summaryrefslogtreecommitdiffstats
path: root/tests/py/inet
diff options
context:
space:
mode:
Diffstat (limited to 'tests/py/inet')
-rw-r--r--tests/py/inet/ah.t47
-rw-r--r--tests/py/inet/ah.t.json412
-rw-r--r--tests/py/inet/ah.t.payload182
-rw-r--r--tests/py/inet/comp.t30
-rw-r--r--tests/py/inet/comp.t.json244
-rw-r--r--tests/py/inet/comp.t.json.output170
-rw-r--r--tests/py/inet/comp.t.payload105
-rw-r--r--tests/py/inet/ct.t15
-rw-r--r--tests/py/inet/ct.t.json60
-rw-r--r--tests/py/inet/ct.t.json.output16
-rw-r--r--tests/py/inet/ct.t.payload17
-rw-r--r--tests/py/inet/dccp.t30
-rw-r--r--tests/py/inet/dccp.t.json276
-rw-r--r--tests/py/inet/dccp.t.json.output18
-rw-r--r--tests/py/inet/dccp.t.payload115
-rw-r--r--tests/py/inet/dnat.t22
-rw-r--r--tests/py/inet/dnat.t.json241
-rw-r--r--tests/py/inet/dnat.t.payload86
-rw-r--r--tests/py/inet/esp.t21
-rw-r--r--tests/py/inet/esp.t.json204
-rw-r--r--tests/py/inet/esp.t.payload91
-rw-r--r--tests/py/inet/ether-ip.t9
-rw-r--r--tests/py/inet/ether-ip.t.json92
-rw-r--r--tests/py/inet/ether-ip.t.json.output43
-rw-r--r--tests/py/inet/ether-ip.t.payload28
-rw-r--r--tests/py/inet/ether-ip.t.payload.netdev29
-rw-r--r--tests/py/inet/ether.t20
-rw-r--r--tests/py/inet/ether.t.json122
-rw-r--r--tests/py/inet/ether.t.json.output31
-rw-r--r--tests/py/inet/ether.t.payload52
-rw-r--r--tests/py/inet/ether.t.payload.bridge44
-rw-r--r--tests/py/inet/ether.t.payload.ip52
-rw-r--r--tests/py/inet/fib.t17
-rw-r--r--tests/py/inet/fib.t.json132
-rw-r--r--tests/py/inet/fib.t.json.output39
-rw-r--r--tests/py/inet/fib.t.payload32
-rw-r--r--tests/py/inet/geneve.t23
-rw-r--r--tests/py/inet/geneve.t.json344
-rw-r--r--tests/py/inet/geneve.t.payload114
-rw-r--r--tests/py/inet/gre.t22
-rw-r--r--tests/py/inet/gre.t.json177
-rw-r--r--tests/py/inet/gre.t.payload78
-rw-r--r--tests/py/inet/gretap.t21
-rw-r--r--tests/py/inet/gretap.t.json195
-rw-r--r--tests/py/inet/gretap.t.payload87
-rw-r--r--tests/py/inet/icmp.t18
-rw-r--r--tests/py/inet/icmp.t.json124
-rw-r--r--tests/py/inet/icmp.t.json.output32
-rw-r--r--tests/py/inet/icmp.t.payload54
-rw-r--r--tests/py/inet/icmpX.t10
-rw-r--r--tests/py/inet/icmpX.t.json125
-rw-r--r--tests/py/inet/icmpX.t.json.output84
-rw-r--r--tests/py/inet/icmpX.t.payload46
-rw-r--r--tests/py/inet/ip.t12
-rw-r--r--tests/py/inet/ip.t.json42
-rw-r--r--tests/py/inet/ip.t.payload11
-rw-r--r--tests/py/inet/ip.t.payload.bridge11
-rw-r--r--tests/py/inet/ip.t.payload.inet14
-rw-r--r--tests/py/inet/ip.t.payload.netdev14
-rw-r--r--tests/py/inet/ip_tcp.t21
-rw-r--r--tests/py/inet/ip_tcp.t.json170
-rw-r--r--tests/py/inet/ip_tcp.t.json.output142
-rw-r--r--tests/py/inet/ip_tcp.t.payload52
-rw-r--r--tests/py/inet/ip_tcp.t.payload.bridge51
-rw-r--r--tests/py/inet/ip_tcp.t.payload.netdev53
-rw-r--r--tests/py/inet/ipsec.t23
-rw-r--r--tests/py/inet/ipsec.t.json157
-rw-r--r--tests/py/inet/ipsec.t.payload45
-rw-r--r--tests/py/inet/map.t10
-rw-r--r--tests/py/inet/map.t.json66
-rw-r--r--tests/py/inet/map.t.json.output66
-rw-r--r--tests/py/inet/map.t.payload23
-rw-r--r--tests/py/inet/map.t.payload.ip19
-rw-r--r--tests/py/inet/map.t.payload.netdev23
-rw-r--r--tests/py/inet/meta.t32
-rw-r--r--tests/py/inet/meta.t.json528
-rw-r--r--tests/py/inet/meta.t.json.got86
-rw-r--r--tests/py/inet/meta.t.json.output53
-rw-r--r--tests/py/inet/meta.t.payload175
-rw-r--r--tests/py/inet/meta.t.payload.got40
-rw-r--r--tests/py/inet/osf.t18
-rw-r--r--tests/py/inet/osf.t.json170
-rw-r--r--tests/py/inet/osf.t.payload53
-rw-r--r--tests/py/inet/reject.t41
-rw-r--r--tests/py/inet/reject.t.json331
-rw-r--r--tests/py/inet/reject.t.json.output77
-rw-r--r--tests/py/inet/reject.t.payload.inet144
-rw-r--r--tests/py/inet/rt.t15
-rw-r--r--tests/py/inet/rt.t.json59
-rw-r--r--tests/py/inet/rt.t.json.output25
-rw-r--r--tests/py/inet/rt.t.payload18
-rw-r--r--tests/py/inet/sctp.t73
-rw-r--r--tests/py/inet/sctp.t.json928
-rw-r--r--tests/py/inet/sctp.t.payload351
-rw-r--r--tests/py/inet/sets.t25
-rw-r--r--tests/py/inet/sets.t.json136
-rw-r--r--tests/py/inet/sets.t.payload.bridge42
-rw-r--r--tests/py/inet/sets.t.payload.inet41
-rw-r--r--tests/py/inet/sets.t.payload.netdev41
-rw-r--r--tests/py/inet/snat.t21
-rw-r--r--tests/py/inet/snat.t.json131
-rw-r--r--tests/py/inet/snat.t.payload42
-rw-r--r--tests/py/inet/socket.t15
-rw-r--r--tests/py/inet/socket.t.json74
-rw-r--r--tests/py/inet/socket.t.payload24
-rw-r--r--tests/py/inet/synproxy.t13
-rw-r--r--tests/py/inet/synproxy.t.json64
-rw-r--r--tests/py/inet/synproxy.t.payload24
-rw-r--r--tests/py/inet/tcp.t115
-rw-r--r--tests/py/inet/tcp.t.json1799
-rw-r--r--tests/py/inet/tcp.t.json.output210
-rw-r--r--tests/py/inet/tcp.t.payload674
-rw-r--r--tests/py/inet/tproxy.t21
-rw-r--r--tests/py/inet/tproxy.t.json185
-rw-r--r--tests/py/inet/tproxy.t.payload63
-rw-r--r--tests/py/inet/udp.t45
-rw-r--r--tests/py/inet/udp.t.json583
-rw-r--r--tests/py/inet/udp.t.payload248
-rw-r--r--tests/py/inet/udplite.t38
-rw-r--r--tests/py/inet/udplite.t.json413
-rw-r--r--tests/py/inet/udplite.t.payload178
-rw-r--r--tests/py/inet/vmap.t10
-rw-r--r--tests/py/inet/vmap.t.json144
-rw-r--r--tests/py/inet/vmap.t.payload34
-rw-r--r--tests/py/inet/vmap.t.payload.netdev34
-rw-r--r--tests/py/inet/vxlan.t23
-rw-r--r--tests/py/inet/vxlan.t.json344
-rw-r--r--tests/py/inet/vxlan.t.payload114
128 files changed, 14908 insertions, 0 deletions
diff --git a/tests/py/inet/ah.t b/tests/py/inet/ah.t
new file mode 100644
index 0000000..83b6202
--- /dev/null
+++ b/tests/py/inet/ah.t
@@ -0,0 +1,47 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+- ah nexthdr esp;ok
+- ah nexthdr ah;ok
+- ah nexthdr comp;ok
+- ah nexthdr udp;ok
+- ah nexthdr udplite;ok
+- ah nexthdr tcp;ok
+- ah nexthdr dccp;ok
+- ah nexthdr sctp;ok
+
+- ah nexthdr { esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok;ah nexthdr { 6, 132, 50, 17, 136, 33, 51, 108}
+- ah nexthdr != { esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok
+
+ah hdrlength 11-23;ok
+ah hdrlength != 11-23;ok
+ah hdrlength {11, 23, 44 };ok
+ah hdrlength != {11, 23, 44 };ok
+
+ah reserved 22;ok
+ah reserved != 233;ok
+ah reserved 33-45;ok
+ah reserved != 33-45;ok
+ah reserved {23, 100};ok
+ah reserved != {23, 100};ok
+
+ah spi 111;ok
+ah spi != 111;ok
+ah spi 111-222;ok
+ah spi != 111-222;ok
+ah spi {111, 122};ok
+ah spi != {111, 122};ok
+
+# sequence
+ah sequence 123;ok
+ah sequence != 123;ok
+ah sequence {23, 25, 33};ok
+ah sequence != {23, 25, 33};ok
+ah sequence 23-33;ok
+ah sequence != 23-33;ok
diff --git a/tests/py/inet/ah.t.json b/tests/py/inet/ah.t.json
new file mode 100644
index 0000000..217280b
--- /dev/null
+++ b/tests/py/inet/ah.t.json
@@ -0,0 +1,412 @@
+# ah hdrlength 11-23
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "hdrlength",
+ "protocol": "ah"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 11, 23 ]
+ }
+ }
+ }
+]
+
+# ah hdrlength != 11-23
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "hdrlength",
+ "protocol": "ah"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 11, 23 ]
+ }
+ }
+ }
+]
+
+# ah hdrlength {11, 23, 44 }
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "hdrlength",
+ "protocol": "ah"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 11,
+ 23,
+ 44
+ ]
+ }
+ }
+ }
+]
+
+# ah hdrlength != {11, 23, 44 }
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "hdrlength",
+ "protocol": "ah"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 11,
+ 23,
+ 44
+ ]
+ }
+ }
+ }
+]
+
+# ah reserved 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "reserved",
+ "protocol": "ah"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# ah reserved != 233
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "reserved",
+ "protocol": "ah"
+ }
+ },
+ "op": "!=",
+ "right": 233
+ }
+ }
+]
+
+# ah reserved 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "reserved",
+ "protocol": "ah"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# ah reserved != 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "reserved",
+ "protocol": "ah"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# ah reserved {23, 100}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "reserved",
+ "protocol": "ah"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 23,
+ 100
+ ]
+ }
+ }
+ }
+]
+
+# ah reserved != {23, 100}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "reserved",
+ "protocol": "ah"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 23,
+ 100
+ ]
+ }
+ }
+ }
+]
+
+# ah spi 111
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "spi",
+ "protocol": "ah"
+ }
+ },
+ "op": "==",
+ "right": 111
+ }
+ }
+]
+
+# ah spi != 111
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "spi",
+ "protocol": "ah"
+ }
+ },
+ "op": "!=",
+ "right": 111
+ }
+ }
+]
+
+# ah spi 111-222
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "spi",
+ "protocol": "ah"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 111, 222 ]
+ }
+ }
+ }
+]
+
+# ah spi != 111-222
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "spi",
+ "protocol": "ah"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 111, 222 ]
+ }
+ }
+ }
+]
+
+# ah spi {111, 122}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "spi",
+ "protocol": "ah"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 111,
+ 122
+ ]
+ }
+ }
+ }
+]
+
+# ah spi != {111, 122}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "spi",
+ "protocol": "ah"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 111,
+ 122
+ ]
+ }
+ }
+ }
+]
+
+# ah sequence 123
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "ah"
+ }
+ },
+ "op": "==",
+ "right": 123
+ }
+ }
+]
+
+# ah sequence != 123
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "ah"
+ }
+ },
+ "op": "!=",
+ "right": 123
+ }
+ }
+]
+
+# ah sequence {23, 25, 33}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "ah"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 23,
+ 25,
+ 33
+ ]
+ }
+ }
+ }
+]
+
+# ah sequence != {23, 25, 33}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "ah"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 23,
+ 25,
+ 33
+ ]
+ }
+ }
+ }
+]
+
+# ah sequence 23-33
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "ah"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 23, 33 ]
+ }
+ }
+ }
+]
+
+# ah sequence != 23-33
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "ah"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 23, 33 ]
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/ah.t.payload b/tests/py/inet/ah.t.payload
new file mode 100644
index 0000000..7ddd72d
--- /dev/null
+++ b/tests/py/inet/ah.t.payload
@@ -0,0 +1,182 @@
+# ah hdrlength 11-23
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ cmp gte reg 1 0x0000000b ]
+ [ cmp lte reg 1 0x00000017 ]
+
+# ah hdrlength != 11-23
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ range neq reg 1 0x0000000b 0x00000017 ]
+
+# ah hdrlength {11, 23, 44 }
+__set%d test-inet 3
+__set%d test-inet 0
+ element 0000000b : 0 [end] element 00000017 : 0 [end] element 0000002c : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ah hdrlength != {11, 23, 44 }
+__set%d test-inet 3
+__set%d test-inet 0
+ element 0000000b : 0 [end] element 00000017 : 0 [end] element 0000002c : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# ah reserved 22
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# ah reserved != 233
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# ah reserved 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp gte reg 1 0x00002100 ]
+ [ cmp lte reg 1 0x00002d00 ]
+
+# ah reserved != 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# ah reserved {23, 100}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00001700 : 0 [end] element 00006400 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ah reserved != {23, 100}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00001700 : 0 [end] element 00006400 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# ah spi 111
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp eq reg 1 0x6f000000 ]
+
+# ah spi != 111
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp neq reg 1 0x6f000000 ]
+
+# ah spi 111-222
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp gte reg 1 0x6f000000 ]
+ [ cmp lte reg 1 0xde000000 ]
+
+# ah spi != 111-222
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ range neq reg 1 0x6f000000 0xde000000 ]
+
+# ah spi {111, 122}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 6f000000 : 0 [end] element 7a000000 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ah spi != {111, 122}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 6f000000 : 0 [end] element 7a000000 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# ah sequence 123
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ cmp eq reg 1 0x7b000000 ]
+
+# ah sequence != 123
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ cmp neq reg 1 0x7b000000 ]
+
+# ah sequence {23, 25, 33}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 17000000 : 0 [end] element 19000000 : 0 [end] element 21000000 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ah sequence != {23, 25, 33}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 17000000 : 0 [end] element 19000000 : 0 [end] element 21000000 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# ah sequence 23-33
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ cmp gte reg 1 0x17000000 ]
+ [ cmp lte reg 1 0x21000000 ]
+
+# ah sequence != 23-33
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000033 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ range neq reg 1 0x17000000 0x21000000 ]
+
diff --git a/tests/py/inet/comp.t b/tests/py/inet/comp.t
new file mode 100644
index 0000000..2ef5382
--- /dev/null
+++ b/tests/py/inet/comp.t
@@ -0,0 +1,30 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+# BUG: nft: payload.c:88: payload_expr_pctx_update: Assertion `left->payload.base + 1 <= (__PROTO_BASE_MAX - 1)' failed.
+- comp nexthdr esp;ok;comp nexthdr 50
+comp nexthdr != esp;ok;comp nexthdr != 50
+
+- comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp};ok
+# comp flags ## 8-bit field. Reserved for future use. MUST be set to zero.
+
+# Bug comp flags: to list. List the decimal value.
+comp flags 0x0;ok
+comp flags != 0x23;ok
+comp flags 0x33-0x45;ok
+comp flags != 0x33-0x45;ok
+comp flags {0x33, 0x55, 0x67, 0x88};ok
+comp flags != {0x33, 0x55, 0x67, 0x88};ok
+
+comp cpi 22;ok
+comp cpi != 233;ok
+comp cpi 33-45;ok
+comp cpi != 33-45;ok
+comp cpi {33, 55, 67, 88};ok
+comp cpi != {33, 55, 67, 88};ok
diff --git a/tests/py/inet/comp.t.json b/tests/py/inet/comp.t.json
new file mode 100644
index 0000000..c9f6fca
--- /dev/null
+++ b/tests/py/inet/comp.t.json
@@ -0,0 +1,244 @@
+# comp nexthdr != esp
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "nexthdr",
+ "protocol": "comp"
+ }
+ },
+ "op": "!=",
+ "right": "esp"
+ }
+ }
+]
+
+# comp flags 0x0
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "comp"
+ }
+ },
+ "op": "==",
+ "right": "0x0"
+ }
+ }
+]
+
+# comp flags != 0x23
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "comp"
+ }
+ },
+ "op": "!=",
+ "right": "0x23"
+ }
+ }
+]
+
+# comp flags 0x33-0x45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "comp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ "0x33", "0x45" ]
+ }
+ }
+ }
+]
+
+# comp flags != 0x33-0x45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "comp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ "0x33", "0x45" ]
+ }
+ }
+ }
+]
+
+# comp flags {0x33, 0x55, 0x67, 0x88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "comp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ "0x33",
+ "0x55",
+ "0x67",
+ "0x88"
+ ]
+ }
+ }
+ }
+]
+
+# comp flags != {0x33, 0x55, 0x67, 0x88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "comp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ "0x33",
+ "0x55",
+ "0x67",
+ "0x88"
+ ]
+ }
+ }
+ }
+]
+
+# comp cpi 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "cpi",
+ "protocol": "comp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# comp cpi != 233
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "cpi",
+ "protocol": "comp"
+ }
+ },
+ "op": "!=",
+ "right": 233
+ }
+ }
+]
+
+# comp cpi 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "cpi",
+ "protocol": "comp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# comp cpi != 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "cpi",
+ "protocol": "comp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# comp cpi {33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "cpi",
+ "protocol": "comp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# comp cpi != {33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "cpi",
+ "protocol": "comp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/comp.t.json.output b/tests/py/inet/comp.t.json.output
new file mode 100644
index 0000000..435c3de
--- /dev/null
+++ b/tests/py/inet/comp.t.json.output
@@ -0,0 +1,170 @@
+# comp nexthdr != esp
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "nexthdr",
+ "protocol": "comp"
+ }
+ },
+ "op": "!=",
+ "right": 50
+ }
+ }
+]
+
+# comp flags 0x0
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "comp"
+ }
+ },
+ "op": "==",
+ "right": 0
+ }
+ }
+]
+
+# comp flags != 0x23
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "comp"
+ }
+ },
+ "op": "!=",
+ "right": 35
+ }
+ }
+]
+
+# comp flags 0x33-0x45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "comp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 51, 69 ]
+ }
+ }
+ }
+]
+
+# comp flags != 0x33-0x45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "comp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 51, 69 ]
+ }
+ }
+ }
+]
+
+# comp flags {0x33, 0x55, 0x67, 0x88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "comp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 51,
+ 85,
+ 103,
+ 136
+ ]
+ }
+ }
+ }
+]
+
+# comp flags != {0x33, 0x55, 0x67, 0x88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "comp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 51,
+ 85,
+ 103,
+ 136
+ ]
+ }
+ }
+ }
+]
+
+# comp flags { 0x33-0x55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "comp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ { "range": [ 51, 85 ] }
+ ]
+ }
+ }
+ }
+]
+
+# comp flags != { 0x33-0x55}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "comp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ { "range": [ 51, 85 ] }
+ ]
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/comp.t.payload b/tests/py/inet/comp.t.payload
new file mode 100644
index 0000000..024e47c
--- /dev/null
+++ b/tests/py/inet/comp.t.payload
@@ -0,0 +1,105 @@
+# comp nexthdr != esp
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000006c ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp neq reg 1 0x00000032 ]
+
+# comp flags 0x0
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000006c ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# comp flags != 0x23
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000006c ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ cmp neq reg 1 0x00000023 ]
+
+# comp flags 0x33-0x45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000006c ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ cmp gte reg 1 0x00000033 ]
+ [ cmp lte reg 1 0x00000045 ]
+
+# comp flags != 0x33-0x45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000006c ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ range neq reg 1 0x00000033 0x00000045 ]
+
+# comp flags {0x33, 0x55, 0x67, 0x88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00000033 : 0 [end] element 00000055 : 0 [end] element 00000067 : 0 [end] element 00000088 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000006c ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# comp flags != {0x33, 0x55, 0x67, 0x88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00000033 : 0 [end] element 00000055 : 0 [end] element 00000067 : 0 [end] element 00000088 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000006c ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# comp cpi 22
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000006c ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# comp cpi != 233
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000006c ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# comp cpi 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000006c ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp gte reg 1 0x00002100 ]
+ [ cmp lte reg 1 0x00002d00 ]
+
+# comp cpi != 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000006c ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# comp cpi {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000006c ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# comp cpi != {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000006c ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/ct.t b/tests/py/inet/ct.t
new file mode 100644
index 0000000..5312b32
--- /dev/null
+++ b/tests/py/inet/ct.t
@@ -0,0 +1,15 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+
+*inet;test-inet;input
+
+meta nfproto ipv4 ct original saddr 1.2.3.4;ok;ct original ip saddr 1.2.3.4
+ct original ip6 saddr ::1;ok
+
+ct original ip daddr 1.2.3.4 accept;ok
+
+# missing protocol context
+ct original saddr ::1;fail
+
+# wrong protocol context
+ct original ip saddr ::1;fail
diff --git a/tests/py/inet/ct.t.json b/tests/py/inet/ct.t.json
new file mode 100644
index 0000000..223ac9e
--- /dev/null
+++ b/tests/py/inet/ct.t.json
@@ -0,0 +1,60 @@
+# meta nfproto ipv4 ct original saddr 1.2.3.4
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "nfproto" }
+ },
+ "op": "==",
+ "right": "ipv4"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "ct": {
+ "dir": "original",
+ "key": "saddr"
+ }
+ },
+ "op": "==",
+ "right": "1.2.3.4"
+ }
+ }
+]
+
+# ct original ip6 saddr ::1
+[
+ {
+ "match": {
+ "left": {
+ "ct": {
+ "dir": "original",
+ "key": "ip6 saddr"
+ }
+ },
+ "op": "==",
+ "right": "::1"
+ }
+ }
+]
+
+# ct original ip daddr 1.2.3.4 accept
+[
+ {
+ "match": {
+ "left": {
+ "ct": {
+ "dir": "original",
+ "key": "ip daddr"
+ }
+ },
+ "op": "==",
+ "right": "1.2.3.4"
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
diff --git a/tests/py/inet/ct.t.json.output b/tests/py/inet/ct.t.json.output
new file mode 100644
index 0000000..74c436a
--- /dev/null
+++ b/tests/py/inet/ct.t.json.output
@@ -0,0 +1,16 @@
+# meta nfproto ipv4 ct original saddr 1.2.3.4
+[
+ {
+ "match": {
+ "left": {
+ "ct": {
+ "dir": "original",
+ "key": "saddr"
+ }
+ },
+ "op": "==",
+ "right": "1.2.3.4"
+ }
+ }
+]
+
diff --git a/tests/py/inet/ct.t.payload b/tests/py/inet/ct.t.payload
new file mode 100644
index 0000000..f7a2ef2
--- /dev/null
+++ b/tests/py/inet/ct.t.payload
@@ -0,0 +1,17 @@
+# meta nfproto ipv4 ct original saddr 1.2.3.4
+ip test-ip4 output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ ct load src => reg 1 , dir original ]
+ [ cmp eq reg 1 0x04030201 ]
+
+# ct original ip6 saddr ::1
+inet test-inet input
+ [ ct load src_ip6 => reg 1 , dir original ]
+ [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ]
+
+# ct original ip daddr 1.2.3.4 accept
+inet test-inet input
+ [ ct load dst_ip => reg 1 , dir original ]
+ [ cmp eq reg 1 0x04030201 ]
+ [ immediate reg 0 accept ]
diff --git a/tests/py/inet/dccp.t b/tests/py/inet/dccp.t
new file mode 100644
index 0000000..99cddbe
--- /dev/null
+++ b/tests/py/inet/dccp.t
@@ -0,0 +1,30 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+dccp sport 21-35;ok
+dccp sport != 21-35;ok
+dccp sport {23, 24, 25};ok
+dccp sport != {23, 24, 25};ok
+
+dccp sport 20-50;ok
+
+# dccp dport 21-35;ok
+# dccp dport != 21-35;ok
+dccp dport {23, 24, 25};ok
+dccp dport != {23, 24, 25};ok
+
+dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok
+dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok
+dccp type request;ok
+dccp type != request;ok
+
+dccp option 0 exists;ok
+dccp option 43 missing;ok
+dccp option 255 exists;ok
+dccp option 256 exists;fail
diff --git a/tests/py/inet/dccp.t.json b/tests/py/inet/dccp.t.json
new file mode 100644
index 0000000..9f47e97
--- /dev/null
+++ b/tests/py/inet/dccp.t.json
@@ -0,0 +1,276 @@
+# dccp sport 21-35
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "dccp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 21, 35 ]
+ }
+ }
+ }
+]
+
+# dccp sport != 21-35
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "dccp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 21, 35 ]
+ }
+ }
+ }
+]
+
+# dccp sport {23, 24, 25}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "dccp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 23,
+ 24,
+ 25
+ ]
+ }
+ }
+ }
+]
+
+# dccp sport != {23, 24, 25}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "dccp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 23,
+ 24,
+ 25
+ ]
+ }
+ }
+ }
+]
+
+# dccp sport 20-50
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "dccp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 20, 50 ]
+ }
+ }
+ }
+]
+
+# dccp dport {23, 24, 25}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "dccp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 23,
+ 24,
+ 25
+ ]
+ }
+ }
+ }
+]
+
+# dccp dport != {23, 24, 25}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "dccp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 23,
+ 24,
+ 25
+ ]
+ }
+ }
+ }
+]
+
+# dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "dccp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ "request",
+ "response",
+ "data",
+ "ack",
+ "dataack",
+ "closereq",
+ "close",
+ "reset",
+ "sync",
+ "syncack"
+ ]
+ }
+ }
+ }
+]
+
+# dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "dccp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ "request",
+ "response",
+ "data",
+ "ack",
+ "dataack",
+ "closereq",
+ "close",
+ "reset",
+ "sync",
+ "syncack"
+ ]
+ }
+ }
+ }
+]
+
+# dccp type request
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "dccp"
+ }
+ },
+ "op": "==",
+ "right": "request"
+ }
+ }
+]
+
+# dccp type != request
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "dccp"
+ }
+ },
+ "op": "!=",
+ "right": "request"
+ }
+ }
+]
+
+# dccp option 0 exists
+[
+ {
+ "match": {
+ "left": {
+ "dccp option": {
+ "type": 0
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# dccp option 43 missing
+[
+ {
+ "match": {
+ "left": {
+ "dccp option": {
+ "type": 43
+ }
+ },
+ "op": "==",
+ "right": false
+ }
+ }
+]
+
+# dccp option 255 exists
+[
+ {
+ "match": {
+ "left": {
+ "dccp option": {
+ "type": 255
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
diff --git a/tests/py/inet/dccp.t.json.output b/tests/py/inet/dccp.t.json.output
new file mode 100644
index 0000000..146741d
--- /dev/null
+++ b/tests/py/inet/dccp.t.json.output
@@ -0,0 +1,18 @@
+# dccp sport ftp-data - re-mail-ck
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "dccp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 20, 50 ]
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/dccp.t.payload b/tests/py/inet/dccp.t.payload
new file mode 100644
index 0000000..c0b87be
--- /dev/null
+++ b/tests/py/inet/dccp.t.payload
@@ -0,0 +1,115 @@
+# dccp sport 21-35
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000021 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ cmp gte reg 1 0x00001500 ]
+ [ cmp lte reg 1 0x00002300 ]
+
+# dccp sport != 21-35
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000021 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ range neq reg 1 0x00001500 0x00002300 ]
+
+# dccp sport {23, 24, 25}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00001700 : 0 [end] element 00001800 : 0 [end] element 00001900 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000021 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# dccp sport != {23, 24, 25}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00001700 : 0 [end] element 00001800 : 0 [end] element 00001900 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000021 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# dccp sport 20-50
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000021 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ cmp gte reg 1 0x00001400 ]
+ [ cmp lte reg 1 0x00003200 ]
+
+# dccp dport {23, 24, 25}
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00001700 : 0 [end] element 00001800 : 0 [end] element 00001900 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000021 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# dccp dport != {23, 24, 25}
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00001700 : 0 [end] element 00001800 : 0 [end] element 00001900 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000021 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00000000 : 0 [end] element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000006 : 0 [end] element 00000008 : 0 [end] element 0000000a : 0 [end] element 0000000c : 0 [end] element 0000000e : 0 [end] element 00000010 : 0 [end] element 00000012 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000021 ]
+ [ payload load 1b @ transport header + 8 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ]
+ [ lookup reg 1 set __set%d ]
+
+# dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00000000 : 0 [end] element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000006 : 0 [end] element 00000008 : 0 [end] element 0000000a : 0 [end] element 0000000c : 0 [end] element 0000000e : 0 [end] element 00000010 : 0 [end] element 00000012 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000021 ]
+ [ payload load 1b @ transport header + 8 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# dccp type request
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000021 ]
+ [ payload load 1b @ transport header + 8 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# dccp type != request
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000021 ]
+ [ payload load 1b @ transport header + 8 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ]
+ [ cmp neq reg 1 0x00000000 ]
+
+# dccp option 0 exists
+ip test-inet input
+ [ exthdr load 1b @ 0 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# dccp option 43 missing
+ip test-inet input
+ [ exthdr load 1b @ 43 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# dccp option 255 exists
+ip test-inet input
+ [ exthdr load 1b @ 255 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
diff --git a/tests/py/inet/dnat.t b/tests/py/inet/dnat.t
new file mode 100644
index 0000000..e4e169f
--- /dev/null
+++ b/tests/py/inet/dnat.t
@@ -0,0 +1,22 @@
+:prerouting;type nat hook prerouting priority 0
+
+*inet;test-inet;prerouting
+
+iifname "foo" tcp dport 80 redirect to :8080;ok
+
+iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2;ok
+iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443;ok
+meta l4proto tcp dnat to :80;ok;meta l4proto 6 dnat to :80
+
+dnat ip to ct mark map { 0x00000014 : 1.2.3.4};ok
+dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok
+
+dnat ip6 to 1.2.3.4;fail
+dnat to 1.2.3.4;fail
+dnat ip6 to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};fail
+ip6 daddr dead::beef dnat to 10.1.2.3;fail
+
+meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80;ok;meta l4proto { 6, 17} dnat ip to 1.1.1.1:80
+ip protocol { tcp, udp } dnat ip to 1.1.1.1:80;ok;ip protocol { 6, 17} dnat ip to 1.1.1.1:80
+meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80;fail
+ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80;fail
diff --git a/tests/py/inet/dnat.t.json b/tests/py/inet/dnat.t.json
new file mode 100644
index 0000000..c341a04
--- /dev/null
+++ b/tests/py/inet/dnat.t.json
@@ -0,0 +1,241 @@
+# iifname "foo" tcp dport 80 redirect to :8080
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "op": "==",
+ "right": "foo"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 80
+ }
+ },
+ {
+ "redirect": {
+ "port": 8080
+ }
+ }
+]
+
+# iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "op": "==",
+ "right": "eth0"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 443
+ }
+ },
+ {
+ "dnat": {
+ "addr": "192.168.3.2",
+ "family": "ip"
+ }
+ }
+]
+
+# iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "op": "==",
+ "right": "eth0"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 443
+ }
+ },
+ {
+ "dnat": {
+ "addr": "dead::beef",
+ "family": "ip6",
+ "port": 4443
+ }
+ }
+]
+
+# dnat ip to ct mark map { 0x00000014 : 1.2.3.4}
+[
+ {
+ "dnat": {
+ "addr": {
+ "map": {
+ "data": {
+ "set": [
+ [
+ 20,
+ "1.2.3.4"
+ ]
+ ]
+ },
+ "key": {
+ "ct": {
+ "key": "mark"
+ }
+ }
+ }
+ },
+ "family": "ip"
+ }
+ }
+]
+
+# dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4}
+[
+ {
+ "dnat": {
+ "addr": {
+ "map": {
+ "data": {
+ "set": [
+ [
+ {
+ "concat": [
+ 20,
+ "1.1.1.1"
+ ]
+ },
+ "1.2.3.4"
+ ]
+ ]
+ },
+ "key": {
+ "concat": [
+ {
+ "ct": {
+ "key": "mark"
+ }
+ },
+ {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip"
+ }
+ }
+ ]
+ }
+ }
+ },
+ "family": "ip"
+ }
+ }
+]
+
+# meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 6,
+ 17
+ ]
+ }
+ }
+ },
+ {
+ "dnat": {
+ "addr": "1.1.1.1",
+ "family": "ip",
+ "port": 80
+ }
+ }
+]
+
+# ip protocol { tcp, udp } dnat ip to 1.1.1.1:80
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 6,
+ 17
+ ]
+ }
+ }
+ },
+ {
+ "dnat": {
+ "addr": "1.1.1.1",
+ "family": "ip",
+ "port": 80
+ }
+ }
+]
+
+# meta l4proto tcp dnat to :80
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "dnat": {
+ "port": 80
+ }
+ }
+]
+
diff --git a/tests/py/inet/dnat.t.payload b/tests/py/inet/dnat.t.payload
new file mode 100644
index 0000000..ce1601a
--- /dev/null
+++ b/tests/py/inet/dnat.t.payload
@@ -0,0 +1,86 @@
+# iifname "foo" tcp dport 80 redirect to :8080
+inet test-inet prerouting
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x006f6f66 0x00000000 0x00000000 0x00000000 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00005000 ]
+ [ immediate reg 1 0x0000901f ]
+ [ redir proto_min reg 1 flags 0x2 ]
+
+# iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2
+inet test-inet prerouting
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000bb01 ]
+ [ immediate reg 1 0x0203a8c0 ]
+ [ nat dnat ip addr_min reg 1 ]
+
+# iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443
+inet test-inet prerouting
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000bb01 ]
+ [ immediate reg 1 0x0000adde 0x00000000 0x00000000 0xefbe0000 ]
+ [ immediate reg 2 0x00005b11 ]
+ [ nat dnat ip6 addr_min reg 1 proto_min reg 2 flags 0x2 ]
+
+# dnat ip to ct mark map { 0x00000014 : 1.2.3.4}
+__map%d test-inet b size 1
+__map%d test-inet 0
+ element 00000014 : 04030201 0 [end]
+inet test-inet prerouting
+ [ ct load mark => reg 1 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ nat dnat ip addr_min reg 1 ]
+
+# dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4}
+__map%d test-inet b size 1
+__map%d test-inet 0
+ element 00000014 01010101 : 04030201 0 [end]
+inet test-inet prerouting
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ ct load mark => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ nat dnat ip addr_min reg 1 ]
+
+# meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00000006 : 0 [end] element 00000011 : 0 [end]
+inet
+ [ meta load l4proto => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 1 0x01010101 ]
+ [ immediate reg 2 0x00005000 ]
+ [ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ]
+
+# ip protocol { tcp, udp } dnat ip to 1.1.1.1:80
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00000006 : 0 [end] element 00000011 : 0 [end]
+inet
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 1 0x01010101 ]
+ [ immediate reg 2 0x00005000 ]
+ [ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ]
+
+# meta l4proto tcp dnat to :80
+inet
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ immediate reg 1 0x00005000 ]
+ [ nat dnat inet proto_min reg 1 flags 0x2 ]
+
diff --git a/tests/py/inet/esp.t b/tests/py/inet/esp.t
new file mode 100644
index 0000000..536260c
--- /dev/null
+++ b/tests/py/inet/esp.t
@@ -0,0 +1,21 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+esp spi 100;ok
+esp spi != 100;ok
+esp spi 111-222;ok
+esp spi != 111-222;ok
+esp spi { 100, 102};ok
+esp spi != { 100, 102};ok
+
+esp sequence 22;ok
+esp sequence 22-24;ok
+esp sequence != 22-24;ok
+esp sequence { 22, 24};ok
+esp sequence != { 22, 24};ok
diff --git a/tests/py/inet/esp.t.json b/tests/py/inet/esp.t.json
new file mode 100644
index 0000000..a9dedd6
--- /dev/null
+++ b/tests/py/inet/esp.t.json
@@ -0,0 +1,204 @@
+# esp spi 100
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "spi",
+ "protocol": "esp"
+ }
+ },
+ "op": "==",
+ "right": 100
+ }
+ }
+]
+
+# esp spi != 100
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "spi",
+ "protocol": "esp"
+ }
+ },
+ "op": "!=",
+ "right": 100
+ }
+ }
+]
+
+# esp spi 111-222
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "spi",
+ "protocol": "esp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 111, 222 ]
+ }
+ }
+ }
+]
+
+# esp spi != 111-222
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "spi",
+ "protocol": "esp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 111, 222 ]
+ }
+ }
+ }
+]
+
+# esp spi { 100, 102}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "spi",
+ "protocol": "esp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 100,
+ 102
+ ]
+ }
+ }
+ }
+]
+
+# esp spi != { 100, 102}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "spi",
+ "protocol": "esp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 100,
+ 102
+ ]
+ }
+ }
+ }
+]
+
+# esp sequence 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "esp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# esp sequence 22-24
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "esp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 22, 24 ]
+ }
+ }
+ }
+]
+
+# esp sequence != 22-24
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "esp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 22, 24 ]
+ }
+ }
+ }
+]
+
+# esp sequence { 22, 24}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "esp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 22,
+ 24
+ ]
+ }
+ }
+ }
+]
+
+# esp sequence != { 22, 24}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "esp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 22,
+ 24
+ ]
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/esp.t.payload b/tests/py/inet/esp.t.payload
new file mode 100644
index 0000000..0353b05
--- /dev/null
+++ b/tests/py/inet/esp.t.payload
@@ -0,0 +1,91 @@
+# esp spi 100
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000032 ]
+ [ payload load 4b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x64000000 ]
+
+# esp spi != 100
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000032 ]
+ [ payload load 4b @ transport header + 0 => reg 1 ]
+ [ cmp neq reg 1 0x64000000 ]
+
+# esp spi 111-222
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000032 ]
+ [ payload load 4b @ transport header + 0 => reg 1 ]
+ [ cmp gte reg 1 0x6f000000 ]
+ [ cmp lte reg 1 0xde000000 ]
+
+# esp spi != 111-222
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000032 ]
+ [ payload load 4b @ transport header + 0 => reg 1 ]
+ [ range neq reg 1 0x6f000000 0xde000000 ]
+
+# esp spi { 100, 102}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 64000000 : 0 [end] element 66000000 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000032 ]
+ [ payload load 4b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# esp spi != { 100, 102}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 64000000 : 0 [end] element 66000000 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000032 ]
+ [ payload load 4b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# esp sequence 22
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000032 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp eq reg 1 0x16000000 ]
+
+# esp sequence 22-24
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000032 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp gte reg 1 0x16000000 ]
+ [ cmp lte reg 1 0x18000000 ]
+
+# esp sequence != 22-24
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000032 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ range neq reg 1 0x16000000 0x18000000 ]
+
+# esp sequence { 22, 24}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 16000000 : 0 [end] element 18000000 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000032 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# esp sequence != { 22, 24}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 16000000 : 0 [end] element 18000000 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000032 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/ether-ip.t b/tests/py/inet/ether-ip.t
new file mode 100644
index 0000000..759124d
--- /dev/null
+++ b/tests/py/inet/ether-ip.t
@@ -0,0 +1,9 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept
+tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04;ok
diff --git a/tests/py/inet/ether-ip.t.json b/tests/py/inet/ether-ip.t.json
new file mode 100644
index 0000000..8f35b3d
--- /dev/null
+++ b/tests/py/inet/ether-ip.t.json
@@ -0,0 +1,92 @@
+# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "iiftype" }
+ },
+ "op": "==",
+ "right": "ether"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "1.2.3.4"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "00:0f:54:0c:11:04"
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "1.2.3.4"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "00:0f:54:0c:11:04"
+ }
+ }
+]
+
diff --git a/tests/py/inet/ether-ip.t.json.output b/tests/py/inet/ether-ip.t.json.output
new file mode 100644
index 0000000..f659113
--- /dev/null
+++ b/tests/py/inet/ether-ip.t.json.output
@@ -0,0 +1,43 @@
+# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "00:0f:54:0c:11:04"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "1.2.3.4"
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
diff --git a/tests/py/inet/ether-ip.t.payload b/tests/py/inet/ether-ip.t.payload
new file mode 100644
index 0000000..62e37a5
--- /dev/null
+++ b/tests/py/inet/ether-ip.t.payload
@@ -0,0 +1,28 @@
+# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 8b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00080411 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x04030201 ]
+ [ immediate reg 0 accept ]
+
+# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x04030201 ]
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
diff --git a/tests/py/inet/ether-ip.t.payload.netdev b/tests/py/inet/ether-ip.t.payload.netdev
new file mode 100644
index 0000000..b0fa6d8
--- /dev/null
+++ b/tests/py/inet/ether-ip.t.payload.netdev
@@ -0,0 +1,29 @@
+# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04
+netdev test-netdev ingress
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x04030201 ]
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+
+# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept
+netdev test-netdev ingress
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 8b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00080411 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x04030201 ]
+ [ immediate reg 0 accept ]
+
diff --git a/tests/py/inet/ether.t b/tests/py/inet/ether.t
new file mode 100644
index 0000000..8625f70
--- /dev/null
+++ b/tests/py/inet/ether.t
@@ -0,0 +1,20 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*bridge;test-bridge;input
+*netdev;test-netdev;ingress,egress
+
+tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept
+tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept;ok
+
+ether saddr 00:0f:54:0c:11:04 accept;ok
+
+vlan id 1;ok
+ether type vlan vlan id 2;ok;vlan id 2
+
+# invalid dependency
+ether type ip vlan id 1;fail
diff --git a/tests/py/inet/ether.t.json b/tests/py/inet/ether.t.json
new file mode 100644
index 0000000..c7a7f88
--- /dev/null
+++ b/tests/py/inet/ether.t.json
@@ -0,0 +1,122 @@
+# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "iiftype" }
+ },
+ "op": "==",
+ "right": "ether"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "00:0f:54:0c:11:04"
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "00:0f:54:0c:11:04"
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# ether saddr 00:0f:54:0c:11:04 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "00:0f:54:0c:11:04"
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# vlan id 1
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "protocol": "vlan"
+ }
+ },
+ "op": "==",
+ "right": 1
+ }
+ }
+]
+
+# ether type vlan vlan id 2
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "protocol": "vlan"
+ }
+ },
+ "op": "==",
+ "right": 2
+ }
+ }
+]
+
diff --git a/tests/py/inet/ether.t.json.output b/tests/py/inet/ether.t.json.output
new file mode 100644
index 0000000..9ae8c44
--- /dev/null
+++ b/tests/py/inet/ether.t.json.output
@@ -0,0 +1,31 @@
+# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "00:0f:54:0c:11:04"
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
diff --git a/tests/py/inet/ether.t.payload b/tests/py/inet/ether.t.payload
new file mode 100644
index 0000000..8b74a78
--- /dev/null
+++ b/tests/py/inet/ether.t.payload
@@ -0,0 +1,52 @@
+# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+ [ immediate reg 0 accept ]
+
+# tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+ [ immediate reg 0 accept ]
+
+# ether saddr 00:0f:54:0c:11:04 accept
+inet test-inet input
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+ [ immediate reg 0 accept ]
+
+# vlan id 1
+netdev test-netdev ingress
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ payload load 2b @ link header + 14 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000100 ]
+
+# ether type vlan vlan id 2
+netdev test-netdev ingress
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ payload load 2b @ link header + 14 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000200 ]
+
diff --git a/tests/py/inet/ether.t.payload.bridge b/tests/py/inet/ether.t.payload.bridge
new file mode 100644
index 0000000..0128d5f
--- /dev/null
+++ b/tests/py/inet/ether.t.payload.bridge
@@ -0,0 +1,44 @@
+# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept
+bridge test-bridge input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+ [ immediate reg 0 accept ]
+
+# tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept
+bridge test-bridge input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+ [ immediate reg 0 accept ]
+
+# ether saddr 00:0f:54:0c:11:04 accept
+bridge test-bridge input
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+ [ immediate reg 0 accept ]
+
+# vlan id 1
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ payload load 2b @ link header + 14 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000100 ]
+
+# ether type vlan vlan id 2
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ payload load 2b @ link header + 14 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000200 ]
+
diff --git a/tests/py/inet/ether.t.payload.ip b/tests/py/inet/ether.t.payload.ip
new file mode 100644
index 0000000..7c91f41
--- /dev/null
+++ b/tests/py/inet/ether.t.payload.ip
@@ -0,0 +1,52 @@
+# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+ [ immediate reg 0 accept ]
+
+# tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+ [ immediate reg 0 accept ]
+
+# ether saddr 00:0f:54:0c:11:04 accept
+ip test-ip4 input
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 6b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0c540f00 0x00000411 ]
+ [ immediate reg 0 accept ]
+
+# vlan id 1
+ip test-ip4 input
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ payload load 2b @ link header + 14 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000100 ]
+
+# ether type vlan vlan id 2
+ip test-ip4 input
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ payload load 2b @ link header + 14 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000200 ]
+
diff --git a/tests/py/inet/fib.t b/tests/py/inet/fib.t
new file mode 100644
index 0000000..dbe45d9
--- /dev/null
+++ b/tests/py/inet/fib.t
@@ -0,0 +1,17 @@
+:prerouting;type filter hook prerouting priority 0
+
+*ip;test-ip;prerouting
+*ip6;test-ip6;prerouting
+
+fib saddr . daddr oif lo;fail
+fib iif . oif . daddr oif lo;fail
+fib mark oif lo;fail
+fib saddr . iif oif ne 0;ok;fib saddr . iif oif != 0
+fib saddr . iif oifname "lo";ok
+
+fib daddr . iif type local;ok
+fib daddr . iif type vmap { blackhole : drop, prohibit : drop, unicast : accept };ok
+fib daddr . oif type local;fail
+
+fib daddr oif exists;ok
+fib daddr oif missing;ok
diff --git a/tests/py/inet/fib.t.json b/tests/py/inet/fib.t.json
new file mode 100644
index 0000000..c298915
--- /dev/null
+++ b/tests/py/inet/fib.t.json
@@ -0,0 +1,132 @@
+# fib saddr . iif oif ne 0
+[
+ {
+ "match": {
+ "left": {
+ "fib": {
+ "flags": [
+ "saddr",
+ "iif"
+ ],
+ "result": "oif"
+ }
+ },
+ "op": "!=",
+ "right": "0"
+ }
+ }
+]
+
+# fib saddr . iif oifname "lo"
+[
+ {
+ "match": {
+ "left": {
+ "fib": {
+ "flags": [
+ "saddr",
+ "iif"
+ ],
+ "result": "oifname"
+ }
+ },
+ "op": "==",
+ "right": "lo"
+ }
+ }
+]
+
+# fib daddr . iif type local
+[
+ {
+ "match": {
+ "left": {
+ "fib": {
+ "flags": [
+ "daddr",
+ "iif"
+ ],
+ "result": "type"
+ }
+ },
+ "op": "==",
+ "right": "local"
+ }
+ }
+]
+
+# fib daddr . iif type vmap { blackhole : drop, prohibit : drop, unicast : accept }
+[
+ {
+ "vmap": {
+ "key": {
+ "fib": {
+ "flags": [
+ "daddr",
+ "iif"
+ ],
+ "result": "type"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ "blackhole",
+ {
+ "drop": null
+ }
+ ],
+ [
+ "prohibit",
+ {
+ "drop": null
+ }
+ ],
+ [
+ "unicast",
+ {
+ "accept": null
+ }
+ ]
+ ]
+ }
+ }
+ }
+]
+
+# fib daddr oif exists
+[
+ {
+ "match": {
+ "left": {
+ "fib": {
+ "flags": [
+ "daddr"
+ ],
+ "result": "oif"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# fib daddr oif missing
+[
+ {
+ "match": {
+ "left": {
+ "fib": {
+ "flags": [
+ "daddr"
+ ],
+ "result": "oif"
+ }
+ },
+ "op": "==",
+ "right": false
+ }
+ }
+]
+
diff --git a/tests/py/inet/fib.t.json.output b/tests/py/inet/fib.t.json.output
new file mode 100644
index 0000000..52cd46b
--- /dev/null
+++ b/tests/py/inet/fib.t.json.output
@@ -0,0 +1,39 @@
+# fib daddr . iif type vmap { blackhole : drop, prohibit : drop, unicast : accept }
+[
+ {
+ "vmap": {
+ "key": {
+ "fib": {
+ "flags": [
+ "daddr",
+ "iif"
+ ],
+ "result": "type"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ "unicast",
+ {
+ "accept": null
+ }
+ ],
+ [
+ "blackhole",
+ {
+ "drop": null
+ }
+ ],
+ [
+ "prohibit",
+ {
+ "drop": null
+ }
+ ]
+ ]
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/fib.t.payload b/tests/py/inet/fib.t.payload
new file mode 100644
index 0000000..050857d
--- /dev/null
+++ b/tests/py/inet/fib.t.payload
@@ -0,0 +1,32 @@
+# fib saddr . iif oif ne 0
+ip test-ip prerouting
+ [ fib saddr . iif oif => reg 1 ]
+ [ cmp neq reg 1 0x00000000 ]
+
+# fib saddr . iif oifname "lo"
+ip test-ip prerouting
+ [ fib saddr . iif oifname => reg 1 ]
+ [ cmp eq reg 1 0x00006f6c 0x00000000 0x00000000 0x00000000 ]
+
+# fib daddr . iif type local
+ip test-ip prerouting
+ [ fib daddr . iif type => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+
+# fib daddr . iif type vmap { blackhole : drop, prohibit : drop, unicast : accept }
+__map%d test-ip b
+__map%d test-ip 0
+ element 00000006 : drop 0 [end] element 00000008 : drop 0 [end] element 00000001 : accept 0 [end]
+ip test-ip prerouting
+ [ fib daddr . iif type => reg 1 ]
+ [ lookup reg 1 set __map%d dreg 0 ]
+
+# fib daddr oif exists
+ip test-ip prerouting
+ [ fib daddr oif present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# fib daddr oif missing
+ip test-ip prerouting
+ [ fib daddr oif present => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
diff --git a/tests/py/inet/geneve.t b/tests/py/inet/geneve.t
new file mode 100644
index 0000000..101f6df
--- /dev/null
+++ b/tests/py/inet/geneve.t
@@ -0,0 +1,23 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+geneve vni 10;fail
+udp dport 6081 geneve vni 10;ok
+udp dport 6081 geneve ip saddr 10.141.11.2;ok
+udp dport 6081 geneve ip saddr 10.141.11.0/24;ok
+udp dport 6081 geneve ip protocol 1;ok
+udp dport 6081 geneve udp sport 8888;ok
+udp dport 6081 geneve icmp type echo-reply;ok
+udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05;ok
+udp dport 6081 geneve vlan id 10;ok
+udp dport 6081 geneve ip dscp 0x02;ok
+udp dport 6081 geneve ip dscp 0x02;ok
+udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 };ok
+
+udp dport 6081 geneve ip saddr set 1.2.3.4;fail
diff --git a/tests/py/inet/geneve.t.json b/tests/py/inet/geneve.t.json
new file mode 100644
index 0000000..a299fcd
--- /dev/null
+++ b/tests/py/inet/geneve.t.json
@@ -0,0 +1,344 @@
+# udp dport 6081 geneve vni 10
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 6081
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "vni",
+ "protocol": "geneve",
+ "tunnel": "geneve"
+ }
+ },
+ "op": "==",
+ "right": 10
+ }
+ }
+]
+
+# udp dport 6081 geneve ip saddr 10.141.11.2
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 6081
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip",
+ "tunnel": "geneve"
+ }
+ },
+ "op": "==",
+ "right": "10.141.11.2"
+ }
+ }
+]
+
+# udp dport 6081 geneve ip saddr 10.141.11.0/24
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 6081
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip",
+ "tunnel": "geneve"
+ }
+ },
+ "op": "==",
+ "right": {
+ "prefix": {
+ "addr": "10.141.11.0",
+ "len": 24
+ }
+ }
+ }
+ }
+]
+
+# udp dport 6081 geneve ip protocol 1
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 6081
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip",
+ "tunnel": "geneve"
+ }
+ },
+ "op": "==",
+ "right": 1
+ }
+ }
+]
+
+# udp dport 6081 geneve udp sport 8888
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 6081
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udp",
+ "tunnel": "geneve"
+ }
+ },
+ "op": "==",
+ "right": 8888
+ }
+ }
+]
+
+# udp dport 6081 geneve icmp type echo-reply
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 6081
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmp",
+ "tunnel": "geneve"
+ }
+ },
+ "op": "==",
+ "right": "echo-reply"
+ }
+ }
+]
+
+# udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 6081
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ether",
+ "tunnel": "geneve"
+ }
+ },
+ "op": "==",
+ "right": "62:87:4d:d6:19:05"
+ }
+ }
+]
+
+# udp dport 6081 geneve vlan id 10
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 6081
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "protocol": "vlan",
+ "tunnel": "geneve"
+ }
+ },
+ "op": "==",
+ "right": 10
+ }
+ }
+]
+
+# udp dport 6081 geneve ip dscp 0x02
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 6081
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip",
+ "tunnel": "geneve"
+ }
+ },
+ "op": "==",
+ "right": 2
+ }
+ }
+]
+
+# udp dport 6081 geneve ip dscp 0x02
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 6081
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip",
+ "tunnel": "geneve"
+ }
+ },
+ "op": "==",
+ "right": 2
+ }
+ }
+]
+
+# udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 }
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 6081
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip",
+ "tunnel": "geneve"
+ }
+ },
+ {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip",
+ "tunnel": "geneve"
+ }
+ }
+ ]
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "concat": [
+ "1.2.3.4",
+ "4.3.2.1"
+ ]
+ }
+ ]
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/geneve.t.payload b/tests/py/inet/geneve.t.payload
new file mode 100644
index 0000000..1ce54de
--- /dev/null
+++ b/tests/py/inet/geneve.t.payload
@@ -0,0 +1,114 @@
+# udp dport 6081 geneve vni 10
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000c117 ]
+ [ inner type 2 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ]
+ [ cmp eq reg 1 0x000a0000 ]
+
+# udp dport 6081 geneve ip saddr 10.141.11.2
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000c117 ]
+ [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 2 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ]
+ [ cmp eq reg 1 0x020b8d0a ]
+
+# udp dport 6081 geneve ip saddr 10.141.11.0/24
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000c117 ]
+ [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 2 hdrsize 8 flags f [ payload load 3b @ network header + 12 => reg 1 ] ]
+ [ cmp eq reg 1 0x000b8d0a ]
+
+# udp dport 6081 geneve ip protocol 1
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000c117 ]
+ [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 2 hdrsize 8 flags f [ payload load 1b @ network header + 9 => reg 1 ] ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# udp dport 6081 geneve udp sport 8888
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000c117 ]
+ [ inner type 2 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ inner type 2 hdrsize 8 flags f [ payload load 2b @ transport header + 0 => reg 1 ] ]
+ [ cmp eq reg 1 0x0000b822 ]
+
+# udp dport 6081 geneve icmp type echo-reply
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000c117 ]
+ [ inner type 2 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 2 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ inner type 2 hdrsize 8 flags f [ payload load 1b @ transport header + 0 => reg 1 ] ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000c117 ]
+ [ inner type 2 hdrsize 8 flags f [ payload load 6b @ link header + 6 => reg 1 ] ]
+ [ cmp eq reg 1 0xd64d8762 0x00000519 ]
+
+# udp dport 6081 geneve vlan id 10
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000c117 ]
+ [ inner type 2 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ inner type 2 hdrsize 8 flags f [ payload load 2b @ link header + 14 => reg 1 ] ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000a00 ]
+
+# udp dport 6081 geneve ip dscp 0x02
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000c117 ]
+ [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 2 hdrsize 8 flags f [ payload load 1b @ network header + 1 => reg 1 ] ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000008 ]
+
+# udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 }
+__set%d test-ip4 3 size 1
+__set%d test-ip4 0
+ element 04030201 01020304 : 0 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000c117 ]
+ [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 2 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ]
+ [ inner type 2 hdrsize 8 flags f [ payload load 4b @ network header + 16 => reg 9 ] ]
+ [ lookup reg 1 set __set%d ]
+
diff --git a/tests/py/inet/gre.t b/tests/py/inet/gre.t
new file mode 100644
index 0000000..a3e046a
--- /dev/null
+++ b/tests/py/inet/gre.t
@@ -0,0 +1,22 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+gre version 0;ok
+gre ip saddr 10.141.11.2;ok
+gre ip saddr 10.141.11.0/24;ok
+gre ip protocol 1;ok
+gre udp sport 8888;ok
+gre icmp type echo-reply;ok
+gre ether saddr 62:87:4d:d6:19:05;fail
+gre vlan id 10;fail
+gre ip dscp 0x02;ok
+gre ip dscp 0x02;ok
+gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 };ok
+
+gre ip saddr set 1.2.3.4;fail
diff --git a/tests/py/inet/gre.t.json b/tests/py/inet/gre.t.json
new file mode 100644
index 0000000..c443176
--- /dev/null
+++ b/tests/py/inet/gre.t.json
@@ -0,0 +1,177 @@
+# gre version 0
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "version",
+ "protocol": "gre"
+ }
+ },
+ "op": "==",
+ "right": 0
+ }
+ }
+]
+
+# gre ip saddr 10.141.11.2
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip",
+ "tunnel": "gre"
+ }
+ },
+ "op": "==",
+ "right": "10.141.11.2"
+ }
+ }
+]
+
+# gre ip saddr 10.141.11.0/24
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip",
+ "tunnel": "gre"
+ }
+ },
+ "op": "==",
+ "right": {
+ "prefix": {
+ "addr": "10.141.11.0",
+ "len": 24
+ }
+ }
+ }
+ }
+]
+
+# gre ip protocol 1
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip",
+ "tunnel": "gre"
+ }
+ },
+ "op": "==",
+ "right": 1
+ }
+ }
+]
+
+# gre udp sport 8888
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udp",
+ "tunnel": "gre"
+ }
+ },
+ "op": "==",
+ "right": 8888
+ }
+ }
+]
+
+# gre icmp type echo-reply
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmp",
+ "tunnel": "gre"
+ }
+ },
+ "op": "==",
+ "right": "echo-reply"
+ }
+ }
+]
+
+# gre ip dscp 0x02
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip",
+ "tunnel": "gre"
+ }
+ },
+ "op": "==",
+ "right": 2
+ }
+ }
+]
+
+# gre ip dscp 0x02
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip",
+ "tunnel": "gre"
+ }
+ },
+ "op": "==",
+ "right": 2
+ }
+ }
+]
+
+# gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 }
+[
+ {
+ "match": {
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip",
+ "tunnel": "gre"
+ }
+ },
+ {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip",
+ "tunnel": "gre"
+ }
+ }
+ ]
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "concat": [
+ "1.2.3.4",
+ "4.3.2.1"
+ ]
+ }
+ ]
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/gre.t.payload b/tests/py/inet/gre.t.payload
new file mode 100644
index 0000000..333133e
--- /dev/null
+++ b/tests/py/inet/gre.t.payload
@@ -0,0 +1,78 @@
+# gre version 0
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000002f ]
+ [ payload load 1b @ transport header + 1 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000007 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# gre ip saddr 10.141.11.2
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000002f ]
+ [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 3 hdrsize 4 flags c [ payload load 4b @ network header + 12 => reg 1 ] ]
+ [ cmp eq reg 1 0x020b8d0a ]
+
+# gre ip saddr 10.141.11.0/24
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000002f ]
+ [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 3 hdrsize 4 flags c [ payload load 3b @ network header + 12 => reg 1 ] ]
+ [ cmp eq reg 1 0x000b8d0a ]
+
+# gre ip protocol 1
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000002f ]
+ [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 3 hdrsize 4 flags c [ payload load 1b @ network header + 9 => reg 1 ] ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# gre udp sport 8888
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000002f ]
+ [ inner type 3 hdrsize 4 flags c [ meta load l4proto => reg 1 ] ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ inner type 3 hdrsize 4 flags c [ payload load 2b @ transport header + 0 => reg 1 ] ]
+ [ cmp eq reg 1 0x0000b822 ]
+
+# gre icmp type echo-reply
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000002f ]
+ [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 3 hdrsize 4 flags c [ meta load l4proto => reg 1 ] ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ inner type 3 hdrsize 4 flags c [ payload load 1b @ transport header + 0 => reg 1 ] ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# gre ip dscp 0x02
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000002f ]
+ [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 3 hdrsize 4 flags c [ payload load 1b @ network header + 1 => reg 1 ] ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000008 ]
+
+# gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 }
+__set%d test-ip4 3 size 1
+__set%d test-ip4 0
+ element 04030201 01020304 : 0 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000002f ]
+ [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 3 hdrsize 4 flags c [ payload load 4b @ network header + 12 => reg 1 ] ]
+ [ inner type 3 hdrsize 4 flags c [ payload load 4b @ network header + 16 => reg 9 ] