inet t {
+	set s1 {
+		type ipv4_addr
+		flags interval
+		elements = { 10.0.0.0-11.0.0.0, 172.16.0.0/16 }
+	}
+	set s2 {
+		type ipv6_addr
+		flags interval
+		elements = { fe00::/64, fe11::-fe22::}
+	}
+	set s3 {
+		type inet_proto
+		flags interval
+		elements = { 10-20, 50-60}
+	}
+	set s4 {
+		type inet_service
+		flags interval
+		elements = {8080-8082, 0-1024, 10000-40000}
+	}
+	chain c {
+		ip saddr @s1 accept
+		ip6 daddr @s2 accept
+		ip protocol @s3 accept
+		ip6 nexthdr @s3 accept
+		tcp dport @s4 accept
+	}
+}"
+
+set -e
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/sets/0002named_interval_automerging_0 b/tests/shell/testcases/sets/0002named_interval_automerging_0
new file mode 100755
index 0000000..6889863
--- /dev/null
+++ b/tests/shell/testcases/sets/0002named_interval_automerging_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# This testscase checks the automerging of adjacent intervals
+
+set -e
+
+$NFT add table t
+$NFT add set t s { type ipv4_addr \; flags interval \; }
+$NFT add element t s { 192.168.0.0/24, 192.168.1.0/24 }
+$NFT list ruleset | grep "192.168.0.0/23" >/dev/null || exit 0
+echo "E: automerging of adjacent intervals happened unexpectedly." >&2
+exit 1
diff --git a/tests/shell/testcases/sets/0003named_interval_missing_flag_0 b/tests/shell/testcases/sets/0003named_interval_missing_flag_0
new file mode 100755
index 0000000..e0b7f74
--- /dev/null
+++ b/tests/shell/testcases/sets/0003named_interval_missing_flag_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# This testscase checks the nft checking of flags in named intervals
+
+set -e
+$NFT add table t
+$NFT add set t s { type ipv4_addr \; }
+if $NFT add element t s { 192.168.0.0/24, 192.168.1.0/24 } 2>/dev/null ; then
+	echo "E: accepted interval in named set without proper flags" >&2
+	exit 1
+fi
+exit 0
diff --git a/tests/shell/testcases/sets/0004named_interval_shadow_0 b/tests/shell/testcases/sets/0004named_interval_shadow_0
new file mode 100755
index 0000000..827423d
--- /dev/null
+++ b/tests/shell/testcases/sets/0004named_interval_shadow_0
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# This testscase checks the nft checking of shadowed elements
+
+set -e
+$NFT add table inet t
+$NFT add set inet t s { type ipv6_addr \; flags interval \; }
+$NFT add element inet t s { fe00::/64 }
+if $NFT add element inet t s { fe00::/48 } 2>/dev/null ; then
+	echo "E: accepted shadowed element in named set" >&2
+	exit 1
+fi
+exit 0
diff --git a/tests/shell/testcases/sets/0005named_interval_shadow_0 b/tests/shell/testcases/sets/0005named_interval_shadow_0
new file mode 100755
index 0000000..14fcbdc
--- /dev/null
+++ b/tests/shell/testcases/sets/0005named_interval_shadow_0
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# This testscase checks the nft checking of shadowed elements
+
+set -e
+$NFT add table inet t
+$NFT add set inet t s { type ipv6_addr \; flags interval \; }
+$NFT add element inet t s { fe00::/48 }
+if $NFT add element inet t s { fe00::/64 } 2>/dev/null ; then
+	echo "E: accepted shadowed element in named set" >&2
+	exit 1
+fi
+exit 0
diff --git a/tests/shell/testcases/sets/0006create_set_0 b/tests/shell/testcases/sets/0006create_set_0
new file mode 100755
index 0000000..ca36cf7
--- /dev/null
+++ b/tests/shell/testcases/sets/0006create_set_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# This testscase checks for add and create set commands.
+
+set -e
+$NFT add table t
+$NFT add set t s { type ipv4_addr \; }
+if $NFT create set t s { type ipv4_addr \; } 2>/dev/null ; then
+	echo "E: accepted set creation that already exists" >&2
+	exit 1
+fi
+$NFT add set t s { type ipv4_addr \; }
+
+exit 0
diff --git a/tests/shell/testcases/sets/0007create_element_0 b/tests/shell/testcases/sets/0007create_element_0
new file mode 100755
index 0000000..47b3559
--- /dev/null
+++ b/tests/shell/testcases/sets/0007create_element_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# This testcase checks for add and create element commands.
+
+set -e
+$NFT add table t
+$NFT add set t s { type ipv4_addr \; }
+$NFT add element t s { 1.1.1.1 }
+if $NFT create element t s { 1.1.1.1 } 2>/dev/null ; then
+	echo "E: accepted element creation that already exists" >&2
+	exit 1
+fi
+$NFT add element t s { 1.1.1.1 }
+
+exit 0
diff --git a/tests/shell/testcases/sets/0008comments_interval_0 b/tests/shell/testcases/sets/0008comments_interval_0
new file mode 100755
index 0000000..98c709c
--- /dev/null
+++ b/tests/shell/testcases/sets/0008comments_interval_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# This test netfilter bug #1090
+# https://bugzilla.netfilter.org/show_bug.cgi?id=1090
+
+$NFT add table t
+$NFT add set t s {type ipv4_addr \; flags interval \;}
+$NFT add element t s { 1.1.1.1 comment "test" }
+if ! $NFT list ruleset | grep test >/dev/null ; then
+	echo "E: missing comment in set element" >&2
+	exit 1
+fi
diff --git a/tests/shell/testcases/sets/0008create_verdict_map_0 b/tests/shell/testcases/sets/0008create_verdict_map_0
new file mode 100755
index 0000000..e501049
--- /dev/null
+++ b/tests/shell/testcases/sets/0008create_verdict_map_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+RULESET="
+table ip t {
+	map sourcemap {
+		type ipv4_addr : verdict;
+	}
+	chain postrouting {
+		ip saddr vmap @sourcemap accept
+	}
+}
+add chain t c
+add element t sourcemap { 100.123.10.2 : jump c }
+"
+
+set -e
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/sets/0009comments_timeout_0 b/tests/shell/testcases/sets/0009comments_timeout_0
new file mode 100755
index 0000000..4e3f80c
--- /dev/null
+++ b/tests/shell/testcases/sets/0009comments_timeout_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Test that comments are added to set elements in timemout sets.
+
+$NFT flush ruleset
+$NFT add table t
+$NFT add set t s {type ipv4_addr \; flags timeout \;}
+$NFT add element t s { 1.1.1.1 comment "test" }
+if ! $NFT list ruleset | grep test >/dev/null ; then
+	echo "E: missing comment in set element" >&2
+	exit 1
+fi
diff --git a/tests/shell/testcases/sets/0010comments_0 b/tests/shell/testcases/sets/0010comments_0
new file mode 100755
index 0000000..4467a3b
--- /dev/null
+++ b/tests/shell/testcases/sets/0010comments_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Test that comments are added to set elements in standard sets.
+
+$NFT add table inet t
+$NFT add set inet t s {type ipv6_addr \; }
+$NFT add element inet t s { ::1 comment "test" }
+if ! $NFT list ruleset | grep test >/dev/null ; then
+	echo "E: missing comment in set element" >&2
+	exit 1
+fi
diff --git a/tests/shell/testcases/sets/0011add_many_elements_0 b/tests/shell/testcases/sets/0011add_many_elements_0
new file mode 100755
index 0000000..c37b2f0
--- /dev/null
+++ b/tests/shell/testcases/sets/0011add_many_elements_0
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# test adding many sets elements
+
+HOWMANY=255
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+	# The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+	# the test.
+	#
+	# Run only a subset of the test and mark as skipped at the end.
+	HOWMANY=30
+fi
+
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+	echo "Failed to create tmp file" >&2
+	exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+generate() {
+	echo -n "{"
+	for ((i=1; i<=HOWMANY; i++)) ; do
+		for ((j=1; j<=HOWMANY; j++)) ; do
+			echo -n "10.0.${i}.${j}"
+			[ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break
+			echo -n ", "
+		done
+	done
+	echo -n "}"
+}
+
+echo "add table x
+add set x y { type ipv4_addr; }
+add element x y $(generate)" > $tmpfile
+
+set -e
+$NFT -f $tmpfile
+
+if [ "$HOWMANY" != 255 ] ; then
+	echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+	echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+	echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+	exit 77
+fi
diff --git a/tests/shell/testcases/sets/0012add_delete_many_elements_0 b/tests/shell/testcases/sets/0012add_delete_many_elements_0
new file mode 100755
index 0000000..6445160
--- /dev/null
+++ b/tests/shell/testcases/sets/0012add_delete_many_elements_0
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# test adding and deleting many sets elements
+
+HOWMANY=255
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+	# The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+	# the test.
+	#
+	# Run only a subset of the test and mark as skipped at the end.
+	HOWMANY=30
+fi
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+	echo "Failed to create tmp file" >&2
+	exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+generate() {
+	echo -n "{"
+	for ((i=1; i<=HOWMANY; i++)) ; do
+		for ((j=1; j<=HOWMANY; j++)) ; do
+			echo -n "10.0.${i}.${j}"
+			[ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break
+			echo -n ", "
+		done
+	done
+	echo -n "}"
+}
+
+echo "add table x
+add set x y { type ipv4_addr; }
+add element x y $(generate)
+delete element x y $(generate)" > $tmpfile
+
+set -e
+$NFT -f $tmpfile
+
+if [ "$HOWMANY" != 255 ] ; then
+	echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+	echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+	echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+	exit 77
+fi
diff --git a/tests/shell/testcases/sets/0013add_delete_many_elements_0 b/tests/shell/testcases/sets/0013add_delete_many_elements_0
new file mode 100755
index 0000000..c0925dd
--- /dev/null
+++ b/tests/shell/testcases/sets/0013add_delete_many_elements_0
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# test adding and deleting many sets elements in two nft -f runs.
+
+HOWMANY=255
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+	# The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+	# the test.
+	#
+	# Run only a subset of the test and mark as skipped at the end.
+	HOWMANY=30
+fi
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+	echo "Failed to create tmp file" >&2
+	exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+generate() {
+	echo -n "{"
+	for ((i=1; i<=HOWMANY; i++)) ; do
+		for ((j=1; j<=HOWMANY; j++)) ; do
+			echo -n "10.0.${i}.${j}"
+			[ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break
+			echo -n ", "
+		done
+	done
+	echo -n "}"
+}
+
+set -e
+
+echo "add table x
+add set x y { type ipv4_addr; }
+add element x y $(generate)" > $tmpfile
+$NFT -f $tmpfile
+echo "delete element x y $(generate)" > $tmpfile
+$NFT -f $tmpfile
+
+if [ "$HOWMANY" != 255 ] ; then
+	echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+	echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+	echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+	exit 77
+fi
diff --git a/tests/shell/testcases/sets/0014malformed_set_is_not_defined_0 b/tests/shell/testcases/sets/0014malformed_set_is_not_defined_0
new file mode 100755
index 0000000..b34d71f
--- /dev/null
+++ b/tests/shell/testcases/sets/0014malformed_set_is_not_defined_0
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# This tests for the bug corrected in commit 5afa5a164ff1c066af1ec56d875b91562882bd50.
+# Sets were added to the table before checking for errors, and not removed from
+# the table on error, leading to an uninitialized set in the table, causing a
+# segfault for rules that tried to use it.
+# In this case, nft should error out because the set doesn't exist instead of
+# segfaulting
+
+RULESET="
+add table t
+add chain t c
+add set t s {type ipv4_addr\;}
+add rule t c ip saddr @s
+"
+
+$NFT -f - <<< "$RULESET"
+ret=$?
+
+trap - EXIT
+if [[ $ret -eq 1 ]]; then
+	exit 0
+else
+	exit 1
+fi
diff --git a/tests/shell/testcases/sets/0015rulesetflush_0 b/tests/shell/testcases/sets/0015rulesetflush_0
new file mode 100755
index 0000000..855d289
--- /dev/null
+++ b/tests/shell/testcases/sets/0015rulesetflush_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+RULESET="flush ruleset
+add table t
+add chain t c
+
+table inet filter {
+  set blacklist_v4 { type ipv4_addr; flags interval; }
+}
+
+add element inet filter blacklist_v4 {
+192.168.0.1/24,
+}"
+
+$NFT -f - <<< "$RULESET"
+
+# make sure flush ruleset works right
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/sets/0016element_leak_0 b/tests/shell/testcases/sets/0016element_leak_0
new file mode 100755
index 0000000..5675db3
--- /dev/null
+++ b/tests/shell/testcases/sets/0016element_leak_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# This tests for a bug where a repeated element is added and the set
+# elements counter is incorrectly increased.
+
+set -e
+$NFT add table x
+$NFT add set x s {type ipv4_addr\; size 2\;}
+$NFT add element x s {1.1.1.1}
+$NFT add element x s {1.1.1.1}
+$NFT add element x s {1.1.1.1}
diff --git a/tests/shell/testcases/sets/0017add_after_flush_0 b/tests/shell/testcases/sets/0017add_after_flush_0
new file mode 100755
index 0000000..0390b03
--- /dev/null
+++ b/tests/shell/testcases/sets/0017add_after_flush_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# This tests for a bug where elements can't be added after flushing a
+# full set with the flag NFTNL_SET_DESC_SIZE set
+
+set -e
+$NFT add table x
+$NFT add set x s {type ipv4_addr\; size 2\;}
+$NFT add element x s {1.1.1.1}
+$NFT add element x s {1.1.1.2}
+$NFT flush set x s
+$NFT add element x s {1.1.1.1}
diff --git a/tests/shell/testcases/sets/0018set_check_size_1 b/tests/shell/testcases/sets/0018set_check_size_1
new file mode 100755
index 0000000..bc70560
--- /dev/null
+++ b/tests/shell/testcases/sets/0018set_check_size_1
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+$NFT add table x
+$NFT add set x s {type ipv4_addr\; size 2\;}
+$NFT add element x s {1.1.1.1}
+$NFT add element x s {1.1.1.2}
+
+$NFT add element x s {1.1.1.3} || exit 0
+echo "E: Accepted 3rd element in a table with max size of 2" 1>&2
+exit 1
diff --git a/tests/shell/testcases/sets/0019set_check_size_0 b/tests/shell/testcases/sets/0019set_check_size_0
new file mode 100755
index 0000000..c209708
--- /dev/null
+++ b/tests/shell/testcases/sets/0019set_check_size_0
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+$NFT add table x
+$NFT add set x s {type ipv4_addr\; size 2\;}
+$NFT add element x s {1.1.1.1}
+$NFT add element x s {1.1.1.2}
+
+$NFT add element x s { 1.1.1.3 } 2>/dev/null
+if [ $? -eq 0 ]; then
+        echo "E: set is full, but element was added" >&2
+	exit 1
+fi
+#
+# Try again, this helps us catch incorrect set->nelems decrement from abort path
+#
+$NFT add element x s { 1.1.1.3 } 2>/dev/null
+if [ $? -eq 0 ]; then
+        echo "E: set is full, but element was added" >&2
+	exit 1
+fi
diff --git a/tests/shell/testcases/sets/0020comments_0 b/tests/shell/testcases/sets/0020comments_0
new file mode 100755
index 0000000..44d451a
--- /dev/null
+++ b/tests/shell/testcases/sets/0020comments_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Test that comments are added to set elements in standard sets.
+# Explicitly test bitmap backend set implementation.
+
+$NFT add table inet t
+$NFT add set inet t s {type inet_service \; }
+$NFT add element inet t s { 22 comment "test" }
+if ! $NFT list ruleset | grep test >/dev/null ; then
+	echo "E: missing comment in set element" >&2
+	exit 1
+fi
diff --git a/tests/shell/testcases/sets/0021nesting_0 b/tests/shell/testcases/sets/0021nesting_0
new file mode 100755
index 0000000..0b90dc7
--- /dev/null
+++ b/tests/shell/testcases/sets/0021nesting_0
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+RULESET='
+define set1 = {
+	2.2.2.0/24,
+	3.3.3.0/24,
+}
+define set2 = {
+	$set1,
+	1.1.1.0/24
+}
+table ip x {
+	chain y {
+		ip saddr { 3.3.3.0/24, $set2 }
+	}
+}'
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/sets/0022type_selective_flush_0 b/tests/shell/testcases/sets/0022type_selective_flush_0
new file mode 100755
index 0000000..6062913
--- /dev/null
+++ b/tests/shell/testcases/sets/0022type_selective_flush_0
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# This tests the selectiveness of flush command on structures that use the
+# generic set infrastructure (sets, maps and meters).
+
+RULESET="
+add table t
+add chain t c
+add set t s {type ipv4_addr;}
+add map t m {type ipv4_addr : inet_service;}
+add rule t c tcp dport 80 meter f size 1024 {ip saddr limit rate 10/second}
+"
+
+$NFT -f - <<< "$RULESET"
+
+# Commands that should be invalid
+
+declare -a cmds=(
+		"flush set t m" "flush set t f"
+		"flush map t s" "flush map t f"
+		"flush meter t s" "flush meter t m"
+		)
+
+for i in "${cmds[@]}"
+do
+	$NFT "$i" &>/dev/null
+	ret=$?
+
+	if [ $ret -eq 0 ]; then
+		exit 1
+	fi
+done
diff --git a/tests/shell/testcases/sets/0023incomplete_add_set_command_0 b/tests/shell/testcases/sets/0023incomplete_add_set_command_0
new file mode 100755
index 0000000..b7535f7
--- /dev/null
+++ b/tests/shell/testcases/sets/0023incomplete_add_set_command_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# This testscase checks bug identified and fixed in the commit Id "c6cd7c22548a"
+# Before the commit c6cd7c22548a, nft returns 139 (i.e, segmentation fault) which
+# indicates the bug but after the commit it returns 1.
+
+$NFT add table t
+$NFT add set t c
+
+ret=$?
+if [ $ret -ne 1 ] ;
+then
+	echo "E: returned $ret instead of 1" >&2
+	exit 1
+fi
+
diff --git a/tests/shell/testcases/sets/0024named_objects_0 b/tests/shell/testcases/sets/0024named_objects_0
new file mode 100755
index 0000000..6d21e38
--- /dev/null
+++ b/tests/shell/testcases/sets/0024named_objects_0
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# This is the testscase:
+# * creating valid named objects
+# * referencing them from a valid rule
+
+RULESET="
+table inet x {
+	counter user123 {
+		packets 12 bytes 1433
+	}
+	counter user321 {
+		packets 12 bytes 1433
+	}
+	quota user123 {
+		over 2000 bytes
+	}
+	quota user124 {
+		over 2000 bytes
+	}
+	synproxy https-synproxy {
+		mss 1460
+		wscale 7
+		timestamp sack-perm
+	}
+	synproxy other-synproxy {
+		mss 1460
+		wscale 5
+	}
+	set y {
+		type ipv4_addr
+	}
+	map test {
+		type ipv4_addr : quota
+		elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124"}
+	}
+	map test2 {
+		type ipv4_addr : synproxy
+		flags interval
+		elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+	}
+	chain y {
+		type filter hook input priority 0; policy accept;
+		counter name ip saddr map { 192.168.2.2 : "user123", 1.1.1.1 : "user123", 2.2.2.2 : "user123"}
+		synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+		quota name ip saddr map @test drop
+	}
+}"
+
+set -e
+$NFT -f - <<< "$RULESET"
+
+EXPECTED="table inet x {
+	counter user321 {
+		packets 12 bytes 1433
+	}
+}"
+
+GET="$($NFT reset counter inet x user321)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/sets/0025anonymous_set_0 b/tests/shell/testcases/sets/0025anonymous_set_0
new file mode 100755
index 0000000..74777d8
--- /dev/null
+++ b/tests/shell/testcases/sets/0025anonymous_set_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Adding anonymous sets
+
+set -e
+
+$NFT add table t
+$NFT add chain t c { type filter hook output priority 0 \; }
+# set: IP addresses
+$NFT add rule t c ip daddr { \
+        192.168.0.1, \
+        192.168.0.2, \
+        192.168.0.3, \
+}
+
+#set : tcp ports
+$NFT add rule t c meta oifname \"doesntexist\" tcp dport { 22, 23 } counter
diff --git a/tests/shell/testcases/sets/0026named_limit_0 b/tests/shell/testcases/sets/0026named_limit_0
new file mode 100755
index 0000000..11f1f5d
--- /dev/null
+++ b/tests/shell/testcases/sets/0026named_limit_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# This is the testscase:
+# * creating valid named limits
+# * referencing them from a valid rule
+
+RULESET="
+table ip filter {
+	limit http-traffic {
+		rate 1/second
+	}
+	chain input {
+		type filter hook input priority 0; policy accept;
+		limit name tcp dport map { 80 : "http-traffic", 443 : "http-traffic"}
+	}
+}"
+
+set -e
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/sets/0027ipv6_maps_ipv4_0 b/tests/shell/testcases/sets/0027ipv6_maps_ipv4_0
new file mode 100755
index 0000000..87603c5
--- /dev/null
+++ b/tests/shell/testcases/sets/0027ipv6_maps_ipv4_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Tests IPv4 Mapped IPv6 addresses.
+
+set -e
+
+RULESET="
+table inet t {
+	set s {
+		type ipv6_addr
+		flags interval
+		elements = { ::ffff:0.0.0.0/96 }
+	}
+}
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/sets/0028autoselect_0 b/tests/shell/testcases/sets/0028autoselect_0
new file mode 100755
index 0000000..23f43a2
--- /dev/null
+++ b/tests/shell/testcases/sets/0028autoselect_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# This testscase checks kernel picks a suitable set backends.
+# Ruleset attempts to update from packet path, so set backend
+# needs an ->update() implementation.
+
+set -e
+
+$NFT add table t
+$NFT add set t s1 { type inet_proto \; flags dynamic \; }
+$NFT add set t s2 { type ipv4_addr \; flags dynamic \; }
+$NFT add set t s3 { type ipv4_addr \; size 1024\; flags dynamic \; }
+$NFT add chain t c {type filter hook input priority 0 \; }
+
+$NFT add rule t c meta iifname foobar add @s1 { ip protocol }
+$NFT add rule t c meta iifname foobar add @s2 { ip daddr }
+$NFT add rule t c meta iifname foobar add @s3 { ip daddr }
diff --git a/tests/shell/testcases/sets/0028delete_handle_0 b/tests/shell/testcases/sets/0028delete_handle_0
new file mode 100755
index 0000000..c6d1253
--- /dev/null
+++ b/tests/shell/testcases/sets/0028delete_handle_0
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+$NFT add table test-ip
+$NFT add set test-ip x { type ipv4_addr\; }
+$NFT add set test-ip y { type inet_service \; timeout 3h45s \;}
+$NFT add set test-ip z { type ipv4_addr\; flags constant , interval\;}
+$NFT add set test-ip c {type ipv4_addr \; flags timeout \; elements={192.168.1.1 timeout 10s, 192.168.1.2 timeout 30s} \;}
+
+set_handle=$($NFT -a list ruleset | awk '/set c/{print $NF}')
+$NFT delete set test-ip handle $set_handle
+
+EXPECTED="table ip test-ip {
+	set x {
+		type ipv4_addr
+	}
+
+	set y {
+		type inet_service
+		timeout 3h45s
+	}
+
+	set z {
+		type ipv4_addr
+		flags constant,interval
+	}
+}"
+
+GET="$($NFT list ruleset)"
+
+if [ "$EXPECTED" != "$GET" ] ; then
+	$DIFF -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/sets/0029named_ifname_dtype_0 b/tests/shell/testcases/sets/0029named_ifname_dtype_0
new file mode 100755
index 0000000..2dbcd22
--- /dev/null
+++ b/tests/shell/testcases/sets/0029named_ifname_dtype_0
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# support for ifname in named sets
+
+EXPECTED="table inet t {
+	set s {
+		type ifname
+		elements = { \"eth0\" }
+	}
+
+	set sc {
+		type inet_service . ifname
+		elements = { \"ssh\" . \"eth0\" }
+	}
+
+	set nv {
+		type ifname . mark
+	}
+
+	set z {
+		typeof ct zone
+		elements = { 1 }
+	}
+
+	set m {
+		typeof meta mark
+		elements = { 1 }
+	}
+
+	map cz {
+		typeof meta iifname : ct zone
+		elements = { \"veth4\" : 1 }
+	}
+
+	map cm {
+		typeof meta iifname : ct mark
+		elements = { \"veth4\" : 1 }
+	}
+
+	chain c {
+		iifname @s accept
+		oifname @s accept
+		tcp dport . meta iifname @sc accept
+		meta iifname . meta mark @nv accept
+	}
+}"
+
+set -e
+$NFT -f - <<< "$EXPECTED"
+$NFT add element inet t s '{ "eth1" }'
+$NFT add element inet t s '{ "eth2", "eth3", "veth1" }'
+
+$NFT add element inet t sc '{ 80 . "eth0" }'
+$NFT add element inet t sc '{ 80 . "eth0" }' || true
+$NFT add element inet t sc '{ 80 . "eth1" }'
+$NFT add element inet t sc '{ 81 . "eth0" }'
+
+$NFT add element inet t nv '{ "eth0" . 1 }'
+$NFT add element inet t nv '{ "eth0" . 2 }'
+
+$NFT add element inet t z '{ 2, 3, 4, 5, 6 }'
+$NFT add element inet t cz '{ "eth0" : 1,  "eth1" : 2 }'
+
+$NFT add element inet t m '{ 2, 3, 4, 5, 6 }'
+$NFT add element inet t cm '{ "eth0" : 1,  "eth1" : 2 }'
diff --git a/tests/shell/testcases/sets/0030add_many_elements_interval_0 b/tests/shell/testcases/sets/0030add_many_elements_interval_0
new file mode 100755
index 0000000..32a705b
--- /dev/null
+++ b/tests/shell/testcases/sets/0030add_many_elements_interval_0
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+HOWMANY=255
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+	# The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+	# the test.
+	#
+	# Run only a subset of the test and mark as skipped at the end.
+	HOWMANY=30
+fi
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+	echo "Failed to create tmp file" >&2
+	exit 0
+fi
+
+trap "rm -rf $tmpfile" EXIT # cleanup if aborted
+
+generate() {
+	echo -n "{"
+	for ((i=1; i<=HOWMANY; i++)) ; do
+		for ((j=1; j<=HOWMANY; j++)) ; do
+			echo -n "10.${i}.${j}.0/24"
+			[ "$i" == "$HOWMANY" ] && [ "$j" == "$HOWMANY" ] && break
+			echo -n ", "
+		done
+	done
+	echo -n "}"
+}
+
+echo "add table x
+add set x y { type ipv4_addr; flags interval; }
+add element x y $(generate)" > $tmpfile
+
+set -e
+$NFT -f $tmpfile
+
+if [ "$HOWMANY" != 255 ] ; then
+	echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+	echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+	echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+	exit 77
+fi
diff --git a/tests/shell/testcases/sets/0031set_timeout_size_0 b/tests/shell/testcases/sets/0031set_timeout_size_0
new file mode 100755
index 0000000..9a4a27f
--- /dev/null
+++ b/tests/shell/testcases/sets/0031set_timeout_size_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+RULESET="add table x
+add set x y { type ipv4_addr; size 128; timeout 30s; flags dynamic; }
+add chain x test
+add rule x test set update ip saddr timeout 1d2h3m4s10ms @y
+add rule x test set update ip daddr timeout 100ms @y"
+
+set -e
+$NFT -f - <<< "$RULESET"
+$NFT list chain x test | grep -q 'update @y { ip saddr timeout 1d2h3m4s\(10\|8\)ms }'
+$NFT list chain x test | grep -q 'update @y { ip daddr timeout 100ms }'
diff --git a/tests/shell/testcases/sets/0032restore_set_simple_0 b/tests/shell/testcases/sets/0032restore_set_simple_0
new file mode 100755
index 0000000..07820b7
--- /dev/null
+++ b/tests/shell/testcases/sets/0032restore_set_simple_0
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"
diff --git a/tests/shell/testcases/sets/0033add_set_simple_flat_0 b/tests/shell/testcases/sets/0033add_set_simple_flat_0
new file mode 100755
index 0000000..86be0c9
--- /dev/null
+++ b/tests/shell/testcases/sets/0033add_set_simple_flat_0
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+RULESET="add table ip x
+add set x setA {type ipv4_addr . inet_service . ipv4_addr; flags timeout;}
+add set x setB {type ipv4_addr . inet_service; flags timeout;}
+"
+
+set -e
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/sets/0034get_element_0 b/tests/shell/testcases/sets/0034get_element_0
new file mode 100755
index 0000000..3343529
--- /dev/null
+++ b/tests/shell/testcases/sets/0034get_element_0
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+RC=0
+
+check() { # (set, elems, expected)
+	out=$($NFT get element ip t $1 "{ $2 }")
+	out=$(grep "elements =" <<< "$out")
+	out="${out#* \{ }"
+	out="${out% \}}"
+	[[ "$out" == "$3" ]] && return
+	echo "ERROR: asked for '$2' in set $1, expecting '$3' but got '$out'"
+	((RC++))
+}
+
+RULESET="add table ip t
+add set ip t s { type inet_service; flags interval; }
+add element ip t s { 10, 20-30, 40, 50-60 }
+add set ip t ips { type ipv4_addr; flags interval; }
+add element ip t ips { 10.0.0.1, 10.0.0.5-10.0.0.8 }
+add element ip t ips { 10.0.0.128/25, 10.0.1.0/24, 10.0.2.3-10.0.2.12 }
+add set ip t cs { type ipv4_addr . inet_service; flags interval; }
+add element ip t cs { 10.0.0.1 . 22, 10.1.0.0/16 . 1-1024 }
+add element ip t cs { 10.2.0.1-10.2.0.8 . 1024-65535 }
+"
+
+$NFT -f - <<< "$RULESET"
+
+# simple cases, (non-)existing values and ranges
+check s 10 10
+check s 11 ""
+check s 20-30 20-30
+check s 15-18 ""
+
+# multiple single elements, ranges smaller than present
+check s "10, 40" "10, 40"
+check s "22-24, 26-28" "20-30, 20-30"
+check s 21-29 20-30
+
+# mixed single elements and ranges
+check s "10, 20" "10, 20-30"
+check s "10, 22" "10, 20-30"
+check s "10, 22-24" "10, 20-30"
+
+# non-existing ranges matching elements
+check s 10-40 ""
+check s 10-20 ""
+check s 10-25 ""
+check s 25-55 ""
+
+# playing with IPs, ranges and prefixes
+check ips 10.0.0.1 10.0.0.1
+check ips 10.0.0.2 ""
+check ips 10.0.1.0/24 10.0.1.0/24
+check ips 10.0.1.2/31 10.0.1.0/24
+check ips 10.0.1.0 10.0.1.0/24
+check ips 10.0.1.3 10.0.1.0/24
+check ips 10.0.1.255 10.0.1.0/24
+check ips 10.0.2.3-10.0.2.12 10.0.2.3-10.0.2.12
+check ips 10.0.2.10 10.0.2.3-10.0.2.12
+check ips 10.0.2.12 10.0.2.3-10.0.2.12
+
+# test concatenated ranges, i.e. Pi, Pa and Po
+check cs "10.0.0.1 . 22" "10.0.0.1 . 22"
+check cs "10.0.0.1 . 23" ""
+check cs "10.0.0.2 . 22" ""
+check cs "10.1.0.1 . 42" "10.1.0.0/16 . 1-1024"
+check cs "10.1.1.0/24 . 10-20" "10.1.0.0/16 . 1-1024"
+check cs "10.2.0.3 . 20000" "10.2.0.1-10.2.0.8 . 1024-65535"
+
+exit $RC
diff --git a/tests/shell/testcases/sets/0035add_set_elements_flat_0 b/tests/shell/testcases/sets/0035add_set_elements_flat_0
new file mode 100755
index 0000000..d914ba9
--- /dev/null
+++ b/tests/shell/testcases/sets/0035add_set_elements_flat_0
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+RULESET="add table ip x
+add set x y {type ipv4_addr; flags interval;}
+add element x y { 10.0.24.0/24 }
+"
+
+set -e
+$NFT -f - <<< "$RULESET"
+$NFT delete element x y { 10.0.24.0/24 }
diff --git a/tests/shell/testcases/sets/0036add_set_element_expiration_0 b/tests/shell/testcases/sets/0036add_set_element_expiration_0
new file mode 100755
index 0000000..0fd016e
--- /dev/null
+++ b/tests/shell/testcases/sets/0036add_set_element_expiration_0
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+drop_seconds() {
+	sed -E 's/m[0-9]*s([0-9]*ms)?/m/g'
+}
+
+RULESET="add table ip x
+add set ip x y { type ipv4_addr; flags dynamic,timeout; }
+add element ip x y { 1.1.1.1 timeout 30m expires 15m59s }"
+
+EXPECTED="add table ip x
+add set ip x y { type ipv4_addr; flags dynamic,timeout; } 
+add element ip x y { 1.1.1.1 timeout 30m expires 15m }"
+
+test_output=$($NFT -e -f - <<< "$RULESET" 2>&1 | grep -v '# new generation' | drop_seconds)
+
+if [ "$test_output" != "$EXPECTED" ] ; then
+	$DIFF -u <(echo "$test_output") <(echo "$EXPECTED")
+	exit 1
+fi
+
+$NFT "add chain ip x c; add rule ip x c ip saddr @y"
diff --git a/tests/shell/testcases/sets/0037_set_with_inet_service_0 b/tests/shell/testcases/sets/0037_set_with_inet_service_0
new file mode 100755
index 0000000..07820b7
--- /dev/null
+++ b/tests/shell/testcases/sets/0037_set_with_inet_service_0
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"
diff --git a/tests/shell/testcases/sets/0038meter_list_0 b/tests/shell/testcases/sets/0038meter_list_0
new file mode 100755
index 0000000..e9e0f6f
--- /dev/null
+++ b/tests/shell/testcases/sets/0038meter_list_0
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+#
+# Listing meters should not include dynamic sets in the output
+#
+
+set -e
+
+RULESET="
+  add table t
+  add set t s { type ipv4_addr; size 256; flags dynamic,timeout; }
+  add chain t c
+  add rule t c tcp dport 80 meter m size 128 { ip saddr limit rate 10/second }
+"
+
+expected_output="table ip t {
+	meter m {
+		type ipv4_addr
+		size 128
+		flags dynamic
+	}
+}"
+
+$NFT -f - <<< "$RULESET"
+
+test_output=$($NFT list meters)
+
+test "$test_output" = "$expected_output"
+
diff --git a/tests/shell/testcases/sets/0039delete_interval_0 b/tests/shell/testcases/sets/0039delete_interval_0
new file mode 100755
index 0000000..19df16e
--- /dev/null
+++ b/tests/shell/testcases/sets/0039delete_interval_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Make sure nft allows to delete existing ranges only
+
+RULESET="
+table t {
+	set s {
+		type ipv4_addr
+		flags interval
+		elements = { 192.168.1.0-192.168.1.254, 192.168.1.255 }
+	}
+}"
+
+$NFT -f - <<< "$RULESET" || { echo "E: Can't load basic ruleset" 1>&2; exit 1; }
+
+$NFT delete element t s '{ 192.168.1.0/24 }' 2>/dev/null || exit 0
+echo "E: Deletion of non-existing range allowed" 1>&2
diff --git a/tests/shell/testcases/sets/0040get_host_endian_elements_0 b/tests/shell/testcases/sets/0040get_host_endian_elements_0
new file mode 100755
index 0000000..caf6a4a
--- /dev/null
+++ b/tests/shell/testcases/sets/0040get_host_endian_elements_0
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+RULESET="table ip t {
+	set s {
+		type mark
+		flags interval
+		elements = {
+			0x23-0x42, 0x1337
+		}
+	}
+}"
+
+$NFT -f - <<< "$RULESET" || { echo "can't apply basic ruleset"; exit 1; }
+
+$NFT get element ip t s '{ 0x23-0x42 }' || {
+	echo "can't find existing range 0x23-0x42"
+	exit 1
+}
+
+$NFT get element ip t s '{ 0x26-0x28 }' || {
+	echo "can't find existing sub-range 0x26-0x28"
+	exit 1
+}
+
+$NFT get element ip t s '{ 0x26-0x99 }' && {
+	echo "found non-existing range 0x26-0x99"
+	exit 1
+}
+
+$NFT get element ip t s '{ 0x55-0x99 }' && {
+	echo "found non-existing range 0x55-0x99"
+	exit 1
+}
+
+$NFT get element ip t s '{ 0x55 }' && {
+	echo "found non-existing element 0x55"
+	exit 1
+}
+
+$NFT get element ip t s '{ 0x1337 }' || {
+	echo "can't find existing element 0x1337"
+	exit 1
+}
diff --git a/tests/shell/testcases/sets/0041interval_0 b/tests/shell/testcases/sets/0041interval_0
new file mode 100755
index 0000000..42fc6cc
--- /dev/null
+++ b/tests/shell/testcases/sets/0041interval_0
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+RULESET="
+table ip t {
+        set s {
+                type ipv4_addr
+                flags interval
+                elements = { 192.168.2.195, 192.168.2.196,
+                             192.168.2.197, 192.168.2.198 }
+        }
+}"
+
+$NFT -f - <<< "$RULESET"
+
+$NFT 'delete element t s { 192.168.2.195, 192.168.2.196 }; add element t s { 192.168.2.196 }' 2>/dev/null
+$NFT get element t s { 192.168.2.196, 192.168.2.197, 192.168.2.198 } 1>/dev/null
+$NFT 'delete element t s { 192.168.2.196, 192.168.2.197 }; add element t s { 192.168.2.197 }' 2>/dev/null
+$NFT get element t s { 192.168.2.197, 192.168.2.198 } 1>/dev/null
+$NFT 'delete element t s { 192.168.2.198, 192.168.2.197 }; add element t s { 192.168.2.196, 192.168.2.197, 192.168.2.195 }' 1>/dev/null
+$NFT get element t s { 192.168.2.196, 192.168.2.197, 192.168.2.195 } 1>/dev/null
+$NFT delete element t s { 192.168.2.196, 192.168.2.197, 192.168.2.195 } 2>/dev/null
+$NFT create element t s { 192.168.2.196} 2>/dev/null
+$NFT get element t s { 192.168.2.196 } 1>/dev/null
diff --git a/tests/shell/testcases/sets/0042update_set_0 b/tests/shell/testcases/sets/0042update_set_0
new file mode 100755
index 0000000..a8e9e05
--- /dev/null
+++ b/tests/shell/testcases/sets/0042update_set_0
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip t {
+        set set1 {
+                type ether_addr
+        }
+
+        set set2 {
+                type ether_addr
+                size 65535
+                flags dynamic
+        }
+
+        chain c {
+                ether daddr @set1 add @set2 { ether daddr counter }
+        }
+}"
+
+$NFT -f - <<< "$RULESET" || { echo "can't apply basic ruleset"; exit 1; }
diff --git a/tests/shell/testcases/sets/0043concatenated_ranges_0 b/tests/shell/testcases/sets/0043concatenated_ranges_0
new file mode 100755
index 0000000..83d7435
--- /dev/null
+++ b/tests/shell/testcases/sets/0043concatenated_ranges_0
@@ -0,0 +1,194 @@
+#!/bin/bash -e
+#
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
+#
+# 0043concatenated_ranges_0 - Add, get, list, timeout for concatenated ranges
+#
+# Cycle over supported data types, forming concatenations of three fields, for
+# all possible permutations, and:
+# - add entries to set
+# - list them
+# - get entries by specifying a value matching ranges for all fields
+# - delete them
+# - check that they can't be deleted again
+# - add them with 1s timeout
+# - check that they are not listed after 1s, just once, for the first entry
+# - delete them
+# - make sure they can't be deleted again
+
+TYPES="ipv4_addr ipv6_addr ether_addr inet_proto inet_service mark"
+
+RULESPEC_ipv4_addr="ip saddr"
+ELEMS_ipv4_addr="192.0.2.1 198.51.100.0/25 203.0.113.0-203.0.113.129"
+ADD_ipv4_addr="192.0.2.252/31"
+GET_ipv4_addr="198.51.100.127 198.51.100.0/25"
+
+RULESPEC_ipv6_addr="ip6 daddr"
+ELEMS_ipv6_addr="2001:db8:c0c:c0de::1-2001:db8:cacc::a 2001:db8::1 2001:db8:dada:da::/64"
+ADD_ipv6_addr="2001:db8::d1ca:d1ca"
+GET_ipv6_addr="2001:db8::1 2001:db8::1"
+
+RULESPEC_ether_addr="ether saddr"
+ELEMS_ether_addr="00:0a:c1:d1:f1:ed-00:0a:c1:dd:ec:af 00:0b:0c:ca:cc:10-c1:a0:c1:cc:10:00 f0:ca:cc:1a:b0:1a"
+ADD_ether_addr="00:be:1d:ed:ab:e1"
+GET_ether_addr="ac:c1:ac:c0:ce:c0 00:0b:0c:ca:cc:10-c1:a0:c1:cc:10:00"
+
+RULESPEC_inet_proto="meta l4proto"
+ELEMS_inet_proto="tcp udp icmp"
+ADD_inet_proto="sctp"
+GET_inet_proto="udp udp"
+
+RULESPEC_inet_service="tcp dport"
+ELEMS_inet_service="22-23 1024-32768 31337"
+ADD_inet_service="32769-65535"
+GET_inet_service="32768 1024-32768"
+
+RULESPEC_mark="mark"
+ELEMS_mark="0x00000064-0x000000c8 0x0000006f 0x0000fffd-0x0000ffff"
+ADD_mark="0x0000002a"
+GET_mark="0x0000006f 0x0000006f"
+
+tmp="$(mktemp)"
+trap "rm -f ${tmp}" EXIT
+
+render() {
+	eval "echo \"$(cat ${1})\""
+}
+
+cat <<'EOF' > "${tmp}"
+flush ruleset
+
+table inet filter {
+	${setmap} test {
+		type ${ta} . ${tb} . ${tc} ${mapt}
+		flags interval,timeout
+		elements = { ${a1} . ${b1} . ${c1} ${mapv},
+			     ${a2} . ${b2} . ${c2} ${mapv},
+			     ${a3} . ${b3} . ${c3} ${mapv}, }
+	}
+
+	chain output {
+		type filter hook output priority 0; policy accept;
+		${rule} @test counter
+	}
+}
+EOF
+
+timeout_tested=0
+run_test()
+{
+setmap="$1"
+for ta in ${TYPES}; do
+	eval a=\$ELEMS_${ta}
+	a1=${a%% *}; a2=$(expr "$a" : ".* \(.*\) .*"); a3=${a##* }
+	eval sa=\$RULESPEC_${ta}
+
+	mark=0
+	for tb in ${TYPES}; do
+		[ "${tb}" = "${ta}" ] && continue
+		if [ "${tb}" = "ipv6_addr" ]; then
+			[ "${ta}" = "ipv4_addr" ] && continue
+		elif [ "${tb}" = "ipv4_addr" ]; then
+			[ "${ta}" = "ipv6_addr" ] && continue
+		fi
+
+		eval b=\$ELEMS_${tb}
+		b1=${b%% *}; b2=$(expr "$b" : ".* \(.*\) .*"); b3=${b##* }
+		eval sb=\$RULESPEC_${tb}
+
+		for tc in ${TYPES}; do
+			[ "${tc}" = "${ta}" ] && continue
+			[ "${tc}" = "${tb}" ] && continue
+			if [ "${tc}" = "ipv6_addr" ]; then
+				[ "${ta}" = "ipv4_addr" ] && continue
+				[ "${tb}" = "ipv4_addr" ] && continue
+			elif [ "${tc}" = "ipv4_addr" ]; then
+				[ "${ta}" = "ipv6_addr" ] && continue
+				[ "${tb}" = "ipv6_addr" ] && continue
+			fi
+
+			echo "$setmap TYPE: ${ta} ${tb} ${tc}"
+
+			eval c=\$ELEMS_${tc}
+			c1=${c%% *}; c2=$(expr "$c" : ".* \(.*\) .*"); c3=${c##* }
+			eval sc=\$RULESPEC_${tc}
+
+			case "${setmap}" in
+			"set")
+				mapt=""
+				mapv=""
+				rule="${sa} . ${sb} . ${sc}"
+			;;
+			"map")
+				mapt=": mark"
+				mark=42
+				mapv=$(printf " : 0x%08x" ${mark})
+				rule="meta mark set ${sa} . ${sb} . ${sc} map"
+			;;
+			esac
+
+			render ${tmp} | ${NFT} -f -
+
+			[ $(${NFT} list ${setmap} inet filter test |		\
+			   grep -c -e "${a1} . ${b1} . ${c1}${mapv}"		\
+				   -e "${a2} . ${b2} . ${c2}${mapv}"		\
+				   -e "${a3} . ${b3} . ${c3}${mapv}") -eq 3 ]
+
+			${NFT} delete element inet filter test \
+				"{ ${a1} . ${b1} . ${c1}${mapv} }"
+			${NFT} delete element inet filter test \
+				"{ ${a1} . ${b1} . ${c1}${mapv} }" \
+				2>/dev/null && exit 1
+
+			eval add_a=\$ADD_${ta}
+			eval add_b=\$ADD_${tb}
+			eval add_c=\$ADD_${tc}
+			${NFT} add element inet filter test \
+				"{ ${add_a} . ${add_b} . ${add_c} timeout 2m${mapv}}"
+			[ $(${NFT} list ${setmap} inet filter test |	\
+			   grep -c "${add_a} . ${add_b} . ${add_c}") -eq 1 ]
+
+			eval get_a=\$GET_${ta}
+			eval get_b=\$GET_${tb}
+			eval get_c=\$GET_${tc}
+			exp_a=${get_a##* }; get_a=${get_a%% *}
+			exp_b=${get_b##* }; get_b=${get_b%% *}
+			exp_c=${get_c##* }; get_c=${get_c%% *}
+			[ $(${NFT} get element inet filter test 	\
+			   "{ ${get_a} . ${get_b} . ${get_c}${mapv} }" |	\
+			   grep -c "${exp_a} . ${exp_b} . ${exp_c}") -eq 1 ]
+
+			${NFT} "delete element inet filter test \
+				{ ${a2} . ${b2} . ${c2}${mapv} };
+				delete element inet filter test \
+				{ ${a3} . ${b3} . ${c3}${mapv} }"
+			${NFT} "delete element inet filter test \
+				  { ${a2} . ${b2} . ${c2}${mapv} };
+				  delete element inet filter test \
+				  { ${a3} . ${b3} . ${c3} ${mapv} }" \
+				  2>/dev/null && exit 1
+
+			if [ ${timeout_tested} -eq 1 ]; then
+				${NFT} delete element inet filter test \
+					"{ ${add_a} . ${add_b} . ${add_c} ${mapv} }"
+				${NFT} delete element inet filter test \
+					"{ ${add_a} . ${add_b} . ${add_c} ${mapv} }" \
+					2>/dev/null && exit 1
+				continue
+			fi
+
+			${NFT} delete element inet filter test \
+				"{ ${add_a} . ${add_b} . ${add_c} ${mapv}}"
+			${NFT} add element inet filter test \
+				"{ ${add_a} . ${add_b} . ${add_c} timeout 1s${mapv}}"
+			sleep 1
+			[ $(${NFT} list ${setmap} inet filter test |		\
+			   grep -c "${add_a} . ${add_b} . ${add_c} ${mapv}") -eq 0 ]
+			timeout_tested=1
+		done
+	done
+done
+}
+
+run_test "set"
+run_test "map"
diff --git a/tests/shell/testcases/sets/0043concatenated_ranges_1 b/tests/shell/testcases/sets/0043concatenated_ranges_1
new file mode 100755
index 0000000..1be2889
--- /dev/null
+++ b/tests/shell/testcases/sets/0043concatenated_ranges_1
@@ -0,0 +1,23 @@
+#!/bin/bash -e
+#
+# 0043concatenated_ranges_1 - Insert and list subnets of different sizes
+
+check() {
+	$NFT add element "${1}" t s "{ ${2} . ${3} }"
+	[ "$( $NFT list set "${1}" t s | grep -c "${2} . ${3}" )" = 1 ]
+}
+
+$NFT add table ip6 t
+$NFT add table ip  t
+
+$NFT add set ip6 t s '{ type ipv6_addr . ipv6_addr ; flags interval ; }'
+$NFT add set ip  t s '{ type ipv4_addr . ipv4_addr ; flags interval ; }'
+
+for n in $(seq 32 127); do
+	h="$(printf %x "${n}")"
+	check ip6 "2001:db8::/${n}" "2001:db8:${h}::-2001:db8:${h}::${h}:1"
+done
+
+for n in $(seq 24 31); do
+	check ip  "192.0.2.0/${n}"  "192.0.2.$((n * 3))-192.0.2.$((n * 3 + 2))"
+done
diff --git a/tests/shell/testcases/sets/0044interval_overlap_0 b/tests/shell/testcases/sets/0044interval_overlap_0
new file mode 100755
index 0000000..71bf334
--- /dev/null
+++ b/tests/shell/testcases/sets/0044interval_overlap_0
@@ -0,0 +1,166 @@
+#!/bin/bash -e
+#
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
+#
+# 0044interval_overlap_0 - Add overlapping and non-overlapping intervals
+#
+# Check that adding overlapping intervals to a set returns an error, unless:
+# - the inserted element overlaps entirely, that is, it's identical to an
+#   existing one
+# - for concatenated ranges, the new element is less specific than any existing
+#   overlapping element, as elements are evaluated in order of insertion
+#
+# Then, repeat the test with a set configured with a timeout, checking that:
+# - we can insert all the elements as described above
+# - once the timeout has expired, we can insert all the elements again, and old
+#   elements are not present
+# - before the timeout expires again, we can re-add elements that are not
+#   expected to fail, but old elements might be present
+#
+# If $NFT points to a libtool wrapper, and we're running on a slow machine or
+# kernel (e.g. KASan enabled), it might not be possible to execute hundreds of
+# commands within an otherwise reasonable 1 second timeout. Estimate a usable
+# timeout first, by counting commands and measuring against one nft rule timeout
+# itself, so that we can keep this fast for a binary $NFT on a reasonably fast
+# kernel.
+
+#	Accept	Interval	List
+intervals_simple="
+	y	 0 -  2		0-2
+	y	 0 -  2		0-2
+	n	 0 -  1		0-2
+	n	 0 -  3		0-2
+	y	 3 - 10		0-2, 3-10
+	n	 3 -  9		0-2, 3-10
+	n	 4 - 10		0-2, 3-10
+	n	 4 -  9		0-2, 3-10
+	y	20 - 30		0-2, 3-10, 20-30
+	y	11 - 12		0-2, 3-10, 11-12, 20-30
+	y	13 - 19		0-2, 3-10, 11-12, 13-19, 20-30
+	n	25 - 40		0-2, 3-10, 11-12, 13-19, 20-30
+	y	50 - 60		0-2, 3-10, 11-12, 13-19, 20-30, 50-60
+	y	31 - 49		0-2, 3-10, 11-12, 13-19, 20-30, 31-49, 50-60
+	n	59 - 60		0-2, 3-10, 11-12, 13-19, 20-30, 31-49, 50-60
+"
+
+intervals_concat="
+	y	0-2 . 0-3	0-2 . 0-3
+	y	0-2 . 0-3	0-2 . 0-3
+	n	0-1 . 0-2	0-2 . 0-3
+	y	10-20 . 30-40	0-2 . 0-3, 10-20 . 30-40
+	y	15-20 . 50-60	0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60
+	y	3-9 . 4-29	0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60, 3-9 . 4-29
+	y	3-9 . 4-29	0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60, 3-9 . 4-29
+	n	11-19 . 30-40	0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60, 3-9 . 4-29
+	y	15-20 . 49-61	0-2 . 0-3, 10-20 . 30-40, 15-20 . 50-60, 3-9 . 4-29, 15-20 . 49-61
+"
+
+count_elements() {
+	pass=
+	interval=
+	elements=0
+	for t in ${intervals_simple} ${intervals_concat}; do
+		[ -z "${pass}" ]      && pass="${t}"     && continue
+		[ -z "${interval}" ]  && interval="${t}" && continue
+		unset IFS
+
+		elements=$((elements + 1))
+
+		IFS='	
+'
+	done
+	unset IFS
+}
+
+match_elements() {
+	skip=0
+	n=0
+	out=
+	for a in $($NFT list set t ${1})}; do
+		[ ${n} -eq 0 ] && { [ "${a}" = "elements" ] && n=1; continue; }
+		[ ${n} -eq 1 ] && { [ "${a}" = "=" ] 	    && n=2; continue; }
+		[ ${n} -eq 2 ] && { [ "${a}" = "{" ]	    && n=3; continue; }
+
+		[ "${a}" = "}" ]				 && break
+
+		[ ${skip} -eq 1 ] && skip=0 && out="${out},"	 && continue
+		[ "${a}" = "expires" ] && skip=1		 && continue
+
+		[ -n "${out}" ] && out="${out} ${a}" || out="${a}"
+
+	done
+
+	if [ "${out%,}" != "${2}" ]; then
+		echo "Expected: ${2}, got: ${out%,}"
+		return 1
+	fi
+}
+
+estimate_timeout() {
+	count_elements
+
+	$NFT add table t
+	$NFT add set t s '{ type inet_service ; flags timeout; timeout 1s; gc-interval 1s; }'
+	execs_1s=1
+	$NFT add element t s "{ 0 }"
+	while match_elements s "0" >/dev/null; do
+		execs_1s=$((execs_1s + 1))
+	done
+
+	timeout="$((elements / execs_1s * 3 / 2 + 1))"
+}
+
+add_elements() {
+	set="s"
+	pass=
+	interval=
+	IFS='	
+'
+	for t in ${intervals_simple} switch ${intervals_concat}; do
+		[ "${t}" = "switch" ] && set="c"         && continue
+		[ -z "${pass}" ]      && pass="${t}"     && continue
+		[ -z "${interval}" ]  && interval="${t}" && continue
+		unset IFS
+
+		if [ "${pass}" = "y" ]; then
+			if ! $NFT add element t ${set} "{ ${interval} }"; then
+				echo "Failed to insert ${interval} given:"
+				$NFT list ruleset
+				exit 1
+			fi
+		else
+			if $NFT add element t ${set} "{ ${interval} }" 2>/dev/null; then
+				echo "Could insert ${interval} given:"
+				$NFT list ruleset
+				exit 1
+			fi
+		fi
+
+		[ "${1}" != "nomatch" ] && match_elements "${set}" "${t}"
+
+		pass=
+		interval=
+		IFS='	
+'
+	done
+	unset IFS
+}
+
+$NFT add table t
+$NFT add set t s '{ type inet_service ; flags interval ; }'
+$NFT add set t c '{ type inet_service . inet_service ; flags interval ; }'
+add_elements
+
+$NFT flush ruleset
+estimate_timeout
+
+$NFT flush ruleset
+$NFT add table t
+$NFT add set t s "{ type inet_service ; flags interval,timeout; timeout ${timeout}s; gc-interval ${timeout}s; }"
+$NFT add set t c "{ type inet_service . inet_service ; flags interval,timeout ; timeout ${timeout}s; gc-interval ${timeout}s; }"
+add_elements
+
+sleep $((timeout * 3 / 2))
+add_elements
+
+add_elements nomatch
diff --git a/tests/shell/testcases/sets/0044interval_overlap_1 b/tests/shell/testcases/sets/0044interval_overlap_1
new file mode 100755
index 0000000..cdd0c84
--- /dev/null
+++ b/tests/shell/testcases/sets/0044interval_overlap_1
@@ -0,0 +1,38 @@
+#!/bin/bash -e
+#
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
+#
+# 0044interval_overlap_1 - Single-sized intervals can never overlap partially
+#
+# Check that inserting, deleting, and inserting single-sized intervals again
+# never leads to a partial overlap. Specifically trigger rbtree rebalancing in
+# the process, to ensure different tree shapes of equivalent sets don't lead to
+# false positives, by deleting every second inserted item.
+
+xorshift() {
+	# Adaptation of Xorshift algorithm from:
+	#   Marsaglia, G. (2003). Xorshift RNGs.
+	#   Journal of Statistical Software, 8(14), 1 - 6.
+	#   doi:http://dx.doi.org/10.18637/jss.v008.i14
+	# with triplet (5, 3, 1), suitable for 16-bit ranges.
+
+	: $((port ^= port << 5))
+	: $((port ^= port >> 3))
+	: $((port ^= port << 1))
+}
+
+$NFT add table t
+$NFT add set t s '{ type inet_service ; flags interval ; }'
+
+for op in add delete add; do
+	port=1
+	skip=0
+	for i in $(seq 1 500); do
+		xorshift
+		if [ "${op}" = "delete" ]; then
+			[ ${skip} -eq 0 ] && skip=1 && continue
+			skip=0
+		fi
+		$NFT ${op} element t s "{ { $((port % 32768 + 32768)) } }"
+	done
+done
diff --git a/tests/shell/testcases/sets/0045concat_ipv4_service b/tests/shell/testcases/sets/0045concat_ipv4_service
new file mode 100755
index 0000000..5b40f97
--- /dev/null
+++ b/tests/shell/testcases/sets/0045concat_ipv4_service
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+$NFT -f - <<EOF
+table inet t {
+	set s {
+		type ipv4_addr . inet_service
+		size 65536
+		flags dynamic,timeout
+		elements = { 192.168.7.1 . 22 }
+	}
+
+	chain c {
+		tcp dport 21 add @s { ip saddr . 22 timeout 60s }
+	}
+}
+EOF
diff --git a/tests/shell/testcases/sets/0046netmap_0 b/tests/shell/testcases/sets/0046netmap_0
new file mode 100755
index 0000000..60bda40
--- /dev/null
+++ b/tests/shell/testcases/sets/0046netmap_0
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+EXPECTED="table ip x {
+            chain y {
+                    type nat hook postrouting priority srcnat; policy accept;
+                    snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24,
+						     10.141.12.0/24 : 192.168.3.0/24,
+						     10.141.13.0/24 : 192.168.4.0/24 }
+            }
+     }
+     table ip6 x {
+            chain y {
+                    type nat hook postrouting priority srcnat; policy accept;
+                    snat ip6 prefix to ip6 saddr map { 2001:db8:1111::/64 : 2001:db8:2222::/64 }
+            }
+     }
+"
+
+set -e
+$NFT -f - <<< $EXPECTED
diff --git a/tests/shell/testcases/sets/0047nat_0 b/tests/shell/testcases/sets/0047nat_0
new file mode 100755
index 0000000..4e53b7b
--- /dev/null
+++ b/tests/shell/testcases/sets/0047nat_0
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+EXPECTED="table ip x {
+            map y {
+                    type ipv4_addr : interval ipv4_addr
+                    flags interval
+                    elements = { 10.141.10.0/24 : 192.168.2.2-192.168.2.4,
+				 10.141.11.0/24 : 192.168.4.2-192.168.4.3 }
+            }
+
+            chain x {
+                    type nat hook prerouting priority dstnat; policy accept;
+                    meta l4proto tcp dnat ip to iifname . ip saddr map { enp2s0 . 10.1.1.136 : 1.1.2.69 . 22, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 }
+                    dnat ip to iifname . ip saddr map { enp2s0 . 10.1.1.136 : 1.1.2.69, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 }
+            }
+
+            chain y {
+                    type nat hook postrouting priority srcnat; policy accept;
+                    snat to ip saddr map @y
+            }
+     }
+"
+
+set -e
+$NFT -f - <<< $EXPECTED
+$NFT add element x y { 10.141.12.0/24 : 192.168.5.10-192.168.5.20 }
+
+EXPECTED="table inet x {
+            chain x {
+                    type nat hook prerouting priority dstnat; policy accept;
+                    dnat to ip daddr . tcp dport map { 10.141.10.1 . 22 : 192.168.2.2, 10.141.11.2 . 2222 : 192.168.4.2 }
+            }
+
+            chain y {
+                    type nat hook postrouting priority srcnat; policy accept;
+                    snat to ip saddr map { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, 10.141.11.0/24 : 192.168.4.2-192.168.4.3 }
+            }
+}"
+
+$NFT -f - <<< $EXPECTED
diff --git a/tests/shell/testcases/sets/0048set_counters_0 b/tests/shell/testcases/sets/0048set_counters_0
new file mode 100755
index 0000000..e62d25d
--- /dev/null
+++ b/tests/shell/testcases/sets/0048set_counters_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table ip x {
+          set y {
+                  typeof ip saddr
+                  counter
+                  elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
+          }
+
+          chain z {
+                  type filter hook output priority filter; policy accept;
+                  ip daddr @y
+          }
+}"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/sets/0049set_define_0 b/tests/shell/testcases/sets/0049set_define_0
new file mode 100755
index 0000000..1d512f7
--- /dev/null
+++ b/tests/shell/testcases/sets/0049set_define_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443}
+define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {}
+
+table inet filter {
+	chain input {
+		type filter hook input priority 0; policy drop;
+		tcp dport {\$BASE_ALLOWED_INCOMING_TCP_PORTS, \$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept
+	}
+}
+"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/sets/0050set_define_1 b/tests/shell/testcases/sets/0050set_define_1
new file mode 100755
index 0000000..c12de17
--- /dev/null
+++ b/tests/shell/testcases/sets/0050set_define_1
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="define BASE_ALLOWED_INCOMING_TCP_PORTS = {}
+
+table inet filter {
+	chain input {
+		type filter hook input priority 0; policy drop;
+		tcp dport {\$BASE_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept
+	}
+}
+"
+
+$NFT -f - <<< "$EXPECTED" &> /dev/null || exit 0
+echo "E: Accepted empty set" 1>&2
+exit 1
diff --git a/tests/shell/testcases/sets/0051set_interval_counter_0 b/tests/shell/testcases/sets/0051set_interval_counter_0
new file mode 100755
index 0000000..ea90e26
--- /dev/null
+++ b/tests/shell/testcases/sets/0051set_interval_counter_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table ip x {
+	set s {
+		type ipv4_addr
+		flags interval
+		counter
+		elements = { 192.168.2.0/24 }
+	}
+
+	chain y {
+		type filter hook output priority filter; policy accept;
+		ip daddr @s
+	}
+}"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/sets/0052overlap_0 b/tests/shell/testcases/sets/0052overlap_0
new file mode 100755
index 0000000..c296094
--- /dev/null
+++ b/tests/shell/testcases/sets/0052overlap_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="add table ip filter
+add set ip filter w_all {type ipv4_addr; flags interval; auto-merge}
+add element ip filter w_all {10.10.10.10, 10.10.10.11}
+"
+
+$NFT -f - <<< "$EXPECTED"
+
+EXPECTED="flush set ip filter w_all
+add element ip filter w_all {10.10.10.10, 10.10.10.253}
+"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/sets/0053echo_0 b/tests/shell/testcases/sets/0053echo_0
new file mode 100755
index 0000000..6bb03c2
--- /dev/null
+++ b/tests/shell/testcases/sets/0053echo_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="add table inet filter
+delete table inet filter
+
+table inet filter {
+        chain input {
+                type filter hook input priority filter; policy drop;
+                iifname { lo } ip saddr { 10.0.0.0/8 } ip daddr { 192.168.100.62 } tcp dport { 2001 } counter accept
+        }
+}
+"
+
+$NFT -ef - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/sets/0054comments_set_0 b/tests/shell/testcases/sets/0054comments_set_0
new file mode 100755
index 0000000..9c8f787
--- /dev/null
+++ b/tests/shell/testcases/sets/0054comments_set_0
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+# Test that comments are added to sets
+
+$NFT add table t
+$NFT add set t s {type ipv4_addr \; flags interval \; comment "test" \;}
+$NFT add map t m {type ipv4_addr : ipv4_addr \; flags interval \; comment \"another test\" \;}
diff --git a/tests/shell/testcases/sets/0055tcpflags_0 b/tests/shell/testcases/sets/0055tcpflags_0
new file mode 100755
index 0000000..a2b24eb
--- /dev/null
+++ b/tests/shell/testcases/sets/0055tcpflags_0
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+EXPECTED="add table ip test
+
+add set ip test tcp_good_flags { type tcp_flag ; flags constant ; elements = {
+  ( 0 | 0 | 0 |ack| 0 | 0 ),  \
+  ( 0 | 0 | 0 |ack| 0 |urg),  \
+  ( 0 | 0 | 0 |ack|psh| 0 ),  \
+  ( 0 | 0 | 0 |ack|psh|urg),  \
+  ( 0 | 0 |rst| 0 | 0 | 0 ),  \
+  ( 0 | 0 |rst|ack| 0 | 0 ),  \
+  ( 0 | 0 |rst|ack| 0 |urg),  \
+  ( 0 | 0 |rst|ack|psh| 0 ),  \
+  ( 0 | 0 |rst|ack|psh|urg),  \
+  ( 0 |syn| 0 | 0 | 0 | 0 ),  \
+  ( 0 |syn| 0 |ack| 0 | 0 ),  \
+  ( 0 |syn| 0 |ack| 0 |urg),  \
+  ( 0 |syn| 0 |ack|psh| 0 ),  \
+  ( 0 |syn| 0 |ack|psh|urg),  \
+  (fin| 0 | 0 |ack| 0 | 0 ),  \
+  (fin| 0 | 0 |ack| 0 |urg),  \
+  (fin| 0 | 0 |ack|psh| 0 ),  \
+  (fin| 0 | 0 |ack|psh|urg)   \
+} ; }"
+
+set -e
+$NFT -f - <<< $EXPECTED
diff --git a/tests/shell/testcases/sets/0056dynamic_limit_0 b/tests/shell/testcases/sets/0056dynamic_limit_0
new file mode 100755
index 0000000..21fa0bf
--- /dev/null
+++ b/tests/shell/testcases/sets/0056dynamic_limit_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+RULESET="table inet filter {
+        set ssh_meter {
+                type ipv4_addr
+                size 65535
+                flags dynamic,timeout
+                timeout 1m
+                elements = { 127.0.0.1 expires 52s44ms limit rate over 1/minute }
+        }
+
+        chain output {
+                type filter hook output priority filter; policy accept;
+                ip protocol icmp add @ssh_meter { ip saddr timeout 1m limit rate over 1/minute }
+        }
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
diff --git a/tests/shell/testcases/sets/0057set_create_fails_0 b/tests/shell/testcases/sets/0057set_create_fails_0
new file mode 100755
index 0000000..5f0149a
--- /dev/null
+++ b/tests/shell/testcases/sets/0057set_create_fails_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+RULESET="table inet filter {
+        set test {
+                type ipv4_addr
+                size 65535
+		elements = { 1.1.1.1 }
+        }
+}"
+
+$NFT -f - <<< $RULESET
+
+CMD="create element inet filter test { 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5, 1.1.1.6, 1.1.1.7, 1.1.1.8, 1.1.1.9, 1.1.1.10, 1.1.1.11, 1.1.1.12, 1.1.1.13, 1.1.1.14, 1.1.1.15, 1.1.1.16, 1.1.1.17, 1.1.1.18, 1.1.1.19, 1.1.1.20, 1.1.1.21, 1.1.1.22, 1.1.1.23, 1.1.1.24, 1.1.1.25, 1.1.1.26, 1.1.1.27, 1.1.1.28, 1.1.1.29, 1.1.1.30, 1.1.1.31, 1.1.1.32, 1.1.1.33, 1.1.1.34, 1.1.1.35, 1.1.1.36, 1.1.1.37, 1.1.1.38, 1.1.1.39, 1.1.1.40, 1.1.1.41, 1.1.1.42, 1.1.1.43, 1.1.1.44, 1.1.1.45, 1.1.1.46, 1.1.1.47, 1.1.1.48, 1.1.1.49, 1.1.1.50, 1.1.1.51, 1.1.1.52, 1.1.1.53, 1.1.1.54, 1.1.1.55, 1.1.1.56, 1.1.1.57, 1.1.1.58, 1.1.1.59, 1.1.1.60, 1.1.1.61, 1.1.1.62, 1.1.1.63, 1.1.1.64, 1.1.1.65, 1.1.1.66, 1.1.1.67, 1.1.1.68, 1.1.1.69, 1.1.1.70, 1.1.1.71, 1.1.1.72, 1.1.1.73, 1.1.1.74, 1.1.1.75, 1.1.1.76, 1.1.1.77, 1.1.1.78, 1.1.1.79, 1.1.1.80, 1.1.1.81, 1.1.1.82, 1.1.1.83, 1.1.1.84, 1.1.1.85, 1.1.1.86, 1.1.1.87, 1.1.1.88, 1.1.1.89, 1.1.1.90, 1.1.1.91, 1.1.1.92, 1.1.1.93, 1.1.1.94, 1.1.1.95, 1.1.1.96, 1.1.1.97, 1.1.1.98, 1.1.1.99, 1.1.1.100, 1.1.1.101, 1.1.1.102, 1.1.1.103, 1.1.1.104, 1.1.1.105, 1.1.1.106, 1.1.1.107, 1.1.1.108, 1.1.1.109, 1.1.1.110, 1.1.1.111, 1.1.1.112, 1.1.1.113, 1.1.1.114, 1.1.1.115, 1.1.1.116, 1.1.1.117, 1.1.1.118, 1.1.1.119, 1.1.1.120, 1.1.1.121, 1.1.1.122, 1.1.1.123, 1.1.1.124, 1.1.1.125, 1.1.1.126, 1.1.1.127, 1.1.1.128, 1.1.1.129, 1.1.1.130, 1.1.1.131, 1.1.1.132, 1.1.1.133, 1.1.1.134, 1.1.1.135, 1.1.1.136, 1.1.1.137, 1.1.1.138, 1.1.1.139, 1.1.1.140, 1.1.1.141, 1.1.1.142, 1.1.1.143, 1.1.1.144, 1.1.1.145, 1.1.1.146, 1.1.1.147, 1.1.1.148, 1.1.1.149, 1.1.1.150, 1.1.1.151, 1.1.1.152, 1.1.1.153, 1.1.1.154, 1.1.1.155, 1.1.1.156, 1.1.1.157, 1.1.1.158, 1.1.1.159, 1.1.1.160, 1.1.1.161, 1.1.1.162, 1.1.1.163, 1.1.1.164, 1.1.1.165, 1.1.1.166, 1.1.1.167, 1.1.1.168, 1.1.1.169, 1.1.1.170, 1.1.1.171, 1.1.1.172, 1.1.1.173, 1.1.1.174, 1.1.1.175, 1.1.1.176, 1.1.1.177, 1.1.1.178, 1.1.1.179, 1.1.1.180, 1.1.1.181, 1.1.1.182, 1.1.1.183, 1.1.1.184, 1.1.1.185, 1.1.1.186, 1.1.1.187, 1.1.1.188, 1.1.1.189, 1.1.1.190, 1.1.1.191, 1.1.1.192, 1.1.1.193, 1.1.1.194, 1.1.1.195, 1.1.1.196, 1.1.1.197, 1.1.1.198, 1.1.1.199, 1.1.1.200, 1.1.1.201, 1.1.1.202, 1.1.1.203, 1.1.1.204, 1.1.1.205, 1.1.1.206, 1.1.1.207, 1.1.1.208, 1.1.1.209, 1.1.1.210, 1.1.1.211, 1.1.1.212, 1.1.1.213, 1.1.1.214, 1.1.1.215, 1.1.1.216, 1.1.1.217, 1.1.1.218, 1.1.1.219, 1.1.1.220, 1.1.1.221, 1.1.1.222, 1.1.1.223, 1.1.1.224, 1.1.1.225, 1.1.1.226, 1.1.1.227, 1.1.1.228, 1.1.1.229, 1.1.1.230, 1.1.1.231, 1.1.1.232, 1.1.1.233, 1.1.1.234, 1.1.1.235, 1.1.1.236, 1.1.1.237, 1.1.1.238, 1.1.1.239, 1.1.1.240, 1.1.1.241, 1.1.1.242, 1.1.1.243, 1.1.1.244, 1.1.1.245, 1.1.1.246, 1.1.1.247, 1.1.1.248, 1.1.1.249, 1.1.1.250, 1.1.1.251, 1.1.1.252, 1.1.1.253 }"
+
+# If this returns ENOSPC, then nft is sending a netlink message that is larger
+# than NFT_MNL_ACK_MAXSIZE. Make sure this returns EEXIST.
+$NFT -f - <<< $CMD 2>&1 >/dev/null | grep "File exists"
+[ "$?" -eq 0 ] && exit 0
diff --git a/tests/shell/testcases/sets/0058_setupdate_timeout_0 b/tests/shell/testcases/sets/0058_setupdate_timeout_0
new file mode 100755
index 0000000..52a658e
--- /dev/null
+++ b/tests/shell/testcases/sets/0058_setupdate_timeout_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+RULESET="table inet filter {
+	set ssh_meter {
+		type ipv4_addr
+		size 65535
+		flags dynamic,timeout
+		timeout 30d
+	}
+
+	chain test {
+		add @ssh_meter { ip saddr timeout 30d }
+	}
+}"
+
+set -e
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/0059set_update_multistmt_0 b/tests/shell/testcases/sets/0059set_update_multistmt_0
new file mode 100755
index 0000000..2aeba2c
--- /dev/null
+++ b/tests/shell/testcases/sets/0059set_update_multistmt_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions)
+
+RULESET="table x {
+	set y {
+		type ipv4_addr
+		size 65535
+		flags dynamic,timeout
+		timeout 1h
+	}
+	chain z {
+		type filter hook output priority 0;
+		update @y { ip daddr limit rate 1/second counter }
+	}
+}"
+
+set -e
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/0060set_multistmt_0 b/tests/shell/testcases/sets/0060set_multistmt_0
new file mode 100755
index 0000000..8e17444
--- /dev/null
+++ b/tests/shell/testcases/sets/0060set_multistmt_0
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions)
+
+RULESET="table x {
+	set y {
+		type ipv4_addr
+		limit rate 1/second counter
+		elements = { 5.5.5.5 limit rate 1/second counter packets 0 bytes 0 }
+	}
+	chain y {
+		type filter hook output priority filter; policy accept;
+		ip daddr @y
+	}
+}"
+
+$NFT -f - <<< $RULESET
+# should work
+if [ $? -ne 0 ]
+then
+	exit 1
+fi
+
+# should work
+$NFT add element x y { 1.1.1.1 limit rate 1/second counter }
+if [ $? -ne 0 ]
+then
+	exit 1
+fi
+
+# should fail
+$NFT add element x y { 2.2.2.2 limit rate 1/second }
+if [ $? -eq 0 ]
+then
+	exit 1
+fi
+
+# should fail
+$NFT add element x y { 3.3.3.3 counter limit rate 1/second }
+if [ $? -eq 0 ]
+then
+	exit 1
+fi
+
+# should work
+$NFT add element x y { 4.4.4.4 }
+if [ $? -ne 0 ]
+then
+	exit 1
+fi
+
+exit 0
diff --git a/tests/shell/testcases/sets/0060set_multistmt_1 b/tests/shell/testcases/sets/0060set_multistmt_1
new file mode 100755
index 0000000..04ef047
--- /dev/null
+++ b/tests/shell/testcases/sets/0060set_multistmt_1
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions)
+
+RULESET="table x {
+	set y {
+		type ipv4_addr
+		size 65535
+		flags dynamic
+		counter quota 500 bytes
+		elements = { 1.2.3.4 counter packets 9 bytes 756 quota 500 bytes used 500 bytes }
+	}
+	chain y {
+		type filter hook output priority filter; policy accept;
+		update @y { ip daddr }
+	}
+}"
+
+$NFT -f - <<< $RULESET
+# should work
+if [ $? -ne 0 ]
+then
+	exit 1
+fi
+
+# should work
+$NFT add element x y { 1.1.1.1 }
+if [ $? -ne 0 ]
+then
+	exit 1
+fi
+
+# should work
+$NFT add element x y { 2.2.2.2 counter quota 1000 bytes }
+if [ $? -ne 0 ]
+then
+	exit 1
+fi
+
+exit 0
diff --git a/tests/shell/testcases/sets/0061anonymous_automerge_0 b/tests/shell/testcases/sets/0061anonymous_automerge_0
new file mode 100755
index 0000000..2dfb800
--- /dev/null
+++ b/tests/shell/testcases/sets/0061anonymous_automerge_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+	chain y {
+		ip saddr { 1.1.1.1-1.1.1.2, 1.1.1.1 }
+	}
+}"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/0062set_connlimit_0 b/tests/shell/testcases/sets/0062set_connlimit_0
new file mode 100755
index 0000000..48d589f
--- /dev/null
+++ b/tests/shell/testcases/sets/0062set_connlimit_0
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+	set est-connlimit {
+		type ipv4_addr
+		size 65535
+		flags dynamic
+		elements = { 84.245.120.167 ct count over 20 }
+	}
+}"
+
+$NFT -f - <<< $RULESET
+
+RULESET="table ip x {
+	set new-connlimit {
+		type ipv4_addr
+		size 65535
+		flags dynamic
+		ct count over 20
+		elements = { 84.245.120.167 }
+	}
+}"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/0063set_catchall_0 b/tests/shell/testcases/sets/0063set_catchall_0
new file mode 100755
index 0000000..edd015d
--- /dev/null
+++ b/tests/shell/testcases/sets/0063set_catchall_0
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element)
+
+set -e
+
+RULESET="table ip x {
+	set y {
+		type ipv4_addr
+		counter
+		elements = { 1.1.1.1, * }
+	}
+	set z {
+		type ipv4_addr
+		flags interval
+		counter
+		elements = { 1.1.1.0/24 , * }
+	}
+}"
+
+$NFT -f - <<< $RULESET
+$NFT delete element x y { \* }
+$NFT add element x y { \* }
diff --git a/tests/shell/testcases/sets/0064map_catchall_0 b/tests/shell/testcases/sets/0064map_catchall_0
new file mode 100755
index 0000000..fd28937
--- /dev/null
+++ b/tests/shell/testcases/sets/0064map_catchall_0
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_catchall_element)
+
+set -e
+
+RULESET="table ip x {
+	map y {
+		type ipv4_addr : ipv4_addr
+		elements = { 10.141.0.1 : 192.168.0.2, * : 192.168.0.3 }
+	}
+	map z {
+		type ipv4_addr : ipv4_addr
+		flags interval
+		elements = { 10.141.0.0/24 : 192.168.0.2, * : 192.168.0.3 }
+	}
+}"
+
+$NFT -f - <<< $RULESET
+$NFT delete element x y { \* : 192.168.0.3 }
+$NFT add element x y { \* : 192.168.0.4 }
+
+$NFT add chain x y
+$NFT add rule x y snat to ip saddr map @z
+$NFT 'add rule x y snat to ip saddr map { 10.141.0.0/24 : 192.168.0.2, * : 192.168.0.3 }'
+$NFT 'add rule x y snat to ip saddr . ip daddr map { 10.141.0.0/24 . 10.0.0.0/8 : 192.168.0.2, 192.168.9.0/24 . 192.168.10.0/24 : 192.168.0.4, * : 192.168.0.3 }'
diff --git a/tests/shell/testcases/sets/0065_icmp_postprocessing b/tests/shell/testcases/sets/0065_icmp_postprocessing
new file mode 100755
index 0000000..f838c3e
--- /dev/null
+++ b/tests/shell/testcases/sets/0065_icmp_postprocessing
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+	chain foo {
+		icmp id 42
+	}
+}"
+
+$NFT -f - <<< $RULESET
+
+$NFT insert rule ip x foo index 0 accept
diff --git a/tests/shell/testcases/sets/0067nat_concat_interval_0 b/tests/shell/testcases/sets/0067nat_concat_interval_0
new file mode 100755
index 0000000..55cc0d4
--- /dev/null
+++ b/tests/shell/testcases/sets/0067nat_concat_interval_0
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table ip nat {
+       map ipportmap {
+                type ipv4_addr : interval ipv4_addr . inet_service
+                flags interval
+                elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999 }
+       }
+       chain prerouting {
+                type nat hook prerouting priority dstnat; policy accept;
+                ip protocol tcp dnat ip to ip saddr map @ipportmap
+       }
+}"
+
+$NFT -f - <<< $EXPECTED
+$NFT add element ip nat ipportmap { 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 }
+
+EXPECTED="table ip nat {
+        map ipportmap2 {
+                type ipv4_addr . ipv4_addr : interval ipv4_addr . inet_service
+                flags interval
+                elements = { 192.168.1.2 . 192.168.2.2 : 127.0.0.1/8  . 42 - 43 }
+        }
+
+        chain prerouting {
+                type nat hook prerouting priority dstnat; policy accept;
+                ip protocol tcp dnat ip to ip saddr . ip daddr map @ipportmap2
+        }
+}"
+
+$NFT -f - <<< $EXPECTED
+
+EXPECTED="table ip nat {
+	map fwdtoip_th {
+		type ipv4_addr . inet_service : interval ipv4_addr . inet_service
+		flags interval
+		elements = { 1.2.3.4 . 10000-20000 : 192.168.3.4 . 30000-40000 }
+	}
+}"
+
+$NFT -f - <<< $EXPECTED
+$NFT add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip daddr . th dport map @fwdtoip_th
+
+EXPECTED="table ip nat {
+        map ipportmap4 {
+		typeof iifname . ip saddr : interval ip daddr
+		flags interval
+		elements = { enp2s0 . 10.1.1.136 : 1.1.2.69, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 }
+	}
+	chain prerouting {
+		type nat hook prerouting priority dstnat; policy accept;
+		dnat to iifname . ip saddr map @ipportmap4
+	}
+}"
+
+$NFT -f - <<< $EXPECTED
+EXPECTED="table ip nat {
+        map ipportmap5 {
+		typeof iifname . ip saddr : interval ip daddr . tcp dport
+		flags interval
+		elements = { enp2s0 . 10.1.1.136 : 1.1.2.69 . 22, enp2s0 . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 }
+	}
+	chain prerouting {
+		type nat hook prerouting priority dstnat; policy accept;
+		meta l4proto tcp dnat ip to iifname . ip saddr map @ipportmap5
+	}
+}"
+
+$NFT -f - <<< $EXPECTED
diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
new file mode 100755
index 0000000..e61010c
--- /dev/null
+++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+set -e
+
+ruleset_file=$(mktemp)
+
+trap 'rm -f "$ruleset_file"' EXIT
+
+HOWMANY=255
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+	# The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+	# the test.
+	#
+	# Run only a subset of the test and mark as skipped at the end.
+	HOWMANY=30
+fi
+
+{
+	echo 'define big_set = {'
+	for ((i = 1; i < $HOWMANY; i++)); do
+		for ((j = 1; j < 255; j++)); do
+			echo "10.0.$i.$j,"
+		done
+	done
+	echo '10.1.0.0/24 }'
+} >"$ruleset_file"
+
+cat >>"$ruleset_file" <<\EOF
+table inet test68_table {
+	set test68_set {
+		type ipv4_addr
+		flags interval
+		elements = { $big_set }
+	}
+}
+EOF
+
+( ulimit -s 400 && $NFT -f "$ruleset_file" )
+
+if [ "$HOWMANY" != 255 ] ; then
+	echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+	echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+	echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+	exit 77
+fi
diff --git a/tests/shell/testcases/sets/0069interval_merge_0 b/tests/shell/testcases/sets/0069interval_merge_0
new file mode 100755
index 0000000..edb6422
--- /dev/null
+++ b/tests/shell/testcases/sets/0069interval_merge_0
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+        set y {
+                type ipv4_addr
+                flags interval
+                auto-merge
+                elements = { 1.2.3.0, 1.2.3.255, 1.2.3.0/24, 3.3.3.3, 4.4.4.4, 4.4.4.4-4.4.4.8, 3.3.3.4, 3.3.3.5 }
+        }
+}"
+
+$NFT -f - <<< $RULESET
+
+RULESET="table ip x {
+        set y {
+                type ipv4_addr
+                flags interval
+                auto-merge
+                elements = { 1.2.4.0, 3.3.3.6, 4.4.4.0/24 }
+        }
+}"
+
+$NFT -f - <<< $RULESET
+
+$NFT add element ip x y { 1.2.3.0-1.2.4.255, 3.3.3.5, 4.4.4.1 }
+$NFT add element ip x y { 1.2.3.0-1.2.4.255, 3.3.3.5, 4.4.5.0 }
diff --git a/tests/shell/testcases/sets/0070stacked_l2_headers b/tests/shell/testcases/sets/0070stacked_l2_headers
new file mode 100755
index 0000000..07820b7
--- /dev/null
+++ b/tests/shell/testcases/sets/0070stacked_l2_headers
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"
diff --git a/tests/shell/testcases/sets/0071unclosed_prefix_interval_0 b/tests/shell/testcases/sets/0071unclosed_prefix_interval_0
new file mode 100755
index 0000000..79e3ca7
--- /dev/null
+++ b/tests/shell/testcases/sets/0071unclosed_prefix_interval_0
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e
+
+RULESET="
+table inet t {
+	set s1 {
+		type ipv4_addr
+		flags interval
+		elements = { 192.0.0.0/2, 10.0.0.0/8 }
+	}
+	set s2 {
+		type ipv6_addr
+		flags interval
+		elements = { ff00::/8, fe80::/10 }
+	}
+	chain c {
+		ip saddr @s1 accept
+		ip6 daddr @s2 accept
+	}
+}"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/sets/0072destroy_0 b/tests/shell/testcases/sets/0072destroy_0
new file mode 100755
index 0000000..9886a9b
--- /dev/null
+++ b/tests/shell/testcases/sets/0072destroy_0
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)
+
+$NFT add table x
+
+# pass for non-existent set
+$NFT destroy set x s
+
+# successfully delete existing set
+$NFT add set x s '{type ipv4_addr; size 2;}'
+$NFT destroy set x s
diff --git a/tests/shell/testcases/sets/0073flat_interval_set b/tests/shell/testcases/sets/0073flat_interval_set
new file mode 100755
index 0000000..0630595
--- /dev/null
+++ b/tests/shell/testcases/sets/0073flat_interval_set
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="flush ruleset
+add table inet filter
+add map inet filter testmap { type ipv4_addr : counter; flags interval;}
+add counter inet filter TEST
+add element inet filter testmap { 192.168.0.0/24 : \"TEST\" }"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/sets/0074nested_interval_set b/tests/shell/testcases/sets/0074nested_interval_set
new file mode 100755
index 0000000..e7f65fc
--- /dev/null
+++ b/tests/shell/testcases/sets/0074nested_interval_set
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+$NFT -f "$dumpfile"
diff --git a/tests/shell/testcases/sets/automerge_0 b/tests/shell/testcases/sets/automerge_0
new file mode 100755
index 0000000..1dbac0b
--- /dev/null
+++ b/tests/shell/testcases/sets/automerge_0
@@ -0,0 +1,131 @@
+#!/bin/bash
+
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
+
+set -e
+
+RULESET="table inet x {
+	set y {
+		type inet_service
+		flags interval
+		auto-merge
+	}
+}"
+
+HOWMANY=65535
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+	# The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+	# the test.
+	#
+	# Run only a subset of the test and mark as skipped at the end.
+	HOWMANY=5000
+fi
+
+$NFT -f - <<< $RULESET
+
+tmpfile=$(mktemp)
+echo -n "add element inet x y { " > $tmpfile
+for ((i=0;i<$HOWMANY;i+=2))
+do
+	echo -n "$i, " >> $tmpfile
+	if [ $i -eq $((HOWMANY-1)) ]
+	then
+		echo -n "$i" >> $tmpfile
+	fi
+done
+echo "}" >> $tmpfile
+
+$NFT -f $tmpfile
+
+tmpfile2=$(mktemp)
+for ((i=1;i<$HOWMANY;i+=2))
+do
+	echo "$i" >> $tmpfile2
+done
+
+tmpfile3=$(mktemp)
+shuf "$tmpfile2" --random-source=<("$NFT_TEST_BASEDIR/helpers/random-source.sh" "automerge-shuf-tmpfile2" "$NFT_TEST_RANDOM_SEED") > "$tmpfile3"
+i=0
+cat $tmpfile3 | while read line && [ $i -lt 10 ]
+do
+	$NFT add element inet x y { $line }
+	if [ $? -ne 0 ]
+	then
+		echo "failed to add $line"
+		exit 1
+	fi
+	i=$((i+1))
+done
+
+for ((i=0;i<10;i++))
+do
+	from=$(($RANDOM%$HOWMANY))
+	to=$(($from+100))
+	$NFT add element inet x y { $from-$to }
+	if [ $? -ne 0 ]
+	then
+		echo "failed to add $from-$to"
+		exit 1
+	fi
+
+	$NFT get element inet x y { $from-$to } 1>/dev/null
+	if [ $? -ne 0 ]
+	then
+		echo "failed to get $from-$to"
+		exit 1
+	fi
+
+	# partial removals in the previous random range
+	from2=$(($from+10))
+	to2=$(($to-10))
+	$NFT delete element inet x y { $from, $to, $from2-$to2 }
+	if [ $? -ne 0 ]
+	then
+		echo "failed to delete $from, $to, $from2-$to2"
+		exit 1
+	fi
+
+	# check deletions are correct
+	from=$(($from+1))
+	$NFT get element inet x y { $from } 1>/dev/null
+	if [ $? -ne 0 ]
+	then
+		echo "failed to get $from"
+		exit 1
+	fi
+
+	to=$(($to-1))
+	$NFT get element inet x y { $to } 1>/dev/null
+	if [ $? -ne 0 ]
+	then
+		echo "failed to get $to"
+		exit 1
+	fi
+
+	from2=$(($from2-1))
+	$NFT get element inet x y { $from2 } 1>/dev/null
+	if [ $? -ne 0 ]
+	then
+		echo "failed to get $from2"
+		exit 1
+	fi
+	to2=$(($to2+1))
+
+	$NFT get element inet x y { $to2 } 1>/dev/null
+	if [ $? -ne 0 ]
+	then
+		echo "failed to get $to2"
+		exit 1
+	fi
+done
+
+rm -f $tmpfile
+rm -f $tmpfile2
+rm -f $tmpfile3
+
+if [ "$HOWMANY" != 65535 ] ; then
+	echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+	echo "/proc/sys/net/core/wmem_max is too small for this test. Mark as SKIPPED"
+	echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+	exit 77
+fi
diff --git a/tests/shell/testcases/sets/collapse_elem_0 b/tests/shell/testcases/sets/collapse_elem_0
new file mode 100755
index 0000000..7699e9d
--- /dev/null
+++ b/tests/shell/testcases/sets/collapse_elem_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip a {
+	set x {
+		type inet_service;
+	}
+}
+table ip6 a {
+	set x {
+		type inet_service;
+	}
+}
+add element ip a x { 1 }
+add element ip a x { 2 }
+add element ip6 a x { 2 }"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/concat_interval_0 b/tests/shell/testcases/sets/concat_interval_0
new file mode 100755
index 0000000..4d90af9
--- /dev/null
+++ b/tests/shell/testcases/sets/concat_interval_0
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip t {
+	set s {
+		type ipv4_addr . inet_proto . inet_service
+		flags interval
+		counter
+		elements = { 1.0.0.1 . udp . 53 }
+	}
+	set s2 {
+		type ipv4_addr . mark
+		flags interval
+		elements = { 10.10.10.10 . 0x00000100,
+			     20.20.20.20 . 0x00000200 }
+	}
+}"
+
+$NFT -f - <<< $RULESET
+
+$NFT delete element t s { 1.0.0.1 . udp . 53}
+
+exit 0
diff --git a/tests/shell/testcases/sets/dumps/0001named_interval_0.nft b/tests/shell/testcases/sets/dumps/0001named_interval_0.nft
new file mode 100644
index 0000000..3049aa8
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0001named_interval_0.nft
@@ -0,0 +1,34 @@
+table inet t {
+	set s1 {
+		type ipv4_addr
+		flags interval
+		elements = { 10.0.0.0-11.0.0.0, 172.16.0.0/16 }
+	}
+
+	set s2 {
+		type ipv6_addr
+		flags interval
+		elements = { fe00::/64,
+			     fe11::-fe22:: }
+	}
+
+	set s3 {
+		type inet_proto
+		flags interval
+		elements = { 10-20, 50-60 }
+	}
+
+	set s4 {
+		type inet_service
+		flags interval
+		elements = { 0-1024, 8080-8082, 10000-40000 }
+	}
+
+	chain c {
+		ip saddr @s1 accept
+		ip6 daddr @s2 accept
+		ip protocol @s3 accept
+		ip6 nexthdr @s3 accept
+		tcp dport @s4 accept
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.nft b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.nft
new file mode 100644
index 0000000..452ee23
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0002named_interval_automerging_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+	set s {
+		type ipv4_addr
+		flags interval
+		elements = { 192.168.0.0/24, 192.168.1.0/24 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.nft b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.nft
new file mode 100644
index 0000000..70c32a8
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0003named_interval_missing_flag_0.nft
@@ -0,0 +1,5 @@
+table ip t {
+	set s {
+		type ipv4_addr
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.nft b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.nft
new file mode 100644
index 0000000..940030a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0004named_interval_shadow_0.nft
@@ -0,0 +1,7 @@
+table inet t {
+	set s {
+		type ipv6_addr
+		flags interval
+		elements = { fe00::/64 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.nft b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.nft
new file mode 100644
index 0000000..4224d9d
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0005named_interval_shadow_0.nft
@@ -0,0 +1,7 @@
+table inet t {
+	set s {
+		type ipv6_addr
+		flags interval
+		elements = { fe00::/48 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0006create_set_0.nft b/tests/shell/testcases/sets/dumps/0006create_set_0.nft
new file mode 100644
index 0000000..70c32a8
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0006create_set_0.nft
@@ -0,0 +1,5 @@
+table ip t {
+	set s {
+		type ipv4_addr
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0007create_element_0.nft b/tests/shell/testcases/sets/dumps/0007create_element_0.nft
new file mode 100644
index 0000000..169be11
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0007create_element_0.nft
@@ -0,0 +1,6 @@
+table ip t {
+	set s {
+		type ipv4_addr
+		elements = { 1.1.1.1 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0008comments_interval_0.nft b/tests/shell/testcases/sets/dumps/0008comments_interval_0.nft
new file mode 100644
index 0000000..5e7a768
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0008comments_interval_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+	set s {
+		type ipv4_addr
+		flags interval
+		elements = { 1.1.1.1 comment "test" }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.nft b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.nft
new file mode 100644
index 0000000..ab0fe80
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0008create_verdict_map_0.nft
@@ -0,0 +1,13 @@
+table ip t {
+	map sourcemap {
+		type ipv4_addr : verdict
+		elements = { 100.123.10.2 : jump c }
+	}
+
+	chain postrouting {
+		ip saddr vmap @sourcemap accept
+	}
+
+	chain c {
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0009comments_timeout_0.nft b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.nft
new file mode 100644
index 0000000..455ebe3
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0009comments_timeout_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+	set s {
+		type ipv4_addr
+		flags timeout
+		elements = { 1.1.1.1 comment "test" }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0010comments_0.nft b/tests/shell/testcases/sets/dumps/0010comments_0.nft
new file mode 100644
index 0000000..6e42ec4
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0010comments_0.nft
@@ -0,0 +1,6 @@
+table inet t {
+	set s {
+		type ipv6_addr
+		elements = { ::1 comment "test" }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump b/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0011add_many_elements_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.nft b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.nft
new file mode 100644
index 0000000..e3d4aee
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0012add_delete_many_elements_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+	set y {
+		type ipv4_addr
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.nft b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.nft
new file mode 100644
index 0000000..e3d4aee
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0013add_delete_many_elements_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+	set y {
+		type ipv4_addr
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0014malformed_set_is_not_defined_0.nft
diff --git a/tests/shell/testcases/sets/dumps/0015rulesetflush_0.nft b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.nft
new file mode 100644
index 0000000..f6eddbf
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0015rulesetflush_0.nft
@@ -0,0 +1,11 @@
+table ip t {
+	chain c {
+	}
+}
+table inet filter {
+	set blacklist_v4 {
+		type ipv4_addr
+		flags interval
+		elements = { 192.168.0.0/24 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0016element_leak_0.nft b/tests/shell/testcases/sets/dumps/0016element_leak_0.nft
new file mode 100644
index 0000000..9d2b0af
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0016element_leak_0.nft
@@ -0,0 +1,7 @@
+table ip x {
+	set s {
+		type ipv4_addr
+		size 2
+		elements = { 1.1.1.1 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0017add_after_flush_0.nft b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.nft
new file mode 100644
index 0000000..9d2b0af
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0017add_after_flush_0.nft
@@ -0,0 +1,7 @@
+table ip x {
+	set s {
+		type ipv4_addr
+		size 2
+		elements = { 1.1.1.1 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft b/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft
new file mode 100644
index 0000000..8cd3707
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0018set_check_size_1.nft
@@ -0,0 +1,7 @@
+table ip x {
+	set s {
+		type ipv4_addr
+		size 2
+		elements = { 1.1.1.1, 1.1.1.2 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0019set_check_size_0.nft b/tests/shell/testcases/sets/dumps/0019set_check_size_0.nft
new file mode 100644
index 0000000..8cd3707
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0019set_check_size_0.nft
@@ -0,0 +1,7 @@
+table ip x {
+	set s {
+		type ipv4_addr
+		size 2
+		elements = { 1.1.1.1, 1.1.1.2 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0020comments_0.nft b/tests/shell/testcases/sets/dumps/0020comments_0.nft
new file mode 100644
index 0000000..8b7d60a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0020comments_0.nft
@@ -0,0 +1,6 @@
+table inet t {
+	set s {
+		type inet_service
+		elements = { 22 comment "test" }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0021nesting_0.nft b/tests/shell/testcases/sets/dumps/0021nesting_0.nft
new file mode 100644
index 0000000..6fd2a44
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0021nesting_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+	chain y {
+		ip saddr { 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft
new file mode 100644
index 0000000..0a4cb0a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft
@@ -0,0 +1,13 @@
+table ip t {
+	set s {
+		type ipv4_addr
+	}
+
+	map m {
+		type ipv4_addr : inet_service
+	}
+
+	chain c {
+		tcp dport 80 meter f size 1024 { ip saddr limit rate 10/second burst 5 packets }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.nft b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.nft
new file mode 100644
index 0000000..985768b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0023incomplete_add_set_command_0.nft
@@ -0,0 +1,2 @@
+table ip t {
+}
diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
new file mode 100644
index 0000000..52d1bf6
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
@@ -0,0 +1,50 @@
+table inet x {
+	counter user123 {
+		packets 12 bytes 1433
+	}
+
+	counter user321 {
+		packets 0 bytes 0
+	}
+
+	quota user123 {
+		over 2000 bytes
+	}
+
+	quota user124 {
+		over 2000 bytes
+	}
+
+	synproxy https-synproxy {
+		mss 1460
+		wscale 7
+		timestamp sack-perm
+	}
+
+	synproxy other-synproxy {
+		mss 1460
+		wscale 5
+	}
+
+	set y {
+		type ipv4_addr
+	}
+
+	map test {
+		type ipv4_addr : quota
+		elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124" }
+	}
+
+	map test2 {
+		type ipv4_addr : synproxy
+		flags interval
+		elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+	}
+
+	chain y {
+		type filter hook input priority filter; policy accept;
+		counter name ip saddr map { 1.1.1.1 : "user123", 2.2.2.2 : "user123", 192.168.2.2 : "user123" }
+		synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+		quota name ip saddr map @test drop
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft
new file mode 100644
index 0000000..5963699
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+	chain c {
+		type filter hook output priority filter; policy accept;
+		ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 }
+		oifname "doesntexist" tcp dport { 22, 23 } counter packets 0 bytes 0
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0026named_limit_0.nft b/tests/shell/testcases/sets/dumps/0026named_limit_0.nft
new file mode 100644
index 0000000..e4daa28
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0026named_limit_0.nft
@@ -0,0 +1,10 @@
+table ip filter {
+	limit http-traffic {
+		rate 1/second
+	}
+
+	chain input {
+		type filter hook input priority filter; policy accept;
+		limit name tcp dport map { 80 : "http-traffic", 443 : "http-traffic" }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft
new file mode 100644
index 0000000..c49eefa
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0027ipv6_maps_ipv4_0.nft
@@ -0,0 +1,7 @@
+table inet t {
+	set s {
+		type ipv6_addr
+		flags interval
+		elements = { ::ffff:0.0.0.0/96 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0028autoselect_0.nft b/tests/shell/testcases/sets/dumps/0028autoselect_0.nft
new file mode 100644
index 0000000..0c60492
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0028autoselect_0.nft
@@ -0,0 +1,26 @@
+table ip t {
+	set s1 {
+		type inet_proto
+		size 65535
+		flags dynamic
+	}
+
+	set s2 {
+		type ipv4_addr
+		size 65535
+		flags dynamic
+	}
+
+	set s3 {
+		type ipv4_addr
+		size 1024
+		flags dynamic
+	}
+
+	chain c {
+		type filter hook input priority filter; policy accept;
+		iifname "foobar" add @s1 { ip protocol }
+		iifname "foobar" add @s2 { ip daddr }
+		iifname "foobar" add @s3 { ip daddr }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft b/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft
new file mode 100644
index 0000000..0f25c76
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0028delete_handle_0.nft
@@ -0,0 +1,15 @@
+table ip test-ip {
+	set x {
+		type ipv4_addr
+	}
+
+	set y {
+		type inet_service
+		timeout 3h45s
+	}
+
+	set z {
+		type ipv4_addr
+		flags constant,interval
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft b/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft
new file mode 100644
index 0000000..55cd4f2
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0029named_ifname_dtype_0.nft
@@ -0,0 +1,57 @@
+table inet t {
+	set s {
+		type ifname
+		elements = { "eth0",
+			     "eth1",
+			     "eth2",
+			     "eth3",
+			     "veth1" }
+	}
+
+	set sc {
+		type inet_service . ifname
+		elements = { 22 . "eth0",
+			     80 . "eth0",
+			     81 . "eth0",
+			     80 . "eth1" }
+	}
+
+	set nv {
+		type ifname . mark
+		elements = { "eth0" . 0x00000001,
+			     "eth0" . 0x00000002 }
+	}
+
+	set z {
+		typeof ct zone
+		elements = { 1, 2, 3, 4, 5,
+			     6 }
+	}
+
+	set m {
+		typeof meta mark
+		elements = { 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005,
+			     0x00000006 }
+	}
+
+	map cz {
+		typeof iifname : ct zone
+		elements = { "eth0" : 1,
+			     "eth1" : 2,
+			     "veth4" : 1 }
+	}
+
+	map cm {
+		typeof iifname : ct mark
+		elements = { "eth0" : 0x00000001,
+			     "eth1" : 0x00000002,
+			     "veth4" : 0x00000001 }
+	}
+
+	chain c {
+		iifname @s accept
+		oifname @s accept
+		tcp dport . iifname @sc accept
+		iifname . meta mark @nv accept
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump b/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0030add_many_elements_interval_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump b/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0031set_timeout_size_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.nft b/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.nft
new file mode 100644
index 0000000..86c5549
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.nft
@@ -0,0 +1,11 @@
+table ip filter {
+	set setA {
+		type ipv4_addr . inet_service . ipv4_addr
+		flags timeout
+	}
+
+	set setB {
+		type ipv4_addr . inet_service
+		flags timeout
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft
new file mode 100644
index 0000000..d6174c5
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0033add_set_simple_flat_0.nft
@@ -0,0 +1,11 @@
+table ip x {
+	set setA {
+		type ipv4_addr . inet_service . ipv4_addr
+		flags timeout
+	}
+
+	set setB {
+		type ipv4_addr . inet_service
+		flags timeout
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0034get_element_0.nft b/tests/shell/testcases/sets/dumps/0034get_element_0.nft
new file mode 100644
index 0000000..1c1dd97
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0034get_element_0.nft
@@ -0,0 +1,23 @@
+table ip t {
+	set s {
+		type inet_service
+		flags interval
+		elements = { 10, 20-30, 40, 50-60 }
+	}
+
+	set ips {
+		type ipv4_addr
+		flags interval
+		elements = { 10.0.0.1, 10.0.0.5-10.0.0.8,
+			     10.0.0.128/25, 10.0.1.0/24,
+			     10.0.2.3-10.0.2.12 }
+	}
+
+	set cs {
+		type ipv4_addr . inet_service
+		flags interval
+		elements = { 10.0.0.1 . 22,
+			     10.1.0.0/16 . 1-1024,
+			     10.2.0.1-10.2.0.8 . 1024-65535 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft
new file mode 100644
index 0000000..ca69cee
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0035add_set_elements_flat_0.nft
@@ -0,0 +1,6 @@
+table ip x {
+	set y {
+		type ipv4_addr
+		flags interval
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump b/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0036add_set_element_expiration_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.nft b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.nft
new file mode 100644
index 0000000..68b1f7b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0037_set_with_inet_service_0.nft
@@ -0,0 +1,16 @@
+table inet filter {
+	set myset {
+		type ipv4_addr . inet_proto . inet_service
+		elements = { 192.168.0.113 . tcp . 22,
+			     192.168.0.12 . tcp . 53,
+			     192.168.0.12 . udp . 53,
+			     192.168.0.12 . tcp . 80,
+			     192.168.0.13 . tcp . 80 }
+	}
+
+	chain forward {
+		type filter hook forward priority filter; policy drop;
+		ct state established,related accept
+		ct state new ip daddr . ip protocol . th dport @myset accept
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0038meter_list_0.nft b/tests/shell/testcases/sets/dumps/0038meter_list_0.nft
new file mode 100644
index 0000000..f274086
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0038meter_list_0.nft
@@ -0,0 +1,11 @@
+table ip t {
+	set s {
+		type ipv4_addr
+		size 256
+		flags dynamic,timeout
+	}
+
+	chain c {
+		tcp dport 80 meter m size 128 { ip saddr limit rate 10/second burst 5 packets }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft b/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft
new file mode 100644
index 0000000..1fc7657
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0039delete_interval_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+	set s {
+		type ipv4_addr
+		flags interval
+		elements = { 192.168.1.0-192.168.1.254, 192.168.1.255 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft
new file mode 100644
index 0000000..f580c38
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0040get_host_endian_elements_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+	set s {
+		type mark
+		flags interval
+		elements = { 0x00000023-0x00000042, 0x00001337 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0041interval_0.nft b/tests/shell/testcases/sets/dumps/0041interval_0.nft
new file mode 100644
index 0000000..222d4d7
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0041interval_0.nft
@@ -0,0 +1,7 @@
+table ip t {
+	set s {
+		type ipv4_addr
+		flags interval
+		elements = { 192.168.2.196 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0042update_set_0.nft b/tests/shell/testcases/sets/dumps/0042update_set_0.nft
new file mode 100644
index 0000000..56cc875
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0042update_set_0.nft
@@ -0,0 +1,15 @@
+table ip t {
+	set set1 {
+		type ether_addr
+	}
+
+	set set2 {
+		type ether_addr
+		size 65535
+		flags dynamic
+	}
+
+	chain c {
+		ether daddr @set1 add @set2 { ether daddr counter }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft
new file mode 100644
index 0000000..f2077b9
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_0.nft
@@ -0,0 +1,11 @@
+table inet filter {
+	map test {
+		type mark . inet_service . inet_proto : mark
+		flags interval,timeout
+	}
+
+	chain output {
+		type filter hook output priority filter; policy accept;
+		meta mark set meta mark . tcp dport . meta l4proto map @test counter packets 0 bytes 0
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft
new file mode 100644
index 0000000..19d08d3
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0043concatenated_ranges_1.nft
@@ -0,0 +1,116 @@
+table ip6 t {
+	set s {
+		type ipv6_addr . ipv6_addr
+		flags interval
+		elements = { 2001:db8::/32 . 2001:db8:20::-2001:db8:20::20:1,
+			     2001:db8::/33 . 2001:db8:21::-2001:db8:21::21:1,
+			     2001:db8::/34 . 2001:db8:22::-2001:db8:22::22:1,
+			     2001:db8::/35 . 2001:db8:23::-2001:db8:23::23:1,
+			     2001:db8::/36 . 2001:db8:24::-2001:db8:24::24:1,
+			     2001:db8::/37 . 2001:db8:25::-2001:db8:25::25:1,
+			     2001:db8::/38 . 2001:db8:26::-2001:db8:26::26:1,
+			     2001:db8::/39 . 2001:db8:27::-2001:db8:27::27:1,
+			     2001:db8::/40 . 2001:db8:28::-2001:db8:28::28:1,
+			     2001:db8::/41 . 2001:db8:29::-2001:db8:29::29:1,
+			     2001:db8::/42 . 2001:db8:2a::-2001:db8:2a::2a:1,
+			     2001:db8::/43 . 2001:db8:2b::-2001:db8:2b::2b:1,
+			     2001:db8::/44 . 2001:db8:2c::-2001:db8:2c::2c:1,
+			     2001:db8::/45 . 2001:db8:2d::-2001:db8:2d::2d:1,
+			     2001:db8::/46 . 2001:db8:2e::-2001:db8:2e::2e:1,
+			     2001:db8::/47 . 2001:db8:2f::-2001:db8:2f::2f:1,
+			     2001:db8::/48 . 2001:db8:30::-2001:db8:30::30:1,
+			     2001:db8::/49 . 2001:db8:31::-2001:db8:31::31:1,
+			     2001:db8::/50 . 2001:db8:32::-2001:db8:32::32:1,
+			     2001:db8::/51 . 2001:db8:33::-2001:db8:33::33:1,
+			     2001:db8::/52 . 2001:db8:34::-2001:db8:34::34:1,
+			     2001:db8::/53 . 2001:db8:35::-2001:db8:35::35:1,
+			     2001:db8::/54 . 2001:db8:36::-2001:db8:36::36:1,
+			     2001:db8::/55 . 2001:db8:37::-2001:db8:37::37:1,
+			     2001:db8::/56 . 2001:db8:38::-2001:db8:38::38:1,
+			     2001:db8::/57 . 2001:db8:39::-2001:db8:39::39:1,
+			     2001:db8::/58 . 2001:db8:3a::-2001:db8:3a::3a:1,
+			     2001:db8::/59 . 2001:db8:3b::-2001:db8:3b::3b:1,
+			     2001:db8::/60 . 2001:db8:3c::-2001:db8:3c::3c:1,
+			     2001:db8::/61 . 2001:db8:3d::-2001:db8:3d::3d:1,
+			     2001:db8::/62 . 2001:db8:3e::-2001:db8:3e::3e:1,
+			     2001:db8::/63 . 2001:db8:3f::-2001:db8:3f::3f:1,
+			     2001:db8::/64 . 2001:db8:40::-2001:db8:40::40:1,
+			     2001:db8::/65 . 2001:db8:41::-2001:db8:41::41:1,
+			     2001:db8::/66 . 2001:db8:42::-2001:db8:42::42:1,
+			     2001:db8::/67 . 2001:db8:43::-2001:db8:43::43:1,
+			     2001:db8::/68 . 2001:db8:44::-2001:db8:44::44:1,
+			     2001:db8::/69 . 2001:db8:45::-2001:db8:45::45:1,
+			     2001:db8::/70 . 2001:db8:46::-2001:db8:46::46:1,
+			     2001:db8::/71 . 2001:db8:47::-2001:db8:47::47:1,
+			     2001:db8::/72 . 2001:db8:48::-2001:db8:48::48:1,
+			     2001:db8::/73 . 2001:db8:49::-2001:db8:49::49:1,
+			     2001:db8::/74 . 2001:db8:4a::-2001:db8:4a::4a:1,
+			     2001:db8::/75 . 2001:db8:4b::-2001:db8:4b::4b:1,
+			     2001:db8::/76 . 2001:db8:4c::-2001:db8:4c::4c:1,
+			     2001:db8::/77 . 2001:db8:4d::-2001:db8:4d::4d:1,
+			     2001:db8::/78 . 2001:db8:4e::-2001:db8:4e::4e:1,
+			     2001:db8::/79 . 2001:db8:4f::-2001:db8:4f::4f:1,
+			     2001:db8::/80 . 2001:db8:50::-2001:db8:50::50:1,
+			     2001:db8::/81 . 2001:db8:51::-2001:db8:51::51:1,
+			     2001:db8::/82 . 2001:db8:52::-2001:db8:52::52:1,
+			     2001:db8::/83 . 2001:db8:53::-2001:db8:53::53:1,
+			     2001:db8::/84 . 2001:db8:54::-2001:db8:54::54:1,
+			     2001:db8::/85 . 2001:db8:55::-2001:db8:55::55:1,
+			     2001:db8::/86 . 2001:db8:56::-2001:db8:56::56:1,
+			     2001:db8::/87 . 2001:db8:57::-2001:db8:57::57:1,
+			     2001:db8::/88 . 2001:db8:58::-2001:db8:58::58:1,
+			     2001:db8::/89 . 2001:db8:59::-2001:db8:59::59:1,
+			     2001:db8::/90 . 2001:db8:5a::-2001:db8:5a::5a:1,
+			     2001:db8::/91 . 2001:db8:5b::-2001:db8:5b::5b:1,
+			     2001:db8::/92 . 2001:db8:5c::-2001:db8:5c::5c:1,
+			     2001:db8::/93 . 2001:db8:5d::-2001:db8:5d::5d:1,
+			     2001:db8::/94 . 2001:db8:5e::-2001:db8:5e::5e:1,
+			     2001:db8::/95 . 2001:db8:5f::-2001:db8:5f::5f:1,
+			     2001:db8::/96 . 2001:db8:60::-2001:db8:60::60:1,
+			     2001:db8::/97 . 2001:db8:61::-2001:db8:61::61:1,
+			     2001:db8::/98 . 2001:db8:62::-2001:db8:62::62:1,
+			     2001:db8::/99 . 2001:db8:63::-2001:db8:63::63:1,
+			     2001:db8::/100 . 2001:db8:64::-2001:db8:64::64:1,
+			     2001:db8::/101 . 2001:db8:65::-2001:db8:65::65:1,
+			     2001:db8::/102 . 2001:db8:66::-2001:db8:66::66:1,
+			     2001:db8::/103 . 2001:db8:67::-2001:db8:67::67:1,
+			     2001:db8::/104 . 2001:db8:68::-2001:db8:68::68:1,
+			     2001:db8::/105 . 2001:db8:69::-2001:db8:69::69:1,
+			     2001:db8::/106 . 2001:db8:6a::-2001:db8:6a::6a:1,
+			     2001:db8::/107 . 2001:db8:6b::-2001:db8:6b::6b:1,
+			     2001:db8::/108 . 2001:db8:6c::-2001:db8:6c::6c:1,
+			     2001:db8::/109 . 2001:db8:6d::-2001:db8:6d::6d:1,
+			     2001:db8::/110 . 2001:db8:6e::-2001:db8:6e::6e:1,
+			     2001:db8::/111 . 2001:db8:6f::-2001:db8:6f::6f:1,
+			     2001:db8::/112 . 2001:db8:70::-2001:db8:70::70:1,
+			     2001:db8::/113 . 2001:db8:71::-2001:db8:71::71:1,
+			     2001:db8::/114 . 2001:db8:72::-2001:db8:72::72:1,
+			     2001:db8::/115 . 2001:db8:73::-2001:db8:73::73:1,
+			     2001:db8::/116 . 2001:db8:74::-2001:db8:74::74:1,
+			     2001:db8::/117 . 2001:db8:75::-2001:db8:75::75:1,
+			     2001:db8::/118 . 2001:db8:76::-2001:db8:76::76:1,
+			     2001:db8::/119 . 2001:db8:77::-2001:db8:77::77:1,
+			     2001:db8::/120 . 2001:db8:78::-2001:db8:78::78:1,
+			     2001:db8::/121 . 2001:db8:79::-2001:db8:79::79:1,
+			     2001:db8::/122 . 2001:db8:7a::-2001:db8:7a::7a:1,
+			     2001:db8::/123 . 2001:db8:7b::-2001:db8:7b::7b:1,
+			     2001:db8::/124 . 2001:db8:7c::-2001:db8:7c::7c:1,
+			     2001:db8::/125 . 2001:db8:7d::-2001:db8:7d::7d:1,
+			     2001:db8::/126 . 2001:db8:7e::-2001:db8:7e::7e:1,
+			     2001:db8::/127 . 2001:db8:7f::-2001:db8:7f::7f:1 }
+	}
+}
+table ip t {
+	set s {
+		type ipv4_addr . ipv4_addr
+		flags interval
+		elements = { 192.0.2.0/24 . 192.0.2.72-192.0.2.74,
+			     192.0.2.0/25 . 192.0.2.75-192.0.2.77,
+			     192.0.2.0/26 . 192.0.2.78-192.0.2.80,
+			     192.0.2.0/27 . 192.0.2.81-192.0.2.83,
+			     192.0.2.0/28 . 192.0.2.84-192.0.2.86,
+			     192.0.2.0/29 . 192.0.2.87-192.0.2.89,
+			     192.0.2.0/30 . 192.0.2.90-192.0.2.92,
+			     192.0.2.0/31 . 192.0.2.93-192.0.2.95 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump b/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft
new file mode 100644
index 0000000..5b249a3
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0044interval_overlap_1.nft
@@ -0,0 +1,106 @@
+table ip t {
+	set s {
+		type inet_service
+		flags interval
+		elements = { 25, 30, 82, 119, 349,
+			     745, 748, 1165, 1233, 1476,
+			     1550, 1562, 1743, 1745, 1882,
+			     2070, 2194, 2238, 2450, 2455,
+			     2642, 2671, 2906, 3093, 3203,
+			     3287, 3348, 3411, 3540, 3892,
+			     3943, 4133, 4205, 4317, 4733,
+			     5095, 5156, 5223, 5230, 5432,
+			     5826, 5828, 6044, 6377, 6388,
+			     6491, 6952, 6986, 7012, 7187,
+			     7300, 7305, 7549, 7664, 8111,
+			     8206, 8396, 8782, 8920, 8981,
+			     9067, 9216, 9245, 9315, 9432,
+			     9587, 9689, 9844, 9991, 10045,
+			     10252, 10328, 10670, 10907, 11021,
+			     11337, 11427, 11497, 11502, 11523,
+			     11552, 11577, 11721, 11943, 12474,
+			     12718, 12764, 12794, 12922, 13186,
+			     13232, 13383, 13431, 13551, 13676,
+			     13685, 13747, 13925, 13935, 14015,
+			     14090, 14320, 14392, 14515, 14647,
+			     14911, 15096, 15105, 15154, 15440,
+			     15583, 15623, 15677, 15710, 15926,
+			     15934, 15960, 16068, 16166, 16486,
+			     16489, 16528, 16646, 16650, 16770,
+			     16882, 17052, 17237, 17387, 17431,
+			     17886, 17939, 17999, 18092, 18123,
+			     18238, 18562, 18698, 19004, 19229,
+			     19237, 19585, 19879, 19938, 19950,
+			     19958, 20031, 20138, 20157, 20205,
+			     20368, 20682, 20687, 20873, 20910,
+			     20919, 21019, 21068, 21115, 21188,
+			     21236, 21319, 21563, 21734, 21806,
+			     21810, 21959, 21982, 22078, 22181,
+			     22308, 22480, 22643, 22854, 22879,
+			     22961, 23397, 23534, 23845, 23893,
+			     24130, 24406, 24794, 24997, 25019,
+			     25143, 25179, 25439, 25603, 25718,
+			     25859, 25949, 26006, 26022, 26047,
+			     26170, 26193, 26725, 26747, 26924,
+			     27023, 27040, 27233, 27344, 27478,
+			     27593, 27600, 27664, 27678, 27818,
+			     27822, 28003, 28038, 28709, 28808,
+			     29010, 29057, 29228, 29485, 30132,
+			     30160, 30415, 30469, 30673, 30736,
+			     30776, 30780, 31450, 31537, 31669,
+			     31839, 31873, 32019, 32229, 32685,
+			     32879, 33318, 33337, 33404, 33517,
+			     33906, 34214, 34346, 34416, 34727,
+			     34848, 35325, 35400, 35451, 35501,
+			     35637, 35653, 35710, 35761, 35767,
+			     36238, 36258, 36279, 36464, 36586,
+			     36603, 36770, 36774, 36805, 36851,
+			     37079, 37189, 37209, 37565, 37570,
+			     37585, 37832, 37931, 37954, 38006,
+			     38015, 38045, 38109, 38114, 38200,
+			     38209, 38214, 38277, 38306, 38402,
+			     38606, 38697, 38960, 39004, 39006,
+			     39197, 39217, 39265, 39319, 39460,
+			     39550, 39615, 39871, 39886, 40088,
+			     40135, 40244, 40323, 40339, 40355,
+			     40385, 40428, 40538, 40791, 40848,
+			     40959, 41003, 41131, 41349, 41643,
+			     41710, 41826, 41904, 42027, 42148,
+			     42235, 42255, 42498, 42680, 42973,
+			     43118, 43135, 43233, 43349, 43411,
+			     43487, 43840, 43843, 43870, 44040,
+			     44204, 44817, 44883, 44894, 44958,
+			     45201, 45259, 45283, 45357, 45423,
+			     45473, 45498, 45519, 45561, 45611,
+			     45627, 45831, 46043, 46105, 46116,
+			     46147, 46169, 46349, 47147, 47252,
+			     47314, 47335, 47360, 47546, 47617,
+			     47648, 47772, 47793, 47846, 47913,
+			     47952, 48095, 48325, 48334, 48412,
+			     48419, 48540, 48569, 48628, 48751,
+			     48944, 48971, 49008, 49025, 49503,
+			     49505, 49613, 49767, 49839, 49925,
+			     50022, 50028, 50238, 51057, 51477,
+			     51617, 51910, 52044, 52482, 52550,
+			     52643, 52832, 53382, 53690, 53809,
+			     53858, 54001, 54198, 54280, 54327,
+			     54376, 54609, 54776, 54983, 54984,
+			     55019, 55038, 55094, 55368, 55737,
+			     55793, 55904, 55941, 55960, 55978,
+			     56063, 56121, 56314, 56505, 56548,
+			     56568, 56696, 56798, 56855, 57102,
+			     57236, 57333, 57334, 57441, 57574,
+			     57659, 57987, 58325, 58404, 58509,
+			     58782, 58876, 59116, 59544, 59685,
+			     59700, 59750, 59799, 59866, 59870,
+			     59894, 59984, 60343, 60481, 60564,
+			     60731, 61075, 61087, 61148, 61174,
+			     61655, 61679, 61691, 61723, 61730,
+			     61758, 61824, 62035, 62056, 62661,
+			     62768, 62946, 63059, 63116, 63338,
+			     63387, 63672, 63719, 63881, 63995,
+			     64197, 64374, 64377, 64472, 64606,
+			     64662, 64777, 64795, 64906, 65049,
+			     65122, 65318 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.nft b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.nft
new file mode 100644
index 0000000..e548a17
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0045concat_ipv4_service.nft
@@ -0,0 +1,12 @@
+table inet t {
+	set s {
+		type ipv4_addr . inet_service
+		size 65536
+		flags dynamic,timeout
+		elements = { 192.168.7.1 . 22 }
+	}
+
+	chain c {
+		tcp dport 21 add @s { ip saddr . 22 timeout 1m }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0046netmap_0.nft b/tests/shell/testcases/sets/dumps/0046netmap_0.nft
new file mode 100644
index 0000000..5ac6b34
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0046netmap_0.nft
@@ -0,0 +1,12 @@
+table ip x {
+	chain y {
+		type nat hook postrouting priority srcnat; policy accept;
+		snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24, 10.141.12.0/24 : 192.168.3.0/24, 10.141.13.0/24 : 192.168.4.0/24 }
+	}
+}
+table ip6 x {
+	chain y {
+		type nat hook postrouting priority srcnat; policy accept;
+		snat ip6 prefix to ip6 saddr map { 2001:db8:1111::/64 : 2001:db8:2222::/64 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0047nat_0.nft b/tests/shell/testcases/sets/dumps/0047nat_0.nft
new file mode 100644
index 0000000..9fa9fc7
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0047nat_0.nft
@@ -0,0 +1,30 @@
+table ip x {
+	map y {
+		type ipv4_addr : interval ipv4_addr
+		flags interval
+		elements = { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, 10.141.11.0/24 : 192.168.4.2/31,
+			     10.141.12.0/24 : 192.168.5.10-192.168.5.20 }
+	}
+
+	chain x {
+		type nat hook prerouting priority dstnat; policy accept;
+		meta l4proto tcp dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 }
+		dnat ip to iifname . ip saddr map { "enp2s0" . 10.1.1.136 : 1.1.2.69/32, "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 }
+	}
+
+	chain y {
+		type nat hook postrouting priority srcnat; policy accept;
+		snat ip to ip saddr map @y
+	}
+}
+table inet x {
+	chain x {
+		type nat hook prerouting priority dstnat; policy accept;
+		dnat ip to ip daddr . tcp dport map { 10.141.10.1 . 22 : 192.168.2.2, 10.141.11.2 . 2222 : 192.168.4.2 }
+	}
+
+	chain y {
+		type nat hook postrouting priority srcnat; policy accept;
+		snat ip to ip saddr map { 10.141.10.0/24 : 192.168.2.2-192.168.2.4, 10.141.11.0/24 : 192.168.4.2/31 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0048set_counters_0.nft b/tests/shell/testcases/sets/dumps/0048set_counters_0.nft
new file mode 100644
index 0000000..2145f6b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0048set_counters_0.nft
@@ -0,0 +1,13 @@
+table ip x {
+	set y {
+		typeof ip saddr
+		counter
+		elements = { 192.168.10.35 counter packets 0 bytes 0, 192.168.10.101 counter packets 0 bytes 0,
+			     192.168.10.135 counter packets 0 bytes 0 }
+	}
+
+	chain z {
+		type filter hook output priority filter; policy accept;
+		ip daddr @y
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0049set_define_0.nft b/tests/shell/testcases/sets/dumps/0049set_define_0.nft
new file mode 100644
index 0000000..998b387
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0049set_define_0.nft
@@ -0,0 +1,6 @@
+table inet filter {
+	chain input {
+		type filter hook input priority filter; policy drop;
+		tcp dport { 22, 80, 443 } ct state new counter packets 0 bytes 0 accept
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0050set_define_1.nft b/tests/shell/testcases/sets/dumps/0050set_define_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0050set_define_1.nft
diff --git a/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.nft b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.nft
new file mode 100644
index 0000000..fd488a7
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0051set_interval_counter_0.nft
@@ -0,0 +1,13 @@
+table ip x {
+	set s {
+		type ipv4_addr
+		flags interval
+		counter
+		elements = { 192.168.2.0/24 counter packets 0 bytes 0 }
+	}
+
+	chain y {
+		type filter hook output priority filter; policy accept;
+		ip daddr @s
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0052overlap_0.nft b/tests/shell/testcases/sets/dumps/0052overlap_0.nft
new file mode 100644
index 0000000..1cc02ad
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0052overlap_0.nft
@@ -0,0 +1,8 @@
+table ip filter {
+	set w_all {
+		type ipv4_addr
+		flags interval
+		auto-merge
+		elements = { 10.10.10.10, 10.10.10.253 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0053echo_0.nft b/tests/shell/testcases/sets/dumps/0053echo_0.nft
new file mode 100644
index 0000000..bb7c551
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0053echo_0.nft
@@ -0,0 +1,6 @@
+table inet filter {
+	chain input {
+		type filter hook input priority filter; policy drop;
+		iifname "lo" ip saddr 10.0.0.0/8 ip daddr 192.168.100.62 tcp dport 2001 counter packets 0 bytes 0 accept
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0054comments_set_0.nft b/tests/shell/testcases/sets/dumps/0054comments_set_0.nft
new file mode 100644
index 0000000..7929924
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0054comments_set_0.nft
@@ -0,0 +1,13 @@
+table ip t {
+	set s {
+		type ipv4_addr
+		flags interval
+		comment "test"
+	}
+
+	map m {
+		type ipv4_addr : ipv4_addr
+		flags interval
+		comment "another test"
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft b/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft
new file mode 100644
index 0000000..ffed542
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0055tcpflags_0.nft
@@ -0,0 +1,10 @@
+table ip test {
+	set tcp_good_flags {
+		type tcp_flag
+		flags constant
+		elements = { fin | psh | ack | urg, fin | psh | ack, fin | ack | urg, fin | ack, syn | psh | ack | urg,
+			     syn | psh | ack, syn | ack | urg, syn | ack, syn, rst | psh | ack | urg,
+			     rst | psh | ack, rst | ack | urg, rst | ack, rst, psh | ack | urg,
+			     psh | ack, ack | urg, ack }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0056dynamic_limit_0.nft
diff --git a/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft
new file mode 100644
index 0000000..de43d56
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0057set_create_fails_0.nft
@@ -0,0 +1,7 @@
+table inet filter {
+	set test {
+		type ipv4_addr
+		size 65535
+		elements = { 1.1.1.1 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.nft b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.nft
new file mode 100644
index 0000000..873adc6
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0058_setupdate_timeout_0.nft
@@ -0,0 +1,12 @@
+table inet filter {
+	set ssh_meter {
+		type ipv4_addr
+		size 65535
+		flags dynamic,timeout
+		timeout 30d
+	}
+
+	chain test {
+		add @ssh_meter { ip saddr timeout 30d }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft
new file mode 100644
index 0000000..c1cc3b5
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0059set_update_multistmt_0.nft
@@ -0,0 +1,13 @@
+table ip x {
+	set y {
+		type ipv4_addr
+		size 65535
+		flags dynamic,timeout
+		timeout 1h
+	}
+
+	chain z {
+		type filter hook output priority filter; policy accept;
+		update @y { ip daddr limit rate 1/second burst 5 packets counter }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft
new file mode 100644
index 0000000..df68fcd
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_0.nft
@@ -0,0 +1,13 @@
+table ip x {
+	set y {
+		type ipv4_addr
+		limit rate 1/second burst 5 packets counter
+		elements = { 1.1.1.1 limit rate 1/second burst 5 packets counter packets 0 bytes 0, 4.4.4.4 limit rate 1/second burst 5 packets counter packets 0 bytes 0,
+			     5.5.5.5 limit rate 1/second burst 5 packets counter packets 0 bytes 0 }
+	}
+
+	chain y {
+		type filter hook output priority filter; policy accept;
+		ip daddr @y
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft
new file mode 100644
index 0000000..ac1bd26
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0060set_multistmt_1.nft
@@ -0,0 +1,15 @@
+table ip x {
+	set y {
+		type ipv4_addr
+		size 65535
+		flags dynamic
+		counter quota 500 bytes
+		elements = { 1.1.1.1 counter packets 0 bytes 0 quota 500 bytes, 1.2.3.4 counter packets 9 bytes 756 quota 500 bytes used 500 bytes,
+			     2.2.2.2 counter packets 0 bytes 0 quota 1000 bytes }
+	}
+
+	chain y {
+		type filter hook output priority filter; policy accept;
+		update @y { ip daddr }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.nft b/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.nft
new file mode 100644
index 0000000..04361f4
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0061anonymous_automerge_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+	chain y {
+		ip saddr { 1.1.1.1-1.1.1.2 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft
new file mode 100644
index 0000000..080d675
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0062set_connlimit_0.nft
@@ -0,0 +1,16 @@
+table ip x {
+	set est-connlimit {
+		type ipv4_addr
+		size 65535
+		flags dynamic
+		elements = { 84.245.120.167 ct count over 20 }
+	}
+
+	set new-connlimit {
+		type ipv4_addr
+		size 65535
+		flags dynamic
+		ct count over 20
+		elements = { 84.245.120.167 ct count over 20 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft b/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft
new file mode 100644
index 0000000..f0d42cc
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0063set_catchall_0.nft
@@ -0,0 +1,14 @@
+table ip x {
+	set y {
+		type ipv4_addr
+		counter
+		elements = { 1.1.1.1 counter packets 0 bytes 0, * counter packets 0 bytes 0 }
+	}
+
+	set z {
+		type ipv4_addr
+		flags interval
+		counter
+		elements = { 1.1.1.0/24 counter packets 0 bytes 0, * counter packets 0 bytes 0 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft b/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft
new file mode 100644
index 0000000..890ed2a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0064map_catchall_0.nft
@@ -0,0 +1,18 @@
+table ip x {
+	map y {
+		type ipv4_addr : ipv4_addr
+		elements = { 10.141.0.1 : 192.168.0.2, * : 192.168.0.4 }
+	}
+
+	map z {
+		type ipv4_addr : ipv4_addr
+		flags interval
+		elements = { 10.141.0.0/24 : 192.168.0.2, * : 192.168.0.3 }
+	}
+
+	chain y {
+		snat to ip saddr map @z
+		snat to ip saddr map { 10.141.0.0/24 : 192.168.0.2, * : 192.168.0.3 }
+		snat to ip saddr . ip daddr map { 10.141.0.0/24 . 10.0.0.0/8 : 192.168.0.2, 192.168.9.0/24 . 192.168.10.0/24 : 192.168.0.4, * : 192.168.0.3 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft
new file mode 100644
index 0000000..461c7a7
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0065_icmp_postprocessing.nft
@@ -0,0 +1,6 @@
+table ip x {
+	chain foo {
+		accept
+		icmp type { echo-reply, echo-request } icmp id 42
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft
new file mode 100644
index 0000000..0215691
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft
@@ -0,0 +1,42 @@
+table ip nat {
+	map ipportmap {
+		type ipv4_addr : interval ipv4_addr . inet_service
+		flags interval
+		elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999, 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 }
+	}
+
+	map ipportmap2 {
+		type ipv4_addr . ipv4_addr : interval ipv4_addr . inet_service
+		flags interval
+		elements = { 192.168.1.2 . 192.168.2.2 : 127.0.0.0/8 . 42-43 }
+	}
+
+	map fwdtoip_th {
+		type ipv4_addr . inet_service : interval ipv4_addr . inet_service
+		flags interval
+		elements = { 1.2.3.4 . 10000-20000 : 192.168.3.4 . 30000-40000 }
+	}
+
+	map ipportmap4 {
+		typeof iifname . ip saddr : interval ip daddr
+		flags interval
+		elements = { "enp2s0" . 10.1.1.136 : 1.1.2.69/32,
+			     "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 }
+	}
+
+	map ipportmap5 {
+		typeof iifname . ip saddr : interval ip daddr . tcp dport
+		flags interval
+		elements = { "enp2s0" . 10.1.1.136 : 1.1.2.69 . 22,
+			     "enp2s0" . 10.1.1.1-10.1.1.135 : 1.1.2.66-1.84.236.78 . 22 }
+	}
+
+	chain prerouting {
+		type nat hook prerouting priority dstnat; policy accept;
+		ip protocol tcp dnat ip to ip saddr map @ipportmap
+		ip protocol tcp dnat ip to ip saddr . ip daddr map @ipportmap2
+		meta l4proto { tcp, udp } dnat ip to ip daddr . th dport map @fwdtoip_th
+		dnat ip to iifname . ip saddr map @ipportmap4
+		meta l4proto tcp dnat ip to iifname . ip saddr map @ipportmap5
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump b/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0068interval_stack_overflow_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/0069interval_merge_0.nft b/tests/shell/testcases/sets/dumps/0069interval_merge_0.nft
new file mode 100644
index 0000000..2d4e170
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0069interval_merge_0.nft
@@ -0,0 +1,9 @@
+table ip x {
+	set y {
+		type ipv4_addr
+		flags interval
+		auto-merge
+		elements = { 1.2.3.0-1.2.4.255, 3.3.3.3-3.3.3.6,
+			     4.4.4.0-4.4.5.0 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft
new file mode 100644
index 0000000..0057e9c
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft
@@ -0,0 +1,28 @@
+table netdev nt {
+	set vlanidset {
+		typeof vlan id
+		size 1024
+		flags dynamic,timeout
+	}
+
+	set macset {
+		typeof ether saddr . vlan id
+		size 1024
+		flags dynamic,timeout
+	}
+
+	set ipset {
+		typeof vlan id . ip saddr
+		size 1024
+		flags dynamic,timeout
+	}
+
+	chain nc {
+		update @macset { ether saddr . vlan id timeout 5s } counter packets 0 bytes 0
+		ether saddr . vlan id @macset
+		vlan pcp 1
+		ether saddr 0a:0b:0c:0d:0e:0f vlan id 42
+		update @vlanidset { vlan id timeout 5s } counter packets 0 bytes 0
+		update @ipset { vlan id . ip saddr timeout 5s } counter packets 0 bytes 0
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft
new file mode 100644
index 0000000..4eed94c
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft
@@ -0,0 +1,19 @@
+table inet t {
+	set s1 {
+		type ipv4_addr
+		flags interval
+		elements = { 10.0.0.0/8, 192.0.0.0/2 }
+	}
+
+	set s2 {
+		type ipv6_addr
+		flags interval
+		elements = { fe80::/10,
+			     ff00::/8 }
+	}
+
+	chain c {
+		ip saddr @s1 accept
+		ip6 daddr @s2 accept
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0072destroy_0.nft b/tests/shell/testcases/sets/dumps/0072destroy_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0072destroy_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft b/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft
new file mode 100644
index 0000000..20f5374
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft
@@ -0,0 +1,11 @@
+table inet filter {
+	counter TEST {
+		packets 0 bytes 0
+	}
+
+	map testmap {
+		type ipv4_addr : counter
+		flags interval
+		elements = { 192.168.0.0/24 : "TEST" }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft b/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft
new file mode 100644
index 0000000..20f5374
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft
@@ -0,0 +1,11 @@
+table inet filter {
+	counter TEST {
+		packets 0 bytes 0
+	}
+
+	map testmap {
+		type ipv4_addr : counter
+		flags interval
+		elements = { 192.168.0.0/24 : "TEST" }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/automerge_0.nodump b/tests/shell/testcases/sets/dumps/automerge_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/automerge_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft
new file mode 100644
index 0000000..a3244fc
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft
@@ -0,0 +1,12 @@
+table ip a {
+	set x {
+		type inet_service
+		elements = { 1, 2 }
+	}
+}
+table ip6 a {
+	set x {
+		type inet_service
+		elements = { 2 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/concat_interval_0.nft b/tests/shell/testcases/sets/dumps/concat_interval_0.nft
new file mode 100644
index 0000000..61547c5
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/concat_interval_0.nft
@@ -0,0 +1,14 @@
+table ip t {
+	set s {
+		type ipv4_addr . inet_proto . inet_service
+		flags interval
+		counter
+	}
+
+	set s2 {
+		type ipv4_addr . mark
+		flags interval
+		elements = { 10.10.10.10 . 0x00000100,
+			     20.20.20.20 . 0x00000200 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/dynset_missing.nft b/tests/shell/testcases/sets/dumps/dynset_missing.nft
new file mode 100644
index 0000000..6c8ed32
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/dynset_missing.nft
@@ -0,0 +1,12 @@
+table ip test {
+	set dlist {
+		type ipv4_addr
+		size 65535
+		flags dynamic
+	}
+
+	chain output {
+		type filter hook output priority filter; policy accept;
+		udp dport 1234 update @dlist { ip daddr } counter packets 0 bytes 0
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/errors_0.nft b/tests/shell/testcases/sets/dumps/errors_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/errors_0.nft
diff --git a/tests/shell/testcases/sets/dumps/exact_overlap_0.nft b/tests/shell/testcases/sets/dumps/exact_overlap_0.nft
new file mode 100644
index 0000000..c903e3f
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/exact_overlap_0.nft
@@ -0,0 +1,13 @@
+table ip t {
+	set s {
+		type ipv4_addr
+		flags interval
+		elements = { 1.0.1.0/24, 1.0.2.0/23,
+			     1.0.8.0/21, 1.0.32.0/19,
+			     1.1.0.0/24, 1.1.2.0/23,
+			     1.1.4.0/22, 1.1.8.0/24,
+			     1.1.9.0/24, 1.1.10.0/23,
+			     1.1.12.0/22, 1.1.16.0/20,
+			     1.1.32.0/19 }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/inner_0.nft b/tests/shell/testcases/sets/dumps/inner_0.nft
new file mode 100644
index 0000000..925ca77
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/inner_0.nft
@@ -0,0 +1,18 @@
+table netdev x {
+	set x {
+		typeof vxlan ip saddr . vxlan ip daddr
+		elements = { 3.3.3.3 . 4.4.4.4 }
+	}
+
+	set y {
+		typeof vxlan ip saddr
+		size 65535
+		flags dynamic
+	}
+
+	chain y {
+		udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.1.1.1 . 2.2.2.2 } counter packets 0 bytes 0
+		udp dport 4789 vxlan ip saddr . vxlan ip daddr @x counter packets 0 bytes 0
+		udp dport 4789 update @y { vxlan ip saddr }
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/reset_command_0.nodump b/tests/shell/testcases/sets/dumps/reset_command_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/reset_command_0.nodump
diff --git a/tests/shell/testcases/sets/dumps/set_eval_0.nft b/tests/shell/testcases/sets/dumps/set_eval_0.nft
new file mode 100644
index 0000000..a45462b
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/set_eval_0.nft
@@ -0,0 +1,11 @@
+table ip nat {
+	set set_with_interval {
+		type ipv4_addr
+		flags interval
+	}
+
+	chain prerouting {
+		type nat hook prerouting priority dstnat; policy accept;
+		meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/sets_with_ifnames.nft b/tests/shell/testcases/sets/dumps/sets_with_ifnames.nft
new file mode 100644
index 0000000..77a8baf
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/sets_with_ifnames.nft
@@ -0,0 +1,62 @@
+table inet testifsets {
+	set simple {
+		type ifname
+		elements = { "abcdef0",
+			     "abcdef1",
+			     "othername" }
+	}
+
+	set simple_wild {
+		type ifname
+		flags interval
+		elements = { "abcdef*",
+			     "othername",
+			     "ppp0" }
+	}
+
+	set concat {
+		type ipv4_addr . ifname
+		elements = { 10.1.2.2 . "abcdef0",
+			     10.1.2.2 . "abcdef1" }
+	}
+
+	set concat_wild {
+		type ipv4_addr . ifname
+		flags interval
+		elements = { 10.1.2.2 . "abcdef*",
+			     10.1.2.1 . "bar",
+			     1.1.2.0/24 . "abcdef0",
+			     12.2.2.0/24 . "abcdef*" }
+	}
+
+	map map_wild {
+		type ifname : verdict
+		flags interval
+		elements = { "abcdef*" : jump do_nothing,
+			     "eth0" : jump do_nothing }
+	}
+
+	chain v4icmp {
+		iifname @simple counter packets 0 bytes 0
+		iifname @simple_wild counter packets 0 bytes 0
+		iifname { "eth0", "abcdef0" } counter packets 0 bytes 0
+		iifname { "abcdef*", "eth0" } counter packets 0 bytes 0
+		iifname vmap @map_wild
+	}
+
+	chain v4icmpc {
+		ip saddr . iifname @concat counter packets 0 bytes 0
+		ip saddr . iifname @concat_wild counter packets 0 bytes 0
+		ip saddr . iifname { 10.1.2.2 . "abcdef0" } counter packets 0 bytes 0
+		ip saddr . iifname { 10.1.2.2 . "abcdef*" } counter packets 0 bytes 0
+	}
+
+	chain input {
+		type filter hook input priority filter; policy accept;
+		ip protocol icmp jump v4icmp
+		ip protocol icmp goto v4icmpc
+	}
+
+	chain do_nothing {
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/type_set_symbol.nft b/tests/shell/testcases/sets/dumps/type_set_symbol.nft
new file mode 100644
index 0000000..21209f6
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/type_set_symbol.nft
@@ -0,0 +1,16 @@
+table ip t {
+	set s1 {
+		type ipv4_addr . ipv4_addr . inet_service
+		size 65535
+		flags dynamic,timeout
+		timeout 3h
+	}
+
+	chain c1 {
+		update @s1 { ip saddr . 10.180.0.4 . 80 }
+	}
+
+	chain c2 {
+		ip saddr . 1.2.3.4 . 80 @s1 goto c1
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/typeof_raw_0.nft b/tests/shell/testcases/sets/dumps/typeof_raw_0.nft
new file mode 100644
index 0000000..4d6abaa
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/typeof_raw_0.nft
@@ -0,0 +1,12 @@
+table inet t {
+	set y {
+		typeof ip daddr . @ih,32,32
+		elements = { 1.1.1.1 . 0x14,
+			     2.2.2.2 . 0x20 }
+	}
+
+	chain y {
+		ip saddr . @nh,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
+		ip daddr . @nh,32,32 @y
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_0.nft b/tests/shell/testcases/sets/dumps/typeof_sets_0.nft
new file mode 100644
index 0000000..6f5b83a
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/typeof_sets_0.nft
@@ -0,0 +1,97 @@
+table inet t {
+	set s1 {
+		typeof osf name
+		elements = { "Linux" }
+	}
+
+	set s2 {
+		typeof vlan id
+		elements = { 2, 3, 103 }
+	}
+
+	set s3 {
+		typeof meta ibrpvid
+		elements = { 2, 3, 103 }
+	}
+
+	set s4 {
+		typeof frag frag-off
+		elements = { 1, 1024 }
+	}
+
+	set s5 {
+		typeof ip option ra value
+		elements = { 1, 1024 }
+	}
+
+	set s6 {
+		typeof tcp option maxseg size
+		elements = { 1, 1024 }
+	}
+
+	set s7 {
+		typeof sctp chunk init num-inbound-streams
+		elements = { 1, 4 }
+	}
+
+	set s8 {
+		typeof ip version
+		elements = { 4, 6 }
+	}
+
+	set s9 {
+		typeof ip hdrlength
+		elements = { 0, 1, 2, 3, 4,
+			     15 }
+	}
+
+	set s10 {
+		typeof iifname . ip saddr . ipsec in reqid
+		elements = { "eth0" . 10.1.1.2 . 42 }
+	}
+
+	set s11 {
+		typeof vlan id . ip saddr
+		elements = { 3567 . 1.2.3.4 }
+	}
+
+	chain c1 {
+		osf name @s1 accept
+	}
+
+	chain c2 {
+		vlan id @s2 accept
+	}
+
+	chain c4 {
+		frag frag-off @s4 accept
+	}
+
+	chain c5 {
+		ip option ra value @s5 accept
+	}
+
+	chain c6 {
+		tcp option maxseg size @s6 accept
+	}
+
+	chain c7 {
+		sctp chunk init num-inbound-streams @s7 accept
+	}
+
+	chain c8 {
+		ip version @s8 accept
+	}
+
+	chain c9 {
+		ip hdrlength @s9 accept
+	}
+
+	chain c10 {
+		iifname . ip saddr . ipsec in reqid @s10 accept
+	}
+
+	chain c11 {
+		vlan id . ip saddr @s11 accept
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_1.nft b/tests/shell/testcases/sets/dumps/typeof_sets_1.nft
new file mode 100644
index 0000000..89cbc83
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/typeof_sets_1.nft
@@ -0,0 +1,15 @@
+table bridge t {
+	set nodhcpvlan {
+		typeof vlan id
+		elements = { 1 }
+	}
+
+	chain c1 {
+		vlan id != @nodhcpvlan vlan type arp counter packets 0 bytes 0 jump c2
+		vlan id != @nodhcpvlan vlan type ip counter packets 0 bytes 0 jump c2
+		vlan id != { 1, 2 } vlan type ip6 counter packets 0 bytes 0 jump c2
+	}
+
+	chain c2 {
+	}
+}
diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft
new file mode 100644
index 0000000..dbaf7cd
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft
@@ -0,0 +1,12 @@
+table netdev t {
+	set s {
+		typeof ether saddr . vlan id
+		size 2048
+		flags dynamic,timeout
+	}
+
+	chain c {
+		ether type != 8021q add @s { ether saddr . 0 timeout 5s } counter packets 0 bytes 0 return
+		ether type != 8021q update @s { ether daddr . 123 timeout 1m } counter packets 0 bytes 0 return
+	}
+}
diff --git a/tests/shell/testcases/sets/dynset_missing b/tests/shell/testcases/sets/dynset_missing
new file mode 100755
index 0000000..fdf5f49
--- /dev/null
+++ b/tests/shell/testcases/sets/dynset_missing
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+
+$NFT -f /dev/stdin <<EOF
+table ip test {
+	chain output { type filter hook output priority 0;
+	}
+}
+EOF
+
+# misses 'flags dynamic'
+$NFT 'add set ip test dlist {type ipv4_addr; }'
+
+# picks rhash backend because 'size' was also missing.
+$NFT 'add rule ip test output udp dport 1234 update @dlist { ip daddr } counter'
+
+tmpfile=$(mktemp)
+
+trap "rm -rf $tmpfile" EXIT
+
+# kernel has forced an 64k upper size, i.e. this restore file
+# has 'size 65536' but no 'flags dynamic'.
+$NFT list ruleset > $tmpfile
+
+# this restore works, because set is still the rhash backend.
+$NFT -f $tmpfile # success
+$NFT flush ruleset
+
+# fails without commit 'attempt to set_eval flag if dynamic updates requested',
+# because set in $tmpfile has 'size x' but no 'flags dynamic'.
+$NFT -f $tmpfile
diff --git a/tests/shell/testcases/sets/errors_0 b/tests/shell/testcases/sets/errors_0
new file mode 100755
index 0000000..27f65df
--- /dev/null
+++ b/tests/shell/testcases/sets/errors_0
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+RULESET="table ip x {
+	set y {
+		type ipv4_addr
+		flags interval
+	}
+}
+
+delete element ip x y { 2.3.4.5 }"
+
+$NFT -f - <<< $RULESET
+if [ $? -eq 0 ]
+then
+	exit 1
+fi
+
+RULESET="table ip x {
+        set y {
+                type ipv4_addr
+                flags interval
+        }
+}
+
+add element x y { 1.1.1.1/24 }
+delete element x y { 1.1.1.1/24 }
+add element x y { 1.1.1.1/24 }
+delete element x y { 2.2.2.2/24 }"
+
+$NFT -f - <<< $RULESET
+if [ $? -eq 0 ]
+then
+	exit 1
+fi
+
+RULESET="flush ruleset
+create table inet filter
+set inet filter foo {}
+add element inet filter foo { foobar }"
+
+$NFT -f - <<< $RULESET
+if [ $? -eq 0 ]
+then
+	exit 1
+fi
+
+RULESET="table ip x {
+        map x {
+                type ifname . ipv4_addr : verdict
+                elements = { if2 . 10.0.0.2 : jump chain2,
+                             if2 . 192.168.0.0/24 : jump chain2 }
+        }
+
+        chain chain2 {}
+}"
+
+$NFT -f - <<< $RULESET
+if [ $? -eq 0 ]
+then
+	exit 1
+fi
+
+RULESET="add set inet filter myset { type ipv4_addr; flags interval; auto-merge }
+add element inet filter myset { 192.168.0.0/24 }
+add element inet filter myset { 192.168.0.2 }
+add element inet filter myset { 192.168.1.0/24 }
+add element inet filter myset { 192.168.1.100 }"
+
+$NFT -f - <<< $RULESET || exit 0
diff --git a/tests/shell/testcases/sets/exact_overlap_0 b/tests/shell/testcases/sets/exact_overlap_0
new file mode 100755
index 0000000..1ce9304
--- /dev/null
+++ b/tests/shell/testcases/sets/exact_overlap_0
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+RULESET="add table t
+add set t s { type ipv4_addr; flags interval; }
+add element t s { 1.0.1.0/24 }
+add element t s { 1.0.2.0/23 }
+add element t s { 1.0.8.0/21 }
+add element t s { 1.0.32.0/19 }
+add element t s { 1.1.0.0/24 }
+add element t s { 1.1.2.0/23 }
+add element t s { 1.1.4.0/22 }
+add element t s { 1.1.8.0/24 }
+add element t s { 1.1.9.0/24 }
+add element t s { 1.1.10.0/23 }
+add element t s { 1.1.12.0/22 }
+add element t s { 1.1.16.0/20 }
+add element t s { 1.1.32.0/19 }
+add element t s { 1.0.1.0/24 }"
+
+$NFT -f - <<< $RULESET || exit 1
+
+$NFT add element t s { 1.0.1.0/24 }
diff --git a/tests/shell/testcases/sets/inner_0 b/tests/shell/testcases/sets/inner_0
new file mode 100755
index 0000000..39d91bd
--- /dev/null
+++ b/tests/shell/testcases/sets/inner_0
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inner_matching)
+
+set -e
+
+RULESET="table netdev x {
+	set x {
+		typeof vxlan ip saddr . vxlan ip daddr
+		elements = {
+			3.3.3.3 . 4.4.4.4,
+		}
+	}
+
+	set y {
+		typeof vxlan ip saddr
+		flags dynamic
+	}
+
+        chain y {
+		udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.1.1.1 . 2.2.2.2 } counter
+		udp dport 4789 vxlan ip saddr . vxlan ip daddr @x counter
+		udp dport 4789 update @y { vxlan ip saddr }
+        }
+}"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/reset_command_0 b/tests/shell/testcases/sets/reset_command_0
new file mode 100755
index 0000000..e663dac
--- /dev/null
+++ b/tests/shell/testcases/sets/reset_command_0
@@ -0,0 +1,93 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_reset_set)
+
+set -e
+
+trap '[[ $? -eq 0 ]] || echo FAIL' EXIT
+
+RULESET="table t {
+	set s {
+		type ipv4_addr . inet_proto . inet_service
+		flags interval, timeout
+		counter
+		timeout 30m
+		elements = {
+			1.0.0.1 . udp . 53 counter packets 5 bytes 30 expires 20m,
+			2.0.0.2 . tcp . 22 counter packets 10 bytes 100 timeout 15m expires 10m
+		}
+	}
+	map m {
+		type ipv4_addr : ipv4_addr
+		quota 50 bytes
+		elements = {
+			1.2.3.4 quota 50 bytes used 10 bytes : 10.2.3.4,
+			5.6.7.8 quota 100 bytes used 50 bytes : 50.6.7.8
+		}
+	}
+}"
+
+echo -n "applying test ruleset: "
+$NFT -f - <<< "$RULESET"
+echo OK
+
+drop_seconds() {
+	sed 's/[0-9]\+m\?s//g'
+}
+expires_minutes() {
+	sed -n 's/.*expires \([0-9]*\)m.*/\1/p'
+}
+
+echo -n "get set elem matches reset set elem: "
+elem='element t s { 1.0.0.1 . udp . 53 }'
+[[ $($NFT "get $elem ; reset $elem" | \
+	grep 'elements = ' | drop_seconds | uniq | wc -l) == 1 ]]
+echo OK
+
+echo -n "counters and expiry are reset: "
+NEW=$($NFT "get $elem")
+grep -q 'counter packets 0 bytes 0' <<< "$NEW"
+[[ $(expires_minutes <<< "$NEW") -gt 20 ]]
+echo OK
+
+echo -n "get map elem matches reset map elem: "
+elem='element t m { 1.2.3.4 }'
+[[ $($NFT "get $elem ; reset $elem" | \
+	grep 'elements = ' | uniq | wc -l) == 1 ]]
+echo OK
+
+echo -n "quota value is reset: "
+$NFT get element t m '{ 1.2.3.4 }' | grep -q 'quota 50 bytes : 10.2.3.4'
+echo OK
+
+echo -n "other elements remain the same: "
+OUT=$($NFT get element t s '{ 2.0.0.2 . tcp . 22 }')
+grep -q 'counter packets 10 bytes 100 timeout 15m' <<< "$OUT"
+VAL=$(expires_minutes <<< "$OUT")
+[[ $val -lt 10 ]]
+$NFT get element t m '{ 5.6.7.8 }' | grep -q 'quota 100 bytes used 50 bytes'
+echo OK
+
+echo -n "list set matches reset set: "
+EXP=$($NFT list set t s | drop_seconds)
+OUT=$($NFT reset set t s | drop_seconds)
+$DIFF -u <(echo "$EXP") <(echo "$OUT")
+echo OK
+
+echo -n "list map matches reset map: "
+EXP=$($NFT list map t m)
+OUT=$($NFT reset map t m)
+$DIFF -u <(echo "$EXP") <(echo "$OUT")
+echo OK
+
+echo -n "reset command respects per-element timeout: "
+VAL=$($NFT get element t s '{ 2.0.0.2 . tcp . 22 }' | expires_minutes)
+[[ $VAL -lt 15 ]]	# custom timeout applies
+[[ $VAL -gt 10 ]]	# expires was reset
+echo OK
+
+echo -n "remaining elements are reset: "
+OUT=$($NFT list ruleset)
+grep -q '2.0.0.2 . tcp . 22 counter packets 0 bytes 0' <<< "$OUT"
+grep -q '5.6.7.8 quota 100 bytes : 50.6.7.8' <<< "$OUT"
+echo OK
diff --git a/tests/shell/testcases/sets/set_eval_0 b/tests/shell/testcases/sets/set_eval_0
new file mode 100755
index 0000000..82b6d3b
--- /dev/null
+++ b/tests/shell/testcases/sets/set_eval_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip nat {
+        set set_with_interval {
+                type ipv4_addr
+                flags interval
+        }
+
+        chain prerouting {
+                type nat hook prerouting priority dstnat; policy accept;
+                meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1
+        }
+}"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/sets_with_ifnames b/tests/shell/testcases/sets/sets_with_ifnames
new file mode 100755
index 0000000..9531c85
--- /dev/null
+++ b/tests/shell/testcases/sets/sets_with_ifnames
@@ -0,0 +1,150 @@
+#!/bin/bash
+
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+[ -z "$NFT" ] && exit 111
+
+$NFT -f "$dumpfile" || exit 1
+
+rnd=$(mktemp -u XXXXXXXX)
+ns1="nft1ifname-$rnd"
+ns2="nft2ifname-$rnd"
+
+cleanup()
+{
+	ip netns del "$ns1"
+	ip netns del "$ns2"
+}
+
+trap cleanup EXIT
+
+# check a given element is (not) present in the set.
+lookup_elem()
+{
+	local setname=$1
+	local value=$2
+	local fail=$3
+	local expect_result=$4
+	local msg=$5
+
+	result=$(ip netns exec "$ns1" $NFT get element inet testifsets $setname { "$value" } 2>/dev/null | grep "$expect_result" )
+
+	if [ -z "$result" ] && [ $fail -ne 1 ] ; then
+		echo "empty result, expected $expect_result $msg"
+		ip netns exec "$ns1" $NFT get element inet testifsets $setname { "$value" }
+		exit 1
+	fi
+}
+
+check_elem_get()
+{
+	local setname=$1
+	local value=$2
+	local fail=$3
+	local expect_result=$4
+
+	# when query is 'abcde', and set has 'abc*', result is
+	# 'abc*', not 'abcde', so returned element can be different.
+	if [ -z "$expect_result" ]; then
+		expect_result=$ifname
+	fi
+
+	lookup_elem "$setname" "$value" "$fail" "$expect_result" ""
+}
+
+# same, but also delete and re-add the element.
+check_elem()
+{
+	local setname=$1
+	local value=$2
+
+	lookup_elem "$setname" "$value" "0" "$value" "initial check"
+
+	ip netns exec "$ns1" $NFT delete element inet testifsets $setname { "$value" }
+	if [ $? -ne 0 ]; then
+		ip netns exec "$ns1" $NFT list ruleset
+		echo "delete element $setname { $value } failed"
+		exit 1
+	fi
+
+	ip netns exec "$ns1" $NFT add element inet testifsets $setname { "$value" }
+
+	lookup_elem "$setname" "$value" "0" "$value" "check after add/del"
+}
+
+# send pings, check all rules with sets that contain abcdef1 match.
+# there are 4 rules in this chain, 4 should match.
+check_matching_icmp_ppp()
+{
+	pkt=$((RANDOM%10))
+	pkt=$((pkt+1))
+	ip netns exec "$ns1" ping -f -c $pkt 10.1.2.2
+
+	# replies should arrive via 'abcdeg', so, should NOT increment any counters.
+	ip netns exec "$ns1" ping -f -c 100 10.2.2.2
+
+	matches=$(ip netns exec "$ns1" $NFT list chain inet testifsets v4icmp | grep "counter packets $pkt " | wc -l)
+	want=3
+
+	if [ "$matches" -ne $want ] ;then
+		ip netns exec "$ns1" $NFT list ruleset
+		echo "Expected $want matching rules, got $matches, packets $pkt in v4icmp"
+		exit 1
+	fi
+
+	# same, for concat set type.
+
+	matches=$(ip netns exec "$ns1" $NFT list chain inet testifsets v4icmpc | grep "counter packets $pkt " | wc -l)
+
+	if [ "$matches" -ne $want ] ;then
+		ip netns exec "$ns1" $NFT list ruleset
+		echo "Expected $want matching rules, got $matches, packets $pkt in v4icmpc"
+		exit 1
+	fi
+}
+
+ip netns add "$ns1" || exit 111
+ip netns add "$ns2" || exit 111
+ip netns exec "$ns1" $NFT -f "$dumpfile" || exit 3
+
+for n in abcdef0 abcdef1 othername;do
+	check_elem simple $n
+done
+
+check_elem_get simple foo 1
+
+for n in ppp0 othername;do
+	check_elem simple_wild $n
+done
+
+check_elem_get simple_wild enoent 1
+check_elem simple_wild ppp0
+check_elem_get simple_wild abcdefghijk 0 'abcdef\*'
+
+check_elem_get concat '1.2.3.4 . "enoent"' 1
+check_elem_get concat '10.1.2.2 . "abcdef"' 1
+check_elem_get concat '10.1.2.1 . "abcdef1"' 1
+
+check_elem concat '10.1.2.2 . "abcdef0"'
+check_elem concat '10.1.2.2 . "abcdef1"'
+
+set -e
+ip -net "$ns1" link set lo up
+ip -net "$ns2" link set lo up
+ip netns exec "$ns1" ping -f -c 10 127.0.0.1
+
+ip link add abcdef1 netns $ns1 type veth peer name veth0 netns $ns2
+ip link add abcdeg  netns $ns1 type veth peer name veth1 netns $ns2
+
+ip -net "$ns1" link set abcdef1 up
+ip -net "$ns2" link set veth0 up
+ip -net "$ns1" link set abcdeg up
+ip -net "$ns2" link set veth1 up
+
+ip -net "$ns1" addr add 10.1.2.1/24 dev abcdef1
+ip -net "$ns1" addr add 10.2.2.1/24 dev abcdeg
+
+ip -net "$ns2" addr add 10.1.2.2/24 dev veth0
+ip -net "$ns2" addr add 10.2.2.2/24 dev veth1
+
+check_matching_icmp_ppp
diff --git a/tests/shell/testcases/sets/type_set_symbol b/tests/shell/testcases/sets/type_set_symbol
new file mode 100755
index 0000000..07820b7
--- /dev/null
+++ b/tests/shell/testcases/sets/type_set_symbol
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"
diff --git a/tests/shell/testcases/sets/typeof_raw_0 b/tests/shell/testcases/sets/typeof_raw_0
new file mode 100755
index 0000000..66042eb
--- /dev/null
+++ b/tests/shell/testcases/sets/typeof_raw_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+EXPECTED="table inet t {
+	set y {
+		typeof ip daddr . @ih,32,32
+		elements = { 1.1.1.1 . 0x14, 2.2.2.2 . 0x20}
+	}
+
+	chain y {
+		ip saddr . @nh,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
+		ip daddr . @nh,32,32 @y
+	}
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
+
diff --git a/tests/shell/testcases/sets/typeof_sets_0 b/tests/shell/testcases/sets/typeof_sets_0
new file mode 100755
index 0000000..35c572c
--- /dev/null
+++ b/tests/shell/testcases/sets/typeof_sets_0
@@ -0,0 +1,226 @@
+#!/bin/bash
+
+# support for strings/typeof in named sets.
+# s1 and s2 are identical, they just use different
+# ways for declaration.
+
+set -e
+
+die() {
+	printf '%s\n' "$*"
+	exit 1
+}
+
+INPUT_OSF_SET="
+	set s1 {
+		typeof osf name
+		elements = { \"Linux\" }
+	}
+"
+INPUT_OSF_CHAIN="
+	chain c1 {
+		osf name @s1 accept
+	}
+"
+
+INPUT_SCTP_CHAIN="
+	chain c7 {
+		sctp chunk init num-inbound-streams @s7 accept
+	}
+"
+
+if [ "$NFT_TEST_HAVE_sctp_chunks" = n ] ; then
+	INPUT_SCTP_CHAIN=
+fi
+
+if [ "$NFT_TEST_HAVE_osf" = n ] ; then
+	if [ "$((RANDOM % 2))" -eq 1 ] ; then
+		# Regardless of $NFT_TEST_HAVE_osf, we can define the set.
+		# Randomly do so.
+		INPUT_OSF_SET=
+	fi
+	INPUT_OSF_CHAIN=
+fi
+
+INPUT="table inet t {$INPUT_OSF_SET
+	set s2 {
+		typeof vlan id
+		elements = { 2, 3, 103 }
+	}
+
+	set s3 {
+		typeof meta ibrpvid
+		elements = { 2, 3, 103 }
+	}
+
+	set s4 {
+		typeof frag frag-off
+		elements = { 1, 1024 }
+	}
+
+	set s5 {
+		typeof ip option ra value
+		elements = { 1, 1024 }
+	}
+
+	set s6 {
+		typeof tcp option maxseg size
+		elements = { 1, 1024 }
+	}
+
+	set s7 {
+		typeof sctp chunk init num-inbound-streams
+		elements = { 1, 4 }
+	}
+
+	set s8 {
+		typeof ip version
+		elements = { 4, 6 }
+	}
+
+	set s9 {
+		typeof ip hdrlength
+		elements = { 0, 1, 2, 3, 4, 15 }
+	}
+
+	set s10 {
+		typeof meta iifname . ip saddr . ipsec in reqid
+		elements = { \"eth0\" . 10.1.1.2 . 42 }
+	}
+
+	set s11 {
+		typeof vlan id . ip saddr
+		elements = { 3567 . 1.2.3.4 }
+	}
+$INPUT_OSF_CHAIN
+	chain c2 {
+		ether type vlan vlan id @s2 accept
+	}
+
+	chain c4 {
+		frag frag-off @s4 accept
+	}
+
+	chain c5 {
+		ip option ra value @s5 accept
+	}
+
+	chain c6 {
+		tcp option maxseg size @s6 accept
+	}
+$INPUT_SCTP_CHAIN
+	chain c8 {
+		ip version @s8 accept
+	}
+
+	chain c9 {
+		ip hdrlength @s9 accept
+	}
+
+	chain c10 {
+		meta iifname . ip saddr . ipsec in reqid @s10 accept
+	}
+
+	chain c11 {
+		ether type vlan vlan id . ip saddr @s11 accept
+	}
+}"
+
+EXPECTED="table inet t {$INPUT_OSF_SET
+	set s2 {
+		typeof vlan id
+		elements = { 2, 3, 103 }
+	}
+
+	set s3 {
+		typeof meta ibrpvid
+		elements = { 2, 3, 103 }
+	}
+
+	set s4 {
+		typeof frag frag-off
+		elements = { 1, 1024 }
+	}
+
+	set s5 {
+		typeof ip option ra value
+		elements = { 1, 1024 }
+	}
+
+	set s6 {
+		typeof tcp option maxseg size
+		elements = { 1, 1024 }
+	}
+
+	set s7 {
+		typeof sctp chunk init num-inbound-streams
+		elements = { 1, 4 }
+	}
+
+	set s8 {
+		typeof ip version
+		elements = { 4, 6 }
+	}
+
+	set s9 {
+		typeof ip hdrlength
+		elements = { 0, 1, 2, 3, 4,
+			     15 }
+	}
+
+	set s10 {
+		typeof iifname . ip saddr . ipsec in reqid
+		elements = { \"eth0\" . 10.1.1.2 . 42 }
+	}
+
+	set s11 {
+		typeof vlan id . ip saddr
+		elements = { 3567 . 1.2.3.4 }
+	}
+$INPUT_OSF_CHAIN
+	chain c2 {
+		vlan id @s2 accept
+	}
+
+	chain c4 {
+		frag frag-off @s4 accept
+	}
+
+	chain c5 {
+		ip option ra value @s5 accept
+	}
+
+	chain c6 {
+		tcp option maxseg size @s6 accept
+	}
+$INPUT_SCTP_CHAIN
+	chain c8 {
+		ip version @s8 accept
+	}
+
+	chain c9 {
+		ip hdrlength @s9 accept
+	}
+
+	chain c10 {
+		iifname . ip saddr . ipsec in reqid @s10 accept
+	}
+
+	chain c11 {
+		vlan id . ip saddr @s11 accept
+	}
+}"
+
+
+$NFT -f - <<< "$INPUT" || die $'nft command failed to process input:\n'">$INPUT<"
+
+$DIFF -u <($NFT list ruleset) - <<<"$EXPECTED" || die $'diff failed between ruleset and expected data.\nExpected:\n'">$EXPECTED<"
+
+if [ "$NFT_TEST_HAVE_osf" = n ] ; then
+	echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip"
+	exit 77
+fi
+if [ "$NFT_TEST_HAVE_sctp_chunks" = n ] ; then
+	echo "Partial test due to NFT_TEST_HAVE_sctp_chunks=n. Skip"
+	exit 77
+fi
diff --git a/tests/shell/testcases/sets/typeof_sets_1 b/tests/shell/testcases/sets/typeof_sets_1
new file mode 100755
index 0000000..e520270
--- /dev/null
+++ b/tests/shell/testcases/sets/typeof_sets_1
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# regression test for corner case in netlink_delinearize
+
+EXPECTED="table bridge t {
+	set nodhcpvlan {
+		typeof vlan id
+		elements = { 1 }
+	}
+
+	chain c1 {
+		vlan id != @nodhcpvlan vlan type arp counter packets 0 bytes 0 jump c2
+		vlan id != @nodhcpvlan vlan type ip counter packets 0 bytes 0 jump c2
+		vlan id != { 1, 2 } vlan type ip6 counter packets 0 bytes 0 jump c2
+	}
+
+	chain c2 {
+	}
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
diff --git a/tests/shell/testcases/sets/typeof_sets_concat b/tests/shell/testcases/sets/typeof_sets_concat
new file mode 100755
index 0000000..07820b7
--- /dev/null
+++ b/tests/shell/testcases/sets/typeof_sets_concat
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile"
diff --git a/tests/shell/testcases/transactions/0001table_0 b/tests/shell/testcases/transactions/0001table_0
new file mode 100755
index 0000000..9929824
--- /dev/null
+++ b/tests/shell/testcases/transactions/0001table_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+delete table x
+add table x
+add table y"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0002table_0 b/tests/shell/testcases/transactions/0002table_0
new file mode 100755
index 0000000..c5f31a6
--- /dev/null
+++ b/tests/shell/testcases/transactions/0002table_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+delete table x
+add table x
+add chain x y { type nat hook prerouting priority 0; policy accept; }
+add table x { flags dormant; }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0003table_0 b/tests/shell/testcases/transactions/0003table_0
new file mode 100755
index 0000000..91186de
--- /dev/null
+++ b/tests/shell/testcases/transactions/0003table_0
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add table y
+flush ruleset"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
+
+KERNEL_RULESET="$($NFT list ruleset)"
+if [ "" != "$KERNEL_RULESET" ] ; then
+	echo "Got a ruleset, but expected empty: "
+	echo "$KERNEL_RULESET"
+	exit 1
+fi
+
+RULESET="table ip x {
+}
+table ip y {
+}"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
+
+RULESETFAIL="flush ruleset
+create table ip nat
+create table inet filter
+create chain ip nat testchain
+delete table ip testtable"
+
+# testtable doesn't exist, batch expected to fail
+$NFT -f - <<< "$RULESETFAIL" && exit 2
+
+KERNEL_RULESET="$($NFT list ruleset)"
+if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
+        $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0010chain_0 b/tests/shell/testcases/transactions/0010chain_0
new file mode 100755
index 0000000..ce66bd6
--- /dev/null
+++ b/tests/shell/testcases/transactions/0010chain_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add chain x y
+flush ruleset
+add table w
+add chain w y"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0011chain_0 b/tests/shell/testcases/transactions/0011chain_0
new file mode 100755
index 0000000..3bed16d
--- /dev/null
+++ b/tests/shell/testcases/transactions/0011chain_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add chain x y
+delete chain x y
+add chain x y { type filter hook input priority 0; }
+add chain x y { policy drop; }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0012chain_0 b/tests/shell/testcases/transactions/0012chain_0
new file mode 100755
index 0000000..0d80ef4
--- /dev/null
+++ b/tests/shell/testcases/transactions/0012chain_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add chain x y
+flush ruleset
+add table x
+add chain x y { type filter hook input priority 0; }
+add chain x y { policy drop; }
+flush ruleset
+add table w
+add chain w y { type filter hook output priority 0; }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0013chain_0 b/tests/shell/testcases/transactions/0013chain_0
new file mode 100755
index 0000000..2756dd6
--- /dev/null
+++ b/tests/shell/testcases/transactions/0013chain_0
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add chain x y
+delete chain x y
+delete table x
+add table x
+add chain x y { type filter hook input priority 0; }
+add chain x y { policy drop; }
+flush ruleset
+add table w
+add chain w y { type filter hook output priority 0; }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0014chain_1 b/tests/shell/testcases/transactions/0014chain_1
new file mode 100755
index 0000000..cddc8a2
--- /dev/null
+++ b/tests/shell/testcases/transactions/0014chain_1
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+RULESET="add table x
+add chain x y
+delete chain x y
+delete chain x y"
+
+$NFT -f - <<< "$RULESET" 2>/dev/null || exit 0
+echo "E: allowing double-removal of chain" >&2
+exit 1
diff --git a/tests/shell/testcases/transactions/0015chain_0 b/tests/shell/testcases/transactions/0015chain_0
new file mode 100755
index 0000000..42950b3
--- /dev/null
+++ b/tests/shell/testcases/transactions/0015chain_0
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add chain x y
+add chain x z
+add rule x z jump y"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
+
+RULESET="delete rule x z handle 3
+delete chain x z
+delete chain x y
+delete table x"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0020rule_0 b/tests/shell/testcases/transactions/0020rule_0
new file mode 100755
index 0000000..f8d2d37
--- /dev/null
+++ b/tests/shell/testcases/transactions/0020rule_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add chain x y
+add rule x y ip saddr 1.1.1.1 counter
+flush ruleset"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0021rule_0 b/tests/shell/testcases/transactions/0021rule_0
new file mode 100755
index 0000000..ee265ab
--- /dev/null
+++ b/tests/shell/testcases/transactions/0021rule_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add chain x y
+add rule x y ip saddr 1.1.1.1 counter
+flush ruleset
+add table x
+add chain x y
+add rule x y ip saddr 2.2.2.2 counter"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0022rule_1 b/tests/shell/testcases/transactions/0022rule_1
new file mode 100755
index 0000000..07be53f
--- /dev/null
+++ b/tests/shell/testcases/transactions/0022rule_1
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+RULESET="add table x
+add chain x y
+delete chain x y
+add rule x y jump y"
+
+# kernel must return ENOENT
+$NFT -f - <<< "$RULESET" 2>/dev/null || exit 0
+echo "E: allowing jump loop to unexisting chain"
+exit 1
diff --git a/tests/shell/testcases/transactions/0023rule_1 b/tests/shell/testcases/transactions/0023rule_1
new file mode 100755
index 0000000..e58c088
--- /dev/null
+++ b/tests/shell/testcases/transactions/0023rule_1
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+RULESET="add table x
+add chain x y
+add rule x y jump y"
+
+# kernel must return ELOOP
+$NFT -f - <<< "$RULESET" 2>/dev/null || exit 0
+echo "E: allowing jump to chain loop"
+exit 1
diff --git a/tests/shell/testcases/transactions/0024rule_0 b/tests/shell/testcases/transactions/0024rule_0
new file mode 100755
index 0000000..4c1ac41
--- /dev/null
+++ b/tests/shell/testcases/transactions/0024rule_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+RULESET="flush ruleset
+add table x
+add chain x y
+add rule x y accept comment rule1
+add rule x y accept comment rule4
+add rule x y index 0 accept comment rule2
+insert rule x y index 2 accept comment rule3"
+
+$NFT -f - <<< "$RULESET" && \
+	$NFT -f - <<< "$RULESET" && \
+	echo "$RULESET" | tr '\n' ';' | $NFT -i >/dev/null && \
+	exit 0
+echo "E: intra-transaction rule reference failed"
+exit 1
+
diff --git a/tests/shell/testcases/transactions/0025rule_0 b/tests/shell/testcases/transactions/0025rule_0
new file mode 100755
index 0000000..d72d5cf
--- /dev/null
+++ b/tests/shell/testcases/transactions/0025rule_0
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# make sure stored delete/replace rule commands are correctly applied
+
+set -e
+
+$NFT -f - <<EOF
+flush ruleset
+table x {
+	chain y {
+		accept
+		log
+	}
+}
+EOF
+
+$NFT -f - <<EOF
+replace rule x y handle 2 log
+delete rule x y handle 3
+add rule x y index 0 drop
+EOF
diff --git a/tests/shell/testcases/transactions/0030set_0 b/tests/shell/testcases/transactions/0030set_0
new file mode 100755
index 0000000..e17b42f
--- /dev/null
+++ b/tests/shell/testcases/transactions/0030set_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+flush ruleset
+add table x"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0031set_0 b/tests/shell/testcases/transactions/0031set_0
new file mode 100755
index 0000000..b2133cf
--- /dev/null
+++ b/tests/shell/testcases/transactions/0031set_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+delete set x y
+add set x y { type ipv4_addr; }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0032set_0 b/tests/shell/testcases/transactions/0032set_0
new file mode 100755
index 0000000..5882518
--- /dev/null
+++ b/tests/shell/testcases/transactions/0032set_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+flush ruleset
+add table w
+add set w y { type ipv4_addr; }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0033set_0 b/tests/shell/testcases/transactions/0033set_0
new file mode 100755
index 0000000..6bd5893
--- /dev/null
+++ b/tests/shell/testcases/transactions/0033set_0
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+delete set x y"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0034set_0 b/tests/shell/testcases/transactions/0034set_0
new file mode 100755
index 0000000..1580c32
--- /dev/null
+++ b/tests/shell/testcases/transactions/0034set_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+add element x y { 1.1.1.1 }
+delete element x y { 1.1.1.1 }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0035set_0 b/tests/shell/testcases/transactions/0035set_0
new file mode 100755
index 0000000..0967fd4
--- /dev/null
+++ b/tests/shell/testcases/transactions/0035set_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+add element x y { 1.1.1.1, 2.2.2.2 }
+delete element x y { 1.1.1.1 }
+delete element x y { 2.2.2.2 }
+add element x y { 3.3.3.3 }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0036set_1 b/tests/shell/testcases/transactions/0036set_1
new file mode 100755
index 0000000..45d922e
--- /dev/null
+++ b/tests/shell/testcases/transactions/0036set_1
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+RULESET="add table x
+add set x y { type ipv4_addr; }
+add element x y { 1.1.1.1, 2.2.2.2 }
+delete element x y { 1.1.1.1 }
+delete element x y { 1.1.1.1 }"
+
+$NFT -f - <<< "$RULESET" 2> /dev/null || exit 0
+# Kernel must return ENOENT
+echo "E: allowing double-removal of element"
+exit 1
diff --git a/tests/shell/testcases/transactions/0037set_0 b/tests/shell/testcases/transactions/0037set_0
new file mode 100755
index 0000000..2882863
--- /dev/null
+++ b/tests/shell/testcases/transactions/0037set_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add set x y { type ipv4_addr; flags interval;}
+add element x y { 1.1.1.0/24 }
+delete element x y { 1.1.1.0/24 }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0038set_0 b/tests/shell/testcases/transactions/0038set_0
new file mode 100755
index 0000000..d7c2ba3
--- /dev/null
+++ b/tests/shell/testcases/transactions/0038set_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add set x y { type ipv4_addr; flags interval;}
+add element x y { 192.168.0.0/24, 192.168.2.0/24 }
+delete element x y { 192.168.0.0/24 }
+delete element x y { 192.168.2.0/24 }
+add element x y { 192.168.4.0/24 }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0039set_0 b/tests/shell/testcases/transactions/0039set_0
new file mode 100755
index 0000000..d7c2ba3
--- /dev/null
+++ b/tests/shell/testcases/transactions/0039set_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table x
+add set x y { type ipv4_addr; flags interval;}
+add element x y { 192.168.0.0/24, 192.168.2.0/24 }
+delete element x y { 192.168.0.0/24 }
+delete element x y { 192.168.2.0/24 }
+add element x y { 192.168.4.0/24 }"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0040set_0 b/tests/shell/testcases/transactions/0040set_0
new file mode 100755
index 0000000..468816b
--- /dev/null
+++ b/tests/shell/testcases/transactions/0040set_0
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip filter {
+	map client_to_any {
+		type ipv4_addr : verdict
+		elements = { 1.2.3.4 : goto CIn_1 }
+	}
+
+	chain FORWARD {
+		type filter hook forward priority filter; policy accept;
+		goto client_to_any
+	}
+
+	chain client_to_any {
+		ip saddr vmap @client_to_any
+	}
+
+	chain CIn_1 {
+	}
+}"
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
+
+GET="$($NFT list ruleset)"
+
+if [ "$RULESET" != "$GET" ] ; then
+	$DIFF -u <(echo "$RULESET") <(echo "$GET")
+	exit 1
+fi
+
+RULESET="delete element ip filter client_to_any { 1.2.3.4 : goto CIn_1 }
+delete chain ip filter CIn_1"
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0041nat_restore_0 b/tests/shell/testcases/transactions/0041nat_restore_0
new file mode 100755
index 0000000..9e1d6c9
--- /dev/null
+++ b/tests/shell/testcases/transactions/0041nat_restore_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+RULESET="
+add table ip t
+add chain ip t c { type nat hook postrouting priority 0; }
+"
+
+$NFT -f - <<< "$RULESET"
+
+RULESET="
+flush ruleset
+$RULESET
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/transactions/0042_stateful_expr_0 b/tests/shell/testcases/transactions/0042_stateful_expr_0
new file mode 100755
index 0000000..918e721
--- /dev/null
+++ b/tests/shell/testcases/transactions/0042_stateful_expr_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="
+add table ip filter
+add counter ip filter c1
+add map ip filter m1 { type ipv4_addr : counter ;}
+add element ip filter m1 { 1 : c1 }
+add element ip filter m1 { 1 : c1 }
+delete element ip filter m1 { 1 }
+delete counter ip filter c1"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/transactions/0043set_1 b/tests/shell/testcases/transactions/0043set_1
new file mode 100755
index 0000000..a9135c1
--- /dev/null
+++ b/tests/shell/testcases/transactions/0043set_1
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+RULESET="add table ip test
+add set ip test foo { type ipv4_addr; }
+add chain ip test tc
+add element ip test foo { 1.2.3.4 }
+add rule ip test tc ip saddr { 1.2.3.4, 5.6.7.8 } accept
+delete table ip test
+add element ip test foo { 1.2.3.6 }"
+
+# kernel must return ENOENT
+$NFT -f - <<< "$RULESET" 2>/dev/null || exit 0
+echo "E: allowing element insertion on unexisting set"
+exit 1
diff --git a/tests/shell/testcases/transactions/0044rule_0 b/tests/shell/testcases/transactions/0044rule_0
new file mode 100755
index 0000000..a4da480
--- /dev/null
+++ b/tests/shell/testcases/transactions/0044rule_0
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+
+RULESET="add table ip test
+add chain ip test tc
+add rule ip test tc counter"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
+
+RULESET="delete rule ip test tc handle 2
+flush ruleset"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
diff --git a/tests/shell/testcases/transactions/0045anon-unbind_0 b/tests/shell/testcases/transactions/0045anon-unbind_0
new file mode 100755
index 0000000..1e16af1
--- /dev/null
+++ b/tests/shell/testcases/transactions/0045anon-unbind_0
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+RULESET='table inet filter {
+ chain antileak {
+   udp dport { 137, 138 } drop comment "NetBT"
+ }
+}'
+
+set -e
+$NFT -c -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/transactions/0046set_0 b/tests/shell/testcases/transactions/0046set_0
new file mode 100755
index 0000000..172e24d
--- /dev/null
+++ b/tests/shell/testcases/transactions/0046set_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+RULESET='add table ip filter
+add chain ip filter group_7933
+add map ip filter group_7933 { type ipv4_addr : classid; flags interval; }
+add rule ip filter group_7933 meta priority 0 meta priority set ip saddr map @group_7933 counter
+add element ip filter group_7933 { 10.4.22.0/24 : "1:0xc7cb" }
+'
+
+set -e
+$NFT -f - <<< "$RULESET"
+
+RULESET='delete element ip filter group_7933 { 10.4.22.0/24 }
+flush chain ip filter group_7933
+delete chain ip filter group_7933
+delete map ip filter group_7933'
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/transactions/0047set_0 b/tests/shell/testcases/transactions/0047set_0
new file mode 100755
index 0000000..0a27231
--- /dev/null
+++ b/tests/shell/testcases/transactions/0047set_0
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+RULESET='add table ip filter
+add map ip filter group_10060 { type ipv4_addr : classid; flags interval; }
+add element ip filter group_10060 { 10.1.26.2/32 : "1:0xbbf8" }
+add element ip filter group_10060 { 10.1.26.3/32 : "1:0xc1ad" }
+add element ip filter group_10060 { 10.1.26.4/32 : "1:0xb2d7" }
+add element ip filter group_10060 { 10.1.26.5/32 : "1:0xf705" }
+add element ip filter group_10060 { 10.1.26.6/32 : "1:0xb895" }
+add element ip filter group_10060 { 10.1.26.7/32 : "1:0xec4c" }
+add element ip filter group_10060 { 10.1.26.8/32 : "1:0xde78" }
+add element ip filter group_10060 { 10.1.26.9/32 : "1:0xb4f3" }
+add element ip filter group_10060 { 10.1.26.10/32 : "1:0xdec6" }
+add element ip filter group_10060 { 10.1.26.11/32 : "1:0xb4c0" }
+add element ip filter group_10060 { 10.1.26.12/32 : "1:0xb4a2" }
+add element ip filter group_10060 { 10.1.26.13/32 : "1:0xa8ab" }
+add element ip filter group_10060 { 10.1.26.14/32 : "1:0xb3c1" }'
+
+set -e
+$NFT -f - <<< "$RULESET"
+
+RULESET='delete element ip filter group_10060 { 10.1.26.13/32 }
+delete element ip filter group_10060 { 10.1.26.14/32 }
+delete element ip filter group_10060 { 10.1.26.12/32 }'
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/transactions/0048helpers_0 b/tests/shell/testcases/transactions/0048helpers_0
new file mode 100755
index 0000000..675a977
--- /dev/null
+++ b/tests/shell/testcases/transactions/0048helpers_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+RULESET='add table ip filter
+add chain ip filter filter { type filter hook prerouting priority mangle; policy accept; }
+add ct helper ip filter ftp { type "ftp" protocol tcp; };
+add rule ip filter filter tcp dport 33 ct helper set "ftp"'
+
+set -e
+$NFT -f - <<< "$RULESET"
+
+RULESET='flush chain ip filter filter
+delete chain filter filter
+delete ct helper ip filter ftp'
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/transactions/0049huge_0 b/tests/shell/testcases/transactions/0049huge_0
new file mode 100755
index 0000000..f66953c
--- /dev/null
+++ b/tests/shell/testcases/transactions/0049huge_0
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# let's try to exceed transaction buffer space
+
+$NFT flush ruleset
+$NFT add table inet test
+$NFT add chain inet test c
+
+RULE_COUNT=3000
+
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+	# The socket limit /proc/sys/net/core/rmem_max may be unsuitable for
+	# the test.
+	#
+	# Run only a subset of the test and mark as skipped at the end.
+	RULE_COUNT=500
+fi
+
+RULESET=$(
+for ((i = 0; i < ${RULE_COUNT}; i++)); do
+	echo "add rule inet test c accept comment rule$i"
+done
+)
+test $($NFT -e -a -f - <<< "$RULESET" |grep "#[ ]\+handle[ ]\+[0-9]\+" |wc -l) -eq ${RULE_COUNT} || exit 1
+
+# same thing, but with JSON rules
+#
+$NFT flush ruleset
+$NFT add table inet test
+$NFT add chain inet test c
+
+RULESET=$(
+echo '{"nftables": ['
+for ((i = 0; i < $((${RULE_COUNT} - 1)); i++)); do
+	echo '{"add": {"rule": {"family": "inet", "table": "test", "chain": "c", "expr": [{"accept": null}], "comment": "rule'$i'"}}},'
+done
+	echo '{"add": {"rule": {"family": "inet", "table": "test", "chain": "c", "expr": [{"accept": null}], "comment": "rule'$((${RULE_COUNT} - 1))'"}}}'
+echo ']}'
+)
+
+if [ "$NFT_TEST_HAVE_json" != n ]; then
+	test $($NFT -j -e -a -f - <<< "$RULESET" |sed 's/\({"add":\)/\n\1/g' |grep '"handle"' |wc -l) -eq ${RULE_COUNT} || exit 1
+fi
+
+# Now an example from firewalld's testsuite
+#
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"table": {"family": "inet", "name": "firewalld"}}}, {"add": {"table": {"family": "ip", "name": "firewalld"}}}, {"add": {"table": {"family": "ip6", "name": "firewalld"}}},
+{"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PREROUTING", "type": "filter", "hook": "prerouting", "prio": -290}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PREROUTING_ZONES"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING", "expr": [{"jump": {"target": "raw_PREROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PREROUTING", "type": "filter", "hook": "prerouting", "prio": -140}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PREROUTING_ZONES"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING", "expr": [{"jump": {"target": "mangle_PREROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PREROUTING", "type": "nat", "hook": "prerouting", "prio": -90}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PREROUTING_ZONES"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING", "expr": [{"jump": {"target": "nat_PREROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POSTROUTING", "type": "nat", "hook": "postrouting", "prio": 110}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POSTROUTING_ZONES"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING", "expr": [{"jump": {"target": "nat_POSTROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PREROUTING", "type": "nat", "hook": "prerouting", "prio": -90}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PREROUTING_ZONES"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING", "expr": [{"jump": {"target": "nat_PREROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POSTROUTING", "type": "nat", "hook": "postrouting", "prio": 110}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POSTROUTING_ZONES"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING", "expr": [{"jump": {"target": "nat_POSTROUTING_ZONES"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_INPUT", "type": "filter", "hook": "input", "prio": 10}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FORWARD", "type": "filter", "hook": "forward", "prio": 10}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_OUTPUT", "type": "filter", "hook": "output", "prio": 10}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_INPUT_ZONES"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"match": {"left": {"ct": {"key": "status"}}, "op": "in", "right": "dnat"}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "lo"}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"jump": {"target": "filter_INPUT_ZONES"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["invalid"]}}}, {"drop": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT", "expr": [{"reject": {"type": "icmpx", "expr": "admin-prohibited"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FORWARD_IN_ZONES"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FORWARD_OUT_ZONES"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"match": {"left": {"ct": {"key": "status"}}, "op": "in", "right": "dnat"}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "lo"}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"jump": {"target": "filter_FORWARD_IN_ZONES"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"jump": {"target": "filter_FORWARD_OUT_ZONES"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["invalid"]}}}, {"drop": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "expr": [{"reject": {"type": "icmpx", "expr": "admin-prohibited"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_OUTPUT", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "lo"}}, {"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING", "expr": [{"match": {"left": {"meta": {"key": "nfproto"}}, "op": "==", "right": "ipv6"}}, {"match": {"left": {"fib": {"flags": ["saddr", "iif"], "result": "oif"}}, "op": "==", "right": false}}, {"drop": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING", "expr": [{"match": {"left": {"payload": {"protocol": "icmpv6", "field": "type"}}, "op": "==", "right": {"set": ["nd-router-advert", "nd-neighbor-solicit"]}}}, {"accept": null}]}}},
+{"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_OUTPUT", "index": 0, "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": {"set": [{"prefix": {"addr": "::0.0.0.0", "len": 96}}, {"prefix": {"addr": "::ffff:0.0.0.0", "len": 96}}, {"prefix": {"addr": "2002:0000::", "len": 24}}, {"prefix": {"addr": "2002:0a00::", "len": 24}}, {"prefix": {"addr": "2002:7f00::", "len": 24}}, {"prefix": {"addr": "2002:ac10::", "len": 28}}, {"prefix": {"addr": "2002:c0a8::", "len": 32}}, {"prefix": {"addr": "2002:a9fe::", "len": 32}}, {"prefix": {"addr": "2002:e000::", "len": 19}}]}}}, {"reject": {"type": "icmpv6", "expr": "addr-unreachable"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD", "index": 2, "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": {"set": [{"prefix": {"addr": "::0.0.0.0", "len": 96}}, {"prefix": {"addr": "::ffff:0.0.0.0", "len": 96}}, {"prefix": {"addr": "2002:0000::", "len": 24}}, {"prefix": {"addr": "2002:0a00::", "len": 24}}, {"prefix": {"addr": "2002:7f00::", "len": 24}}, {"prefix": {"addr": "2002:ac10::", "len": 28}}, {"prefix": {"addr": "2002:c0a8::", "len": 32}}, {"prefix": {"addr": "2002:a9fe::", "len": 32}}, {"prefix": {"addr": "2002:e000::", "len": 19}}]}}}, {"reject": {"type": "icmpv6", "expr": "addr-unreachable"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_public", "expr": [{"jump": {"target": "raw_PRE_public_post"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "expr": [{"jump": {"target": "filter_IN_public_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public_allow", "expr": [{"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 22}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public_allow", "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": {"prefix": {"addr": "fe80::", "len": 64}}}}, {"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 546}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "expr": [{"jump": {"target": "filter_FWDI_public_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING_ZONES", "expr": [{"goto": {"target": "raw_PRE_public"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_public", "expr": [{"jump": {"target": "mangle_PRE_public_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"goto": {"target": "mangle_PRE_public"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_public_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_public_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_public", "expr": [{"jump": {"target": "nat_PRE_public_post"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"goto": {"target": "nat_PRE_public"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"goto": {"target": "nat_PRE_public"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_public_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_public_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_public", "expr": [{"jump": {"target": "nat_POST_public_post"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"goto": {"target": "nat_POST_public"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"goto": {"target": "nat_POST_public"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"goto": {"target": "filter_IN_public"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"goto": {"target": "filter_FWDI_public"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_public_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_public", "expr": [{"jump": {"target": "filter_FWDO_public_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"goto": {"target": "filter_FWDO_public"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_trusted", "expr": [{"jump": {"target": "raw_PRE_trusted_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "raw_PRE_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_trusted", "expr": [{"jump": {"target": "mangle_PRE_trusted_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "mangle_PRE_trusted"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_trusted_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_trusted_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_trusted", "expr": [{"jump": {"target": "nat_PRE_trusted_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "nat_PRE_trusted"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "nat_PRE_trusted"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_trusted_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_trusted_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_trusted", "expr": [{"jump": {"target": "nat_POST_trusted_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "nat_POST_trusted"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "nat_POST_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"jump": {"target": "filter_IN_trusted_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_trusted", "expr": [{"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "filter_IN_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"jump": {"target": "filter_FWDI_trusted_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_trusted", "expr": [{"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "filter_FWDI_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_trusted_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"jump": {"target": "filter_FWDO_trusted_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_trusted", "expr": [{"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy2"}}, {"goto": {"target": "filter_FWDO_trusted"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PRE_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PRE_work", "expr": [{"jump": {"target": "raw_PRE_work_post"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "expr": [{"jump": {"target": "filter_IN_work_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work_allow", "expr": [{"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 22}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work_allow", "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": {"prefix": {"addr": "fe80::", "len": 64}}}}, {"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 546}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "raw_PRE_work"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_work", "expr": [{"jump": {"target": "mangle_PRE_work_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "mangle_PRE_work"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_work_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_work_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_work", "expr": [{"jump": {"target": "nat_PRE_work_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "nat_PRE_work"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "nat_PRE_work"}}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_work_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_work_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_work", "expr": [{"jump": {"target": "nat_POST_work_post"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "nat_POST_work"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "nat_POST_work"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "filter_IN_work"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "expr": [{"jump": {"target": "filter_FWDI_work_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "filter_FWDI_work"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_work_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_work", "expr": [{"jump": {"target": "filter_FWDO_work_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "perm_dummy"}}, {"goto": {"target": "filter_FWDO_work"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_work", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_work", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}]}'
+
+if [ "$NFT_TEST_HAVE_json" != n ]; then
+	test -z "$($NFT -j -e -a -f - <<< "$RULESET" |sed 's/\({"add":\|{"insert":\)/\n\1/g' |grep '\({"add":\|{"insert":\)' | grep -v '"handle"')"
+fi
+
+if [ "$NFT_TEST_HAVE_json" = n ]; then
+	echo "Test partially skipped due to missing JSON support."
+	exit 77
+fi
+
+if [ "$RULE_COUNT" != 3000 ] ; then
+	echo "NFT_TEST_HAS_SOCKET_LIMITS indicates that the socket limit for"
+	echo "/proc/sys/net/core/rmem_max is too small for this test. Mark as SKIPPED"
+	echo "You may bump the limit and rerun with \`NFT_TEST_HAS_SOCKET_LIMITS=n\`."
+	exit 77
+fi
diff --git a/tests/shell/testcases/transactions/0050rule_1 b/tests/shell/testcases/transactions/0050rule_1
new file mode 100755
index 0000000..89e5f42
--- /dev/null
+++ b/tests/shell/testcases/transactions/0050rule_1
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table inet filter {
+	flowtable ftable {
+		hook ingress priority 0; devices = { eno1, eno0, x };
+	}
+
+chain forward {
+	type filter hook forward priority 0; policy drop;
+
+	ip protocol { tcp, udp } ct mark and 1 == 1 counter flow add @ftable
+	ip6 nexthdr { tcp, udp } ct mark and 2 == 2 counter flow add @ftable
+	ct mark and 30 == 30 ct state established,related log prefix \"nftables accept: \" level info accept
+	}
+}"
+
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
diff --git a/tests/shell/testcases/transactions/0051map_0 b/tests/shell/testcases/transactions/0051map_0
new file mode 100755
index 0000000..9ea5cd4
--- /dev/null
+++ b/tests/shell/testcases/transactions/0051map_0
@@ -0,0 +1,122 @@
+#!/bin/bash
+
+rnd=$(mktemp -u XXXXXXXX)
+ns1="nft1trans-$rnd"
+
+#
+# dependency tracking for implicit set
+#
+RULESET="table ip x {
+	chain w {}
+	chain m {}
+
+	chain y {
+		ip saddr vmap { 1.1.1.1 : jump w, 2.2.2.2 : accept, 3.3.3.3 : goto m }
+	}
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns add $ns1
+ip netns exec $ns1 $NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns del $ns1
+
+RULESET="flush chain ip x y
+delete chain ip x w"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+
+#
+# dependency tracking for map in implicit chain
+#
+RULESET="table ip x {
+	chain w {}
+	chain m {}
+
+	chain y {
+		meta iifname \"eno1\" jump {
+			ip saddr vmap { 1.1.1.1 : jump w, 3.3.3.3 : goto m }
+		}
+	}
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns add $ns1
+ip netns exec $ns1 $NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns del $ns1
+
+RULESET="flush chain ip x y
+delete chain ip x w"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+
+#
+# dependency tracking for explicit map
+#
+RULESET="table ip x {
+	chain w {}
+	chain m {}
+
+	map y {
+		type ipv4_addr : verdict
+		elements = { 1.1.1.1 : jump w, 2.2.2.2 : accept, 3.3.3.3 : goto m }
+	}
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns add $ns1
+ip netns exec $ns1 $NFT -f - <<< "$RULESET" >/dev/null || exit 0
+ip netns del $ns1
+
+RULESET="delete set ip x y
+delete chain ip x w"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+
+#
+# error path for implicit set
+#
+RULESET="table inet filter {
+	chain w {
+		jump z
+	}
+	chain z {
+		jump w
+	}
+
+	chain test {
+		ip protocol { tcp, udp } ip saddr vmap { 1.1.1.1 : jump z } counter flow add @nonexisting
+		ip6 nexthdr { tcp, udp } ct mark and 2 == 2 counter
+	}
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+
+#
+# error path for implicit set
+#
+RULESET="table inet filter {
+	chain w {
+		jump z
+	}
+	chain z {
+		jump w
+	}
+
+	chain test {
+		ip protocol { tcp, udp } jump {
+			ip saddr vmap { 1.1.1.1 : jump z }
+		}
+	        ip6 nexthdr { tcp, udp } ct mark and 2 == 2 counter
+	}
+}"
+
+$NFT -c -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT -f - <<< "$RULESET" >/dev/null || exit 0
+$NFT flush table inet filter || exit 0
diff --git a/tests/shell/testcases/transactions/30s-stress b/tests/shell/testcases/transactions/30s-stress
new file mode 100755
index 0000000..4c3c6a2
--- /dev/null
+++ b/tests/shell/testcases/transactions/30s-stress
@@ -0,0 +1,637 @@
+#!/bin/bash
+
+# NFT_TEST_SKIP(NFT_TEST_SKIP_slow)
+
+runtime=30
+
+# allow stand-alone execution as well, e.g. '$0 3600'
+if [ x"$1" != "x" ] ;then
+	if [ $1 -ge 0 ]; then
+		runtime="$1"
+	else
+		echo "Invalid runtime $1"
+		exit 1
+	fi
+fi
+
+if [ x = x"$NFT" ] ; then
+	NFT=nft
+fi
+
+if [ "$NFT_TEST_HAS_SOCKET_LIMITS" = y ] ; then
+	# The socket limit /proc/sys/net/core/wmem_max may be unsuitable for
+	# the test.
+	#
+	# Skip it. You may ensure that the limits are suitable and rerun
+	# with NFT_TEST_HAS_SOCKET_LIMITS=n.
+	exit 77
+fi
+
+if [ -z "${NFT_TEST_HAVE_chain_binding+x}" ] ; then
+	NFT_TEST_HAVE_chain_binding=n
+	mydir="$(dirname "$0")"
+	$NFT --check -f "$mydir/../../features/chain_binding.nft"
+	if [ $? -eq 0 ];then
+		NFT_TEST_HAVE_chain_binding=y
+	else
+		echo "Assuming anonymous chains are not supported"
+	fi
+fi
+
+testns=testns-$(mktemp -u "XXXXXXXX")
+tmp=""
+
+faultname="/proc/self/make-it-fail"
+tables="foo bar"
+
+failslab_defaults() {
+	test -w $faultname || return
+
+	# Disable fault injection unless process has 'make-it-fail' set
+	echo Y > /sys/kernel/debug/failslab/task-filter
+
+	# allow all slabs to fail (if process is tagged).
+	find /sys/kernel/slab/ -wholename '*/kmalloc-[0-9]*/failslab' -type f -exec sh -c 'echo 1 > {}' \;
+
+	# no limit on the number of failures, or clause works around old kernels that reject negative integer.
+	echo -1 > /sys/kernel/debug/failslab/times 2>/dev/null || printf '%#x -1' > /sys/kernel/debug/failslab/times
+
+	# Set to 2 for full dmesg traces for each injected error
+	echo 0 > /sys/kernel/debug/failslab/verbose
+}
+
+failslab_random()
+{
+	r=$((RANDOM%2))
+
+	if [ $r -eq 0 ]; then
+		echo Y > /sys/kernel/debug/failslab/ignore-gfp-wait
+	else
+		echo N > /sys/kernel/debug/failslab/ignore-gfp-wait
+	fi
+
+	r=$((RANDOM%5))
+	echo $r > /sys/kernel/debug/failslab/probability
+	r=$((RANDOM%100))
+	echo $r > /sys/kernel/debug/failslab/interval
+
+	# allow a small initial 'success budget'.
+	# failures only appear after this many allocated bytes.
+	r=$((RANDOM%16384))
+	echo $r > /sys/kernel/debug/$FAILTYPE/space
+}
+
+netns_del() {
+	ip netns pids "$testns" | xargs kill 2>/dev/null
+	ip netns del "$testns"
+}
+
+netns_add()
+{
+	ip netns add "$testns"
+	ip -netns "$testns" link set lo up
+}
+
+cleanup() {
+	[ "$tmp" = "" ] || rm -f "$tmp"
+	netns_del
+}
+
+nft_with_fault_inject()
+{
+	file="$1"
+
+	if [ -w "$faultname" ]; then
+		failslab_random
+
+		ip netns exec "$testns" bash -c "echo 1 > $faultname ; exec $NFT -f $file"
+	fi
+
+	ip netns exec "$testns" $NFT -f "$file"
+}
+
+trap cleanup EXIT
+tmp=$(mktemp)
+
+jump_or_goto()
+{
+	if [ $((RANDOM & 1)) -eq 0 ] ;then
+		echo -n "jump"
+	else
+		echo -n "goto"
+	fi
+}
+
+random_verdict()
+{
+	max="$1"
+
+	if [ $max -eq 0 ]; then
+		max=1
+	fi
+
+	rnd=$((RANDOM%max))
+
+	if [ $rnd -gt 0 ];then
+		jump_or_goto
+		printf " chain%03u" "$((rnd+1))"
+		return
+	fi
+
+	if [ $((RANDOM & 1)) -eq 0 ] ;then
+		echo "accept"
+	else
+		echo "drop"
+	fi
+}
+
+randsleep()
+{
+	local s=$((RANDOM%1))
+	local ms=$((RANDOM%1000))
+	sleep $s.$ms
+}
+
+randlist()
+{
+	while [ -r $tmp ]; do
+		randsleep
+		ip netns exec $testns $NFT list ruleset > /dev/null
+	done
+}
+
+randflush()
+{
+	while [ -r $tmp ]; do
+		randsleep
+		ip netns exec $testns $NFT flush ruleset > /dev/null
+	done
+}
+
+randdeltable()
+{
+	while [ -r $tmp ]; do
+		randsleep
+		for t in $tables; do
+			r=$((RANDOM%10))
+
+			if [ $r -eq 1 ] ;then
+				ip netns exec $testns $NFT delete table inet $t
+				randsleep
+			fi
+		done
+	done
+}
+
+randdelset()
+{
+	while [ -r $tmp ]; do
+		randsleep
+		for t in $tables; do
+			r=$((RANDOM%10))
+			s=$((RANDOM%10))
+
+			case $r in
+			0)
+				setname=set_$s
+				;;
+			1)
+				setname=sett${s}
+				;;
+			2)
+				setname=dmap_${s}
+				;;
+			3)
+				setname=dmapt${s}
+				;;
+			4)
+				setname=vmap_${s}
+				;;
+			5)
+				setname=vmapt${s}
+				;;
+			*)
+				continue
+				;;
+			esac
+
+			if [ $r -eq 1 ] ;then
+				ip netns exec $testns $NFT delete set inet $t $setname
+			fi
+		done
+	done
+}
+
+randdelchain()
+{
+	while [ -r $tmp ]; do
+		for t in $tables; do
+			local c=$((RANDOM%100))
+			randsleep
+			chain=$(printf "chain%03u" "$c")
+
+			local r=$((RANDOM%10))
+			if [ $r -eq 1 ];then
+				# chain can be invalid/unknown.
+				ip netns exec $testns $NFT delete chain inet $t $chain
+			fi
+		done
+	done
+}
+
+randdisable()
+{
+	while [ -r $tmp ]; do
+		for t in $tables; do
+			randsleep
+			local r=$((RANDOM%10))
+			if [ $r -eq 1 ];then
+				ip netns exec $testns $NFT add table inet $t '{flags dormant; }'
+				randsleep
+				ip netns exec $testns $NFT add table inet $t '{ }'
+			fi
+		done
+	done
+}
+
+randdelns()
+{
+	while [ -r $tmp ]; do
+		randsleep
+		netns_del
+		netns_add
+		randsleep
+	done
+}
+
+random_element_string=""
+
+# create a random element.  Could cause any of the following:
+# 1. Invalid set/map
+# 2. Element already exists in set/map w. create
+# 3. Element is new but wants to jump to unknown chain
+# 4. Element already exsists in set/map w. add, but verdict (map data) differs
+# 5. Element is created/added/deleted from 'flags constant' set.
+random_elem()
+{
+	tr=$((RANDOM%2))
+	t=0
+
+	for table in $tables; do
+		if [ $t -ne $tr ]; then
+			t=$((t+1))
+			continue
+		fi
+
+		kr=$((RANDOM%2))
+		k=0
+		cnt=0
+		for key in "single" "concat"; do
+			if [ $k -ne $kr ] ;then
+				cnt=$((cnt+2))
+				k=$((k+1))
+				continue
+			fi
+
+			fr=$((RANDOM%2))
+			f=0
+			for flags in "" "interval" ; do
+				cnt=$((cnt+1))
+				if [ $f -ne fkr ] ;then
+					f=$((f+1))
+					continue
+				fi
+
+				want="${key}${flags}"
+
+				e=$((RANDOM%256))
+				case "$want" in
+				"single") element="10.1.1.$e"
+					;;
+				"concat") element="10.1.2.$e . $((RANDOM%65536))"
+					;;
+				"singleinterval") element="10.1.$e.0-10.1.$e.$e"
+					;;
+				"concatinterval") element="10.1.$e.0-10.1.$e.$e . $((RANDOM%65536))"
+					;;
+				*)	echo "bogus key $want"
+					exit 111
+					;;
+				esac
+
+				# This may result in invalid jump, but thats what we want.
+				count=$(($RANDOM%100))
+
+				r=$((RANDOM%7))
+				case "$r" in
+				0)
+					random_element_string=" inet $table set_${cnt} { $element }"
+					;;
+				1)	random_element_string="inet $table sett${cnt} { $element timeout $((RANDOM%60))s }"
+					;;
+				2)	random_element_string="inet $table dmap_${cnt} { $element : $RANDOM }"
+					;;
+				3)	random_element_string="inet $table dmapt${cnt} { $element timeout $((RANDOM%60))s : $RANDOM }"
+					;;
+				4)	random_element_string="inet $table vmap_${cnt} { $element : `random_verdict $count` }"
+					;;
+				5)	random_element_string="inet $table vmapt${cnt} { $element timeout $((RANDOM%60))s : `random_verdict $count` }"
+					;;
+				6)	random_element_string="inet $table setc${cnt} { $element }"
+					;;
+				esac
+
+				return
+			done
+		done
+	done
+}
+
+randload()
+{
+	while [ -r $tmp ]; do
+		random_element_string=""
+		r=$((RANDOM%10))
+
+		what=""
+		case $r in
+		1)
+			(echo "flush ruleset"; cat "$tmp"
+			 echo "insert rule inet foo INPUT meta nftrace set 1"
+			 echo "insert rule inet foo OUTPUT meta nftrace set 1"
+			) | nft_with_fault_inject "/dev/stdin"
+			;;
+		2)	what="add"
+			;;
+		3)	what="create"
+			;;
+		4)	what="delete"
+			;;
+		5)	what="destroy"
+			;;
+		6)	what="get"
+			;;
+		*)
+			randsleep
+			;;
+		esac
+
+		if [ x"$what" = "x" ]; then
+			nft_with_fault_inject "$tmp"
+		else
+			# This can trigger abort path, for various reasons:
+			# invalid set name
+			# key mismatches set specification (concat vs. single value)
+			# attempt to delete non-existent key
+			# attempt to create dupliacte key
+			# attempt to add duplicate key with non-matching value (data)
+			# attempt to add new uniqeue key with a jump to an unknown chain
+			random_elem
+			( cat "$tmp"; echo "$what element $random_element_string") | nft_with_fault_inject "/dev/stdin"
+		fi
+	done
+}
+
+randmonitor()
+{
+	while [ -r $tmp ]; do
+		randsleep
+		timeout=$((RANDOM%16))
+		timeout $((timeout+1)) $NFT monitor > /dev/null
+	done
+}
+
+floodping() {
+	cpunum=$(grep -c processor /proc/cpuinfo)
+	cpunum=$((cpunum+1))
+
+	while [ -r $tmp ]; do
+		spawn=$((RANDOM%$cpunum))
+
+		# spawn at most $cpunum processes. Or maybe none at all.
+		i=0
+		while [ $i -lt $spawn ]; do
+			mask=$(printf 0x%x $((1<<$i)))
+		        timeout 3 ip netns exec "$testns" taskset $mask ping -4 -fq 127.0.0.1 > /dev/null &
+		        timeout 3 ip netns exec "$testns" taskset $mask ping -6 -fq ::1 > /dev/null &
+			i=$((i+1))
+		done
+
+		wait
+		randsleep
+	done
+}
+
+stress_all()
+{
+	# if fault injection is enabled, first a quick test to trigger
+	# abort paths without any parallel deletes/flushes.
+	if [ -w $faultname ] ;then
+		for i in $(seq 1 10);do
+			nft_with_fault_inject "$tmp"
+		done
+	fi
+
+	randlist &
+	randflush &
+	randdeltable &
+	randdisable &
+	randdelchain &
+	randdelset &
+	randdelns &
+	randload &
+	randmonitor &
+}
+
+gen_anon_chain_jump()
+{
+	echo -n "insert rule inet $@ "
+	jump_or_goto
+
+	if [ "$NFT_TEST_HAVE_chain_binding" = n ] ; then
+		echo " defaultchain"
+		return
+	fi
+
+	echo -n " { "
+	jump_or_goto
+	echo " defaultchain; counter; }"
+}
+
+gen_ruleset() {
+echo > "$tmp"
+for table in $tables; do
+	count=$((RANDOM % 100))
+	if [ $count -lt 1 ];then
+		count=1
+	fi
+
+	echo add table inet "$table" >> "$tmp"
+	echo flush table inet "$table" >> "$tmp"
+
+	echo "add chain inet $table INPUT { type filter hook input priority 0; }" >> "$tmp"
+	echo "add chain inet $table OUTPUT { type filter hook output priority 0; }" >> "$tmp"
+	for c in $(seq 1 $count); do
+		chain=$(printf "chain%03u" "$c")
+		echo "add chain inet $table $chain" >> "$tmp"
+	done
+
+	echo "add chain inet $table defaultchain" >> "$tmp"
+
+	for c in $(seq 1 $count); do
+		chain=$(printf "chain%03u" "$c")
+		for BASE in INPUT OUTPUT; do
+			echo "add rule inet $table $BASE counter jump $chain" >> "$tmp"
+		done
+		if [ $((RANDOM%10)) -eq 1 ];then
+			echo "add rule inet $table $chain counter jump defaultchain" >> "$tmp"
+		else
+			echo "add rule inet $table $chain counter return" >> "$tmp"
+		fi
+	done
+
+	cnt=0
+
+	# add a few anonymous sets. rhashtable is convered by named sets below.
+	c=$((RANDOM%$count))
+	chain=$(printf "chain%03u" "$((c+1))")
+	echo "insert rule inet $table $chain tcp dport 22-26 ip saddr { 1.2.3.4, 5.6.7.8 } counter comment hash_fast" >> "$tmp"
+	echo "insert rule inet $table $chain ip6 saddr { ::1, dead::beef } counter" comment hash >> "$tmp"
+	echo "insert rule inet $table $chain ip saddr { 1.2.3.4 - 5.6.7.8, 127.0.0.1 } comment rbtree" >> "$tmp"
+	# bitmap 1byte, with anon chain jump
+	gen_anon_chain_jump "$table $chain ip protocol { 6, 17 }" >> "$tmp"
+
+	# bitmap 2byte
+	echo "insert rule inet $table $chain tcp dport != { 22, 23, 80 } goto defaultchain" >> "$tmp"
+	echo "insert rule inet $table $chain tcp dport { 1-1024, 8000-8080 } jump defaultchain comment rbtree" >> "$tmp"
+	# pipapo (concat + set), with goto anonymous chain.
+	gen_anon_chain_jump "$table $chain ip saddr . tcp dport { 1.2.3.4 . 1-1024, 1.2.3.6 - 1.2.3.10 . 8000-8080, 1.2.3.4 . 8080, 1.2.3.6 - 1.2.3.10 . 22 }" >> "$tmp"
+
+	# add a few anonymous sets. rhashtable is convered by named sets below.
+	c=$((RANDOM%$count))
+	chain=$(printf "chain%03u" "$((c+1))")
+	echo "insert rule inet $table $chain tcp dport 22-26 ip saddr { 1.2.3.4, 5.6.7.8 } counter comment hash_fast" >> "$tmp"
+	echo "insert rule inet $table $chain ip6 saddr { ::1, dead::beef } counter" comment hash >> "$tmp"
+	echo "insert rule inet $table $chain ip saddr { 1.2.3.4 - 5.6.7.8, 127.0.0.1 } comment rbtree" >> "$tmp"
+	# bitmap 1byte, with anon chain jump
+	gen_anon_chain_jump "$table $chain ip protocol { 6, 17 }" >> "$tmp"
+	# bitmap 2byte
+	echo "insert rule inet $table $chain tcp dport != { 22, 23, 80 } goto defaultchain" >> "$tmp"
+	echo "insert rule inet $table $chain tcp dport { 1-1024, 8000-8080 } jump defaultchain comment rbtree" >> "$tmp"
+	# pipapo (concat + set), with goto anonymous chain.
+	gen_anon_chain_jump "$table $chain ip saddr . tcp dport { 1.2.3.4 . 1-1024, 1.2.3.6 - 1.2.3.10 . 8000-8080, 1.2.3.4 . 8080, 1.2.3.6 - 1.2.3.10 . 22 }" >> "$tmp"
+
+	# add constant/immutable sets
+	size=$((RANDOM%5120000))
+	size=$((size+2))
+	echo "add set inet $table setc1 { typeof tcp dport; size $size; flags constant; elements = { 22, 44 } }" >> "$tmp"
+	echo "add set inet $table setc2 { typeof ip saddr; size $size; flags constant; elements = { 1.2.3.4, 5.6.7.8 } }" >> "$tmp"
+	echo "add set inet $table setc3 { typeof ip6 daddr; size $size; flags constant; elements = { ::1, dead::1 } }" >> "$tmp"
+	echo "add set inet $table setc4 { typeof tcp dport; size $size; flags interval,constant; elements = { 22-44, 55-66 } }" >> "$tmp"
+	echo "add set inet $table setc5 { typeof ip saddr; size $size; flags interval,constant; elements = { 1.2.3.4-5.6.7.8, 10.1.1.1 } }" >> "$tmp"
+	echo "add set inet $table setc6 { typeof ip6 daddr; size $size; flags interval,constant; elements = { ::1, dead::1-dead::3 } }" >> "$tmp"
+
+	# add named sets with various combinations (plain value, range, concatenated values, concatenated ranges, with timeouts, with data ...)
+	for key in "ip saddr" "ip saddr . tcp dport"; do
+		for flags in "" "flags interval;" ; do
+			timeout=$((RANDOM%10))
+			timeout=$((timeout+1))
+			timeout="timeout ${timeout}s"
+
+			cnt=$((cnt+1))
+			echo "add set inet $table set_${cnt}  { typeof ${key} ; ${flags} }" >> "$tmp"
+			echo "add set inet $table sett${cnt} { typeof ${key} ; $timeout; ${flags} }" >> "$tmp"
+			echo "add map inet $table dmap_${cnt} { typeof ${key} : meta mark ; ${flags} }" >> "$tmp"
+			echo "add map inet $table dmapt${cnt} { typeof ${key} : meta mark ; $timeout ; ${flags} }" >> "$tmp"
+			echo "add map inet $table vmap_${cnt} { typeof ${key} : verdict ; ${flags} }" >> "$tmp"
+			echo "add map inet $table vmapt${cnt} { typeof ${key} : verdict; $timeout ; ${flags} }" >> "$tmp"
+		done
+	done
+
+	cnt=0
+	for key in "single" "concat"; do
+		for flags in "" "interval" ; do
+			want="${key}${flags}"
+			cnt=$((cnt+1))
+			maxip=$((RANDOM%256))
+
+			if [ $maxip -eq 0 ];then
+				maxip=1
+			fi
+
+			for e in $(seq 1 $maxip);do
+				case "$want" in
+				"single") element="10.1.1.$e"
+					;;
+				"concat")
+					element="10.1.2.$e . $((RANDOM%65536))"
+					;;
+				"singleinterval")
+					element="10.1.$e.0-10.1.$e.$e"
+					;;
+				"concatinterval")
+					element="10.1.$e.0-10.1.$e.$e . $((RANDOM%65536))"
+					;;
+				*)
+					echo "bogus key $want"
+					exit 111
+					;;
+				esac
+
+				echo "add element inet $table set_${cnt} { $element }" >> "$tmp"
+				echo "add element inet $table sett${cnt} { $element timeout $((RANDOM%60))s }" >> "$tmp"
+				echo "add element inet $table dmap_${cnt} { $element : $RANDOM }" >> "$tmp"
+				echo "add element inet $table dmapt${cnt} { $element timeout $((RANDOM%60))s : $RANDOM }" >> "$tmp"
+				echo "add element inet $table vmap_${cnt} { $element : `random_verdict $count` }" >> "$tmp"
+				echo "add element inet $table vmapt${cnt} { $element timeout $((RANDOM%60))s : `random_verdict $count` }" >> "$tmp"
+			done
+		done
+	done
+done
+}
+
+run_test()
+{
+	local time_now=$(date +%s)
+	local time_stop=$((time_now + $runtime))
+	local regen=30
+
+	while [ $time_now -lt $time_stop ]; do
+		if [ $regen -gt 0 ];then
+			sleep 1
+			time_now=$(date +%s)
+			regen=$((regen-1))
+			continue
+		fi
+
+		# This clobbers the previously generated ruleset, this is intentional.
+		gen_ruleset
+		regen=$((RANDOM%60))
+		regen=$((regen+2))
+		time_now=$(date +%s)
+	done
+}
+
+netns_add
+
+gen_ruleset
+ip netns exec "$testns" $NFT -f "$tmp" || exit 1
+
+failslab_defaults
+
+stress_all 2>/dev/null &
+
+randsleep
+
+floodping 2> /dev/null &
+
+run_test
+
+# this stops stress_all
+rm -f "$tmp"
+tmp=""
+sleep 4
+
+if [ "$NFT_TEST_HAVE_chain_binding" = n ] ; then
+	echo "Ran a modified version of the test due to NFT_TEST_HAVE_chain_binding=n"
+fi
diff --git a/tests/shell/testcases/transactions/anon_chain_loop b/tests/shell/testcases/transactions/anon_chain_loop
new file mode 100755
index 0000000..2fd6181
--- /dev/null
+++ b/tests/shell/testcases/transactions/anon_chain_loop
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# anon chains with c1 -> c2 recursive jump, expect failure
+$NFT -f - <<EOF
+table ip t {
+ chain c2 { }
+ chain c1 { }
+}
+
+add t c1 ip saddr 127.0.0.1 jump { jump c2; }
+add t c2 ip saddr 127.0.0.1 jump { jump c1; }
+EOF
+
+if [ $? -eq 0 ] ; then
+        echo "E: able to load bad ruleset" >&2
+        exit 1
+fi
+
+exit 0
diff --git a/tests/shell/testcases/transactions/bad_expression b/tests/shell/testcases/transactions/bad_expression
new file mode 100755
index 0000000..794b625
--- /dev/null
+++ b/tests/shell/testcases/transactions/bad_expression
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# table with invalid expression (masquerade called from filter table).
+# nft must return an error.  Also catch nfnetlink retry loops that
+# cause nft or kernel to spin.
+timeout 3 $NFT -f - <<EOF
+table ip t0 {
+	chain c { }
+	chain input {
+		type filter hook input priority 0;
+		jump c
+	}
+}
+
+table ip t1 {
+	chain a {
+		masquerade
+	}
+	chain input {
+		type filter hook input priority 1;
+		jump a
+	}
+}
+EOF
+
+rc=$?
+if [ $rc -eq 0 ]; then
+	echo "Ruleset should have failed" 1>&2
+	exit 111
+fi
+
+# 124 means 'command timed out', fail if this
+# happens.  Else, pass, failure is wanted here.
+if [ $rc -ne 124 ]; then
+	exit 0
+fi
+
+exit $rc
diff --git a/tests/shell/testcases/transactions/dumps/0001table_0.nft b/tests/shell/testcases/transactions/dumps/0001table_0.nft
new file mode 100644
index 0000000..e4e5f9b
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0001table_0.nft
@@ -0,0 +1,4 @@
+table ip x {
+}
+table ip y {
+}
diff --git a/tests/shell/testcases/transactions/dumps/0002table_0.nft b/tests/shell/testcases/transactions/dumps/0002table_0.nft
new file mode 100644
index 0000000..429cbc3
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0002table_0.nft
@@ -0,0 +1,7 @@
+table ip x {
+	flags dormant
+
+	chain y {
+		type nat hook prerouting priority filter; policy accept;
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0003table_0.nft b/tests/shell/testcases/transactions/dumps/0003table_0.nft
new file mode 100644
index 0000000..e4e5f9b
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0003table_0.nft
@@ -0,0 +1,4 @@
+table ip x {
+}
+table ip y {
+}
diff --git a/tests/shell/testcases/transactions/dumps/0010chain_0.nft b/tests/shell/testcases/transactions/dumps/0010chain_0.nft
new file mode 100644
index 0000000..aa4a521
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0010chain_0.nft
@@ -0,0 +1,4 @@
+table ip w {
+	chain y {
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0011chain_0.nft b/tests/shell/testcases/transactions/dumps/0011chain_0.nft
new file mode 100644
index 0000000..df88ad4
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0011chain_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+	chain y {
+		type filter hook input priority filter; policy drop;
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0012chain_0.nft b/tests/shell/testcases/transactions/dumps/0012chain_0.nft
new file mode 100644
index 0000000..b9f5e43
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0012chain_0.nft
@@ -0,0 +1,5 @@
+table ip w {
+	chain y {
+		type filter hook output priority filter; policy accept;
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0013chain_0.nft b/tests/shell/testcases/transactions/dumps/0013chain_0.nft
new file mode 100644
index 0000000..b9f5e43
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0013chain_0.nft
@@ -0,0 +1,5 @@
+table ip w {
+	chain y {
+		type filter hook output priority filter; policy accept;
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0014chain_1.nft b/tests/shell/testcases/transactions/dumps/0014chain_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0014chain_1.nft
diff --git a/tests/shell/testcases/transactions/dumps/0015chain_0.nft b/tests/shell/testcases/transactions/dumps/0015chain_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0015chain_0.nft
diff --git a/tests/shell/testcases/transactions/dumps/0020rule_0.nft b/tests/shell/testcases/transactions/dumps/0020rule_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0020rule_0.nft
diff --git a/tests/shell/testcases/transactions/dumps/0021rule_0.nft b/tests/shell/testcases/transactions/dumps/0021rule_0.nft
new file mode 100644
index 0000000..a6c4130
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0021rule_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+	chain y {
+		ip saddr 2.2.2.2 counter packets 0 bytes 0
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0022rule_1.nft b/tests/shell/testcases/transactions/dumps/0022rule_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0022rule_1.nft
diff --git a/tests/shell/testcases/transactions/dumps/0023rule_1.nft b/tests/shell/testcases/transactions/dumps/0023rule_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0023rule_1.nft
diff --git a/tests/shell/testcases/transactions/dumps/0024rule_0.nft b/tests/shell/testcases/transactions/dumps/0024rule_0.nft
new file mode 100644
index 0000000..7860ff6
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0024rule_0.nft
@@ -0,0 +1,8 @@
+table ip x {
+	chain y {
+		accept comment "rule1"
+		accept comment "rule2"
+		accept comment "rule3"
+		accept comment "rule4"
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0025rule_0.nft b/tests/shell/testcases/transactions/dumps/0025rule_0.nft
new file mode 100644
index 0000000..dcb61ae
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0025rule_0.nft
@@ -0,0 +1,6 @@
+table ip x {
+	chain y {
+		log
+		drop
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0030set_0.nft b/tests/shell/testcases/transactions/dumps/0030set_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0030set_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/transactions/dumps/0031set_0.nft b/tests/shell/testcases/transactions/dumps/0031set_0.nft
new file mode 100644
index 0000000..e3d4aee
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0031set_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+	set y {
+		type ipv4_addr
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0032set_0.nft b/tests/shell/testcases/transactions/dumps/0032set_0.nft
new file mode 100644
index 0000000..7d11892
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0032set_0.nft
@@ -0,0 +1,5 @@
+table ip w {
+	set y {
+		type ipv4_addr
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0033set_0.nft b/tests/shell/testcases/transactions/dumps/0033set_0.nft
new file mode 100644
index 0000000..5d4d2ca
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0033set_0.nft
@@ -0,0 +1,2 @@
+table ip x {
+}
diff --git a/tests/shell/testcases/transactions/dumps/0034set_0.nft b/tests/shell/testcases/transactions/dumps/0034set_0.nft
new file mode 100644
index 0000000..e3d4aee
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0034set_0.nft
@@ -0,0 +1,5 @@
+table ip x {
+	set y {
+		type ipv4_addr
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0035set_0.nft b/tests/shell/testcases/transactions/dumps/0035set_0.nft
new file mode 100644
index 0000000..e111494
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0035set_0.nft
@@ -0,0 +1,6 @@
+table ip x {
+	set y {
+		type ipv4_addr
+		elements = { 3.3.3.3 }
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0036set_1.nft b/tests/shell/testcases/transactions/dumps/0036set_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0036set_1.nft
diff --git a/tests/shell/testcases/transactions/dumps/0037set_0.nft b/tests/shell/testcases/transactions/dumps/0037set_0.nft
new file mode 100644
index 0000000..ca69cee
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0037set_0.nft
@@ -0,0 +1,6 @@
+table ip x {
+	set y {
+		type ipv4_addr
+		flags interval
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0038set_0.nft b/tests/shell/testcases/transactions/dumps/0038set_0.nft
new file mode 100644
index 0000000..651a11b
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0038set_0.nft
@@ -0,0 +1,7 @@
+table ip x {
+	set y {
+		type ipv4_addr
+		flags interval
+		elements = { 192.168.4.0/24 }
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0039set_0.nft b/tests/shell/testcases/transactions/dumps/0039set_0.nft
new file mode 100644
index 0000000..651a11b
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0039set_0.nft
@@ -0,0 +1,7 @@
+table ip x {
+	set y {
+		type ipv4_addr
+		flags interval
+		elements = { 192.168.4.0/24 }
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0040set_0.nft b/tests/shell/testcases/transactions/dumps/0040set_0.nft
new file mode 100644
index 0000000..a29232b
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0040set_0.nft
@@ -0,0 +1,14 @@
+table ip filter {
+	map client_to_any {
+		type ipv4_addr : verdict
+	}
+
+	chain FORWARD {
+		type filter hook forward priority filter; policy accept;
+		goto client_to_any
+	}
+
+	chain client_to_any {
+		ip saddr vmap @client_to_any
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0041nat_restore_0.nft b/tests/shell/testcases/transactions/dumps/0041nat_restore_0.nft
new file mode 100644
index 0000000..b718001
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0041nat_restore_0.nft
@@ -0,0 +1,5 @@
+table ip t {
+	chain c {
+		type nat hook postrouting priority filter; policy accept;
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.nft b/tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.nft
new file mode 100644
index 0000000..e5cc63f
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0042_stateful_expr_0.nft
@@ -0,0 +1,5 @@
+table ip filter {
+	map m1 {
+		type ipv4_addr : counter
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0043set_1.nft b/tests/shell/testcases/transactions/dumps/0043set_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0043set_1.nft
diff --git a/tests/shell/testcases/transactions/dumps/0044rule_0.nft b/tests/shell/testcases/transactions/dumps/0044rule_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0044rule_0.nft
diff --git a/tests/shell/testcases/transactions/dumps/0045anon-unbind_0.nft b/tests/shell/testcases/transactions/dumps/0045anon-unbind_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0045anon-unbind_0.nft
diff --git a/tests/shell/testcases/transactions/dumps/0046set_0.nft b/tests/shell/testcases/transactions/dumps/0046set_0.nft
new file mode 100644
index 0000000..eb39c44
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0046set_0.nft
@@ -0,0 +1,2 @@
+table ip filter {
+}
diff --git a/tests/shell/testcases/transactions/dumps/0047set_0.nft b/tests/shell/testcases/transactions/dumps/0047set_0.nft
new file mode 100644
index 0000000..4da397b
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0047set_0.nft
@@ -0,0 +1,11 @@
+table ip filter {
+	map group_10060 {
+		type ipv4_addr : classid
+		flags interval
+		elements = { 10.1.26.2 : 1:bbf8, 10.1.26.3 : 1:c1ad,
+			     10.1.26.4 : 1:b2d7, 10.1.26.5 : 1:f705,
+			     10.1.26.6 : 1:b895, 10.1.26.7 : 1:ec4c,
+			     10.1.26.8 : 1:de78, 10.1.26.9 : 1:b4f3,
+			     10.1.26.10 : 1:dec6, 10.1.26.11 : 1:b4c0 }
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0048helpers_0.nft b/tests/shell/testcases/transactions/dumps/0048helpers_0.nft
new file mode 100644
index 0000000..eb39c44
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0048helpers_0.nft
@@ -0,0 +1,2 @@
+table ip filter {
+}
diff --git a/tests/shell/testcases/transactions/dumps/0049huge_0.nft b/tests/shell/testcases/transactions/dumps/0049huge_0.nft
new file mode 100644
index 0000000..96f5a38
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0049huge_0.nft
@@ -0,0 +1,749 @@
+table inet firewalld {
+	chain raw_PREROUTING {
+		type filter hook prerouting priority raw + 10; policy accept;
+		icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+		meta nfproto ipv6 fib saddr . iif oif missing drop
+		jump raw_PREROUTING_ZONES
+	}
+
+	chain raw_PREROUTING_ZONES {
+		iifname "perm_dummy" goto raw_PRE_work
+		iifname "perm_dummy2" goto raw_PRE_trusted
+		goto raw_PRE_public
+	}
+
+	chain mangle_PREROUTING {
+		type filter hook prerouting priority mangle + 10; policy accept;
+		jump mangle_PREROUTING_ZONES
+	}
+
+	chain mangle_PREROUTING_ZONES {
+		iifname "perm_dummy" goto mangle_PRE_work
+		iifname "perm_dummy2" goto mangle_PRE_trusted
+		goto mangle_PRE_public
+	}
+
+	chain filter_INPUT {
+		type filter hook input priority filter + 10; policy accept;
+		ct state { established, related } accept
+		ct status dnat accept
+		iifname "lo" accept
+		jump filter_INPUT_ZONES
+		ct state invalid drop
+		reject with icmpx admin-prohibited
+	}
+
+	chain filter_FORWARD {
+		type filter hook forward priority filter + 10; policy accept;
+		ct state { established, related } accept
+		ct status dnat accept
+		iifname "lo" accept
+		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
+		jump filter_FORWARD_IN_ZONES
+		jump filter_FORWARD_OUT_ZONES
+		ct state invalid drop
+		reject with icmpx admin-prohibited
+	}
+
+	chain filter_OUTPUT {
+		type filter hook output priority filter + 10; policy accept;
+		oifname "lo" accept
+		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
+	}
+
+	chain filter_INPUT_ZONES {
+		iifname "perm_dummy" goto filter_IN_work
+		iifname "perm_dummy2" goto filter_IN_trusted
+		goto filter_IN_public
+	}
+
+	chain filter_FORWARD_IN_ZONES {
+		iifname "perm_dummy" goto filter_FWDI_work
+		iifname "perm_dummy2" goto filter_FWDI_trusted
+		goto filter_FWDI_public
+	}
+
+	chain filter_FORWARD_OUT_ZONES {
+		oifname "perm_dummy" goto filter_FWDO_work
+		oifname "perm_dummy2" goto filter_FWDO_trusted
+		goto filter_FWDO_public
+	}
+
+	chain raw_PRE_public {
+		jump raw_PRE_public_pre
+		jump raw_PRE_public_log
+		jump raw_PRE_public_deny
+		jump raw_PRE_public_allow
+		jump raw_PRE_public_post
+	}
+
+	chain raw_PRE_public_pre {
+	}
+
+	chain raw_PRE_public_log {
+	}
+
+	chain raw_PRE_public_deny {
+	}
+
+	chain raw_PRE_public_allow {
+	}
+
+	chain raw_PRE_public_post {
+	}
+
+	chain filter_IN_public {
+		jump filter_IN_public_pre
+		jump filter_IN_public_log
+		jump filter_IN_public_deny
+		jump filter_IN_public_allow
+		jump filter_IN_public_post
+		meta l4proto { icmp, ipv6-icmp } accept
+	}
+
+	chain filter_IN_public_pre {
+	}
+
+	chain filter_IN_public_log {
+	}
+
+	chain filter_IN_public_deny {
+	}
+
+	chain filter_IN_public_allow {
+		tcp dport 22 ct state { new, untracked } accept
+		ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
+	}
+
+	chain filter_IN_public_post {
+	}
+
+	chain filter_FWDI_public {
+		jump filter_FWDI_public_pre
+		jump filter_FWDI_public_log
+		jump filter_FWDI_public_deny
+		jump filter_FWDI_public_allow
+		jump filter_FWDI_public_post
+		meta l4proto { icmp, ipv6-icmp } accept
+	}
+
+	chain filter_FWDI_public_pre {
+	}
+
+	chain filter_FWDI_public_log {
+	}
+
+	chain filter_FWDI_public_deny {
+	}
+
+	chain filter_FWDI_public_allow {
+	}
+
+	chain filter_FWDI_public_post {
+	}
+
+	chain mangle_PRE_public {
+		jump mangle_PRE_public_pre
+		jump mangle_PRE_public_log
+		jump mangle_PRE_public_deny
+		jump mangle_PRE_public_allow
+		jump mangle_PRE_public_post
+	}
+
+	chain mangle_PRE_public_pre {
+	}
+
+	chain mangle_PRE_public_log {
+	}
+
+	chain mangle_PRE_public_deny {
+	}
+
+	chain mangle_PRE_public_allow {
+	}
+
+	chain mangle_PRE_public_post {
+	}
+
+	chain filter_FWDO_public {
+		jump filter_FWDO_public_pre
+		jump filter_FWDO_public_log
+		jump filter_FWDO_public_deny
+		jump filter_FWDO_public_allow
+		jump filter_FWDO_public_post
+	}
+
+	chain filter_FWDO_public_pre {
+	}
+
+	chain filter_FWDO_public_log {
+	}
+
+	chain filter_FWDO_public_deny {
+	}
+
+	chain filter_FWDO_public_allow {
+	}
+
+	chain filter_FWDO_public_post {
+	}
+
+	chain raw_PRE_trusted {
+		jump raw_PRE_trusted_pre
+		jump raw_PRE_trusted_log
+		jump raw_PRE_trusted_deny
+		jump raw_PRE_trusted_allow
+		jump raw_PRE_trusted_post
+	}
+
+	chain raw_PRE_trusted_pre {
+	}
+
+	chain raw_PRE_trusted_log {
+	}
+
+	chain raw_PRE_trusted_deny {
+	}
+
+	chain raw_PRE_trusted_allow {
+	}
+
+	chain raw_PRE_trusted_post {
+	}
+
+	chain mangle_PRE_trusted {
+		jump mangle_PRE_trusted_pre
+		jump mangle_PRE_trusted_log
+		jump mangle_PRE_trusted_deny
+		jump mangle_PRE_trusted_allow
+		jump mangle_PRE_trusted_post
+	}
+
+	chain mangle_PRE_trusted_pre {
+	}
+
+	chain mangle_PRE_trusted_log {
+	}
+
+	chain mangle_PRE_trusted_deny {
+	}
+
+	chain mangle_PRE_trusted_allow {
+	}
+
+	chain mangle_PRE_trusted_post {
+	}
+
+	chain filter_IN_trusted {
+		jump filter_IN_trusted_pre
+		jump filter_IN_trusted_log
+		jump filter_IN_trusted_deny
+		jump filter_IN_trusted_allow
+		jump filter_IN_trusted_post
+		accept
+	}
+
+	chain filter_IN_trusted_pre {
+	}
+
+	chain filter_IN_trusted_log {
+	}
+
+	chain filter_IN_trusted_deny {
+	}
+
+	chain filter_IN_trusted_allow {
+	}
+
+	chain filter_IN_trusted_post {
+	}
+
+	chain filter_FWDI_trusted {
+		jump filter_FWDI_trusted_pre
+		jump filter_FWDI_trusted_log
+		jump filter_FWDI_trusted_deny
+		jump filter_FWDI_trusted_allow
+		jump filter_FWDI_trusted_post
+		accept
+	}
+
+	chain filter_FWDI_trusted_pre {
+	}
+
+	chain filter_FWDI_trusted_log {
+	}
+
+	chain filter_FWDI_trusted_deny {
+	}
+
+	chain filter_FWDI_trusted_allow {
+	}
+
+	chain filter_FWDI_trusted_post {
+	}
+
+	chain filter_FWDO_trusted {
+		jump filter_FWDO_trusted_pre
+		jump filter_FWDO_trusted_log
+		jump filter_FWDO_trusted_deny
+		jump filter_FWDO_trusted_allow
+		jump filter_FWDO_trusted_post
+		accept
+	}
+
+	chain filter_FWDO_trusted_pre {
+	}
+
+	chain filter_FWDO_trusted_log {
+	}
+
+	chain filter_FWDO_trusted_deny {
+	}
+
+	chain filter_FWDO_trusted_allow {
+	}
+
+	chain filter_FWDO_trusted_post {
+	}
+
+	chain raw_PRE_work {
+		jump raw_PRE_work_pre
+		jump raw_PRE_work_log
+		jump raw_PRE_work_deny
+		jump raw_PRE_work_allow
+		jump raw_PRE_work_post
+	}
+
+	chain raw_PRE_work_pre {
+	}
+
+	chain raw_PRE_work_log {
+	}
+
+	chain raw_PRE_work_deny {
+	}
+
+	chain raw_PRE_work_allow {
+	}
+
+	chain raw_PRE_work_post {
+	}
+
+	chain filter_IN_work {
+		jump filter_IN_work_pre
+		jump filter_IN_work_log
+		jump filter_IN_work_deny
+		jump filter_IN_work_allow
+		jump filter_IN_work_post
+		meta l4proto { icmp, ipv6-icmp } accept
+	}
+
+	chain filter_IN_work_pre {
+	}
+
+	chain filter_IN_work_log {
+	}
+
+	chain filter_IN_work_deny {
+	}
+
+	chain filter_IN_work_allow {
+		tcp dport 22 ct state { new, untracked } accept
+		ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
+	}
+
+	chain filter_IN_work_post {
+	}
+
+	chain mangle_PRE_work {
+		jump mangle_PRE_work_pre
+		jump mangle_PRE_work_log
+		jump mangle_PRE_work_deny
+		jump mangle_PRE_work_allow
+		jump mangle_PRE_work_post
+	}
+
+	chain mangle_PRE_work_pre {
+	}
+
+	chain mangle_PRE_work_log {
+	}
+
+	chain mangle_PRE_work_deny {
+	}
+
+	chain mangle_PRE_work_allow {
+	}
+
+	chain mangle_PRE_work_post {
+	}
+
+	chain filter_FWDI_work {
+		jump filter_FWDI_work_pre
+		jump filter_FWDI_work_log
+		jump filter_FWDI_work_deny
+		jump filter_FWDI_work_allow
+		jump filter_FWDI_work_post
+		meta l4proto { icmp, ipv6-icmp } accept
+	}
+
+	chain filter_FWDI_work_pre {
+	}
+
+	chain filter_FWDI_work_log {
+	}
+
+	chain filter_FWDI_work_deny {
+	}
+
+	chain filter_FWDI_work_allow {
+	}
+
+	chain filter_FWDI_work_post {
+	}
+
+	chain filter_FWDO_work {
+		jump filter_FWDO_work_pre
+		jump filter_FWDO_work_log
+		jump filter_FWDO_work_deny
+		jump filter_FWDO_work_allow
+		jump filter_FWDO_work_post
+	}
+
+	chain filter_FWDO_work_pre {
+	}
+
+	chain filter_FWDO_work_log {
+	}
+
+	chain filter_FWDO_work_deny {
+	}
+
+	chain filter_FWDO_work_allow {
+	}
+
+	chain filter_FWDO_work_post {
+	}
+}
+table ip firewalld {
+	chain nat_PREROUTING {
+		type nat hook prerouting priority dstnat + 10; policy accept;
+		jump nat_PREROUTING_ZONES
+	}
+
+	chain nat_PREROUTING_ZONES {
+		iifname "perm_dummy" goto nat_PRE_work
+		iifname "perm_dummy2" goto nat_PRE_trusted
+		goto nat_PRE_public
+	}
+
+	chain nat_POSTROUTING {
+		type nat hook postrouting priority srcnat + 10; policy accept;
+		jump nat_POSTROUTING_ZONES
+	}
+
+	chain nat_POSTROUTING_ZONES {
+		oifname "perm_dummy" goto nat_POST_work
+		oifname "perm_dummy2" goto nat_POST_trusted
+		goto nat_POST_public
+	}
+
+	chain nat_PRE_public {
+		jump nat_PRE_public_pre
+		jump nat_PRE_public_log
+		jump nat_PRE_public_deny
+		jump nat_PRE_public_allow
+		jump nat_PRE_public_post
+	}
+
+	chain nat_PRE_public_pre {
+	}
+
+	chain nat_PRE_public_log {
+	}
+
+	chain nat_PRE_public_deny {
+	}
+
+	chain nat_PRE_public_allow {
+	}
+
+	chain nat_PRE_public_post {
+	}
+
+	chain nat_POST_public {
+		jump nat_POST_public_pre
+		jump nat_POST_public_log
+		jump nat_POST_public_deny
+		jump nat_POST_public_allow
+		jump nat_POST_public_post
+	}
+
+	chain nat_POST_public_pre {
+	}
+
+	chain nat_POST_public_log {
+	}
+
+	chain nat_POST_public_deny {
+	}
+
+	chain nat_POST_public_allow {
+	}
+
+	chain nat_POST_public_post {
+	}
+
+	chain nat_PRE_trusted {
+		jump nat_PRE_trusted_pre
+		jump nat_PRE_trusted_log
+		jump nat_PRE_trusted_deny
+		jump nat_PRE_trusted_allow
+		jump nat_PRE_trusted_post
+	}
+
+	chain nat_PRE_trusted_pre {
+	}
+
+	chain nat_PRE_trusted_log {
+	}
+
+	chain nat_PRE_trusted_deny {
+	}
+
+	chain nat_PRE_trusted_allow {
+	}
+
+	chain nat_PRE_trusted_post {
+	}
+
+	chain nat_POST_trusted {
+		jump nat_POST_trusted_pre
+		jump nat_POST_trusted_log
+		jump nat_POST_trusted_deny
+		jump nat_POST_trusted_allow
+		jump nat_POST_trusted_post
+	}
+
+	chain nat_POST_trusted_pre {
+	}
+
+	chain nat_POST_trusted_log {
+	}
+
+	chain nat_POST_trusted_deny {
+	}
+
+	chain nat_POST_trusted_allow {
+	}
+
+	chain nat_POST_trusted_post {
+	}
+
+	chain nat_PRE_work {
+		jump nat_PRE_work_pre
+		jump nat_PRE_work_log
+		jump nat_PRE_work_deny
+		jump nat_PRE_work_allow
+		jump nat_PRE_work_post
+	}
+
+	chain nat_PRE_work_pre {
+	}
+
+	chain nat_PRE_work_log {
+	}
+
+	chain nat_PRE_work_deny {
+	}
+
+	chain nat_PRE_work_allow {
+	}
+
+	chain nat_PRE_work_post {
+	}
+
+	chain nat_POST_work {
+		jump nat_POST_work_pre
+		jump nat_POST_work_log
+		jump nat_POST_work_deny
+		jump nat_POST_work_allow
+		jump nat_POST_work_post
+	}
+
+	chain nat_POST_work_pre {
+	}
+
+	chain nat_POST_work_log {
+	}
+
+	chain nat_POST_work_deny {
+	}
+
+	chain nat_POST_work_allow {
+	}
+
+	chain nat_POST_work_post {
+	}
+}
+table ip6 firewalld {
+	chain nat_PREROUTING {
+		type nat hook prerouting priority dstnat + 10; policy accept;
+		jump nat_PREROUTING_ZONES
+	}
+
+	chain nat_PREROUTING_ZONES {
+		iifname "perm_dummy" goto nat_PRE_work
+		iifname "perm_dummy2" goto nat_PRE_trusted
+		goto nat_PRE_public
+	}
+
+	chain nat_POSTROUTING {
+		type nat hook postrouting priority srcnat + 10; policy accept;
+		jump nat_POSTROUTING_ZONES
+	}
+
+	chain nat_POSTROUTING_ZONES {
+		oifname "perm_dummy" goto nat_POST_work
+		oifname "perm_dummy2" goto nat_POST_trusted
+		goto nat_POST_public
+	}
+
+	chain nat_PRE_public {
+		jump nat_PRE_public_pre
+		jump nat_PRE_public_log
+		jump nat_PRE_public_deny
+		jump nat_PRE_public_allow
+		jump nat_PRE_public_post
+	}
+
+	chain nat_PRE_public_pre {
+	}
+
+	chain nat_PRE_public_log {
+	}
+
+	chain nat_PRE_public_deny {
+	}
+
+	chain nat_PRE_public_allow {
+	}
+
+	chain nat_PRE_public_post {
+	}
+
+	chain nat_POST_public {
+		jump nat_POST_public_pre
+		jump nat_POST_public_log
+		jump nat_POST_public_deny
+		jump nat_POST_public_allow
+		jump nat_POST_public_post
+	}
+
+	chain nat_POST_public_pre {
+	}
+
+	chain nat_POST_public_log {
+	}
+
+	chain nat_POST_public_deny {
+	}
+
+	chain nat_POST_public_allow {
+	}
+
+	chain nat_POST_public_post {
+	}
+
+	chain nat_PRE_trusted {
+		jump nat_PRE_trusted_pre
+		jump nat_PRE_trusted_log
+		jump nat_PRE_trusted_deny
+		jump nat_PRE_trusted_allow
+		jump nat_PRE_trusted_post
+	}
+
+	chain nat_PRE_trusted_pre {
+	}
+
+	chain nat_PRE_trusted_log {
+	}
+
+	chain nat_PRE_trusted_deny {
+	}
+
+	chain nat_PRE_trusted_allow {
+	}
+
+	chain nat_PRE_trusted_post {
+	}
+
+	chain nat_POST_trusted {
+		jump nat_POST_trusted_pre
+		jump nat_POST_trusted_log
+		jump nat_POST_trusted_deny
+		jump nat_POST_trusted_allow
+		jump nat_POST_trusted_post
+	}
+
+	chain nat_POST_trusted_pre {
+	}
+
+	chain nat_POST_trusted_log {
+	}
+
+	chain nat_POST_trusted_deny {
+	}
+
+	chain nat_POST_trusted_allow {
+	}
+
+	chain nat_POST_trusted_post {
+	}
+
+	chain nat_PRE_work {
+		jump nat_PRE_work_pre
+		jump nat_PRE_work_log
+		jump nat_PRE_work_deny
+		jump nat_PRE_work_allow
+		jump nat_PRE_work_post
+	}
+
+	chain nat_PRE_work_pre {
+	}
+
+	chain nat_PRE_work_log {
+	}
+
+	chain nat_PRE_work_deny {
+	}
+
+	chain nat_PRE_work_allow {
+	}
+
+	chain nat_PRE_work_post {
+	}
+
+	chain nat_POST_work {
+		jump nat_POST_work_pre
+		jump nat_POST_work_log
+		jump nat_POST_work_deny
+		jump nat_POST_work_allow
+		jump nat_POST_work_post
+	}
+
+	chain nat_POST_work_pre {
+	}
+
+	chain nat_POST_work_log {
+	}
+
+	chain nat_POST_work_deny {
+	}
+
+	chain nat_POST_work_allow {
+	}
+
+	chain nat_POST_work_post {
+	}
+}
diff --git a/tests/shell/testcases/transactions/dumps/0050rule_1.nft b/tests/shell/testcases/transactions/dumps/0050rule_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0050rule_1.nft
diff --git a/tests/shell/testcases/transactions/dumps/0051map_0.nodump b/tests/shell/testcases/transactions/dumps/0051map_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/0051map_0.nodump
diff --git a/tests/shell/testcases/transactions/dumps/30s-stress.nft b/tests/shell/testcases/transactions/dumps/30s-stress.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/30s-stress.nft
diff --git a/tests/shell/testcases/transactions/dumps/anon_chain_loop.nft b/tests/shell/testcases/transactions/dumps/anon_chain_loop.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/anon_chain_loop.nft
diff --git a/tests/shell/testcases/transactions/dumps/bad_expression.nft b/tests/shell/testcases/transactions/dumps/bad_expression.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/bad_expression.nft
diff --git a/tests/shell/testcases/transactions/dumps/table_onoff.nft b/tests/shell/testcases/transactions/dumps/table_onoff.nft
new file mode 100644
index 0000000..038be1c
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/table_onoff.nft
@@ -0,0 +1,8 @@
+table ip t {
+	flags dormant
+
+	chain c {
+		type filter hook input priority filter; policy accept;
+		ip daddr 127.0.0.42 counter packets 0 bytes 0
+	}
+}
diff --git a/tests/shell/testcases/transactions/table_onoff b/tests/shell/testcases/transactions/table_onoff
new file mode 100755
index 0000000..831d461
--- /dev/null
+++ b/tests/shell/testcases/transactions/table_onoff
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# attempt to re-awaken a table that is flagged dormant within
+# same transaction
+$NFT -f - <<EOF
+add table ip t
+add table ip t { flags dormant; }
+add chain ip t c { type filter hook input priority 0; }
+add table ip t
+delete table ip t
+EOF
+
+if [ $? -eq 0 ]; then
+	exit 1
+fi
+
+set -e
+
+ip link set lo up
+
+# add a dormant table, then wake it up in same
+# transaction.
+$NFT -f - <<EOF
+add table ip t { flags dormant; }
+add chain ip t c { type filter hook input priority 0; }
+add rule ip t c ip daddr 127.0.0.42 counter
+add table ip t
+EOF
+
+# check table is indeed active.
+ping -c 1 127.0.0.42
+$NFT list chain ip t c | grep "counter packets 1"
+$NFT delete table ip t
+
+# allow to flag table dormant.
+$NFT -f - <<EOF
+add table ip t
+add chain ip t c { type filter hook input priority 0; }
+add rule ip t c ip daddr 127.0.0.42 counter
+add table ip t { flags dormant; }
+EOF
+
+ping -c 1 127.0.0.42
+# expect run-tests.sh to complain if counter isn't 0.
diff --git a/tests/shell/x b/tests/shell/x
new file mode 100644
index 0000000..4170e0a
--- /dev/null
+++ b/tests/shell/x
@@ -0,0 +1,5 @@
+testcases/json/dumps/0001set_statements_0.nft
+testcases/nft-f/0025empty_dynset_0
+testcases/sets/dumps/0022type_selective_flush_0.nft
+testcases/sets/dumps/0038meter_list_0.nft
+testcases/sets/dumps/0060set_multistmt_0.nft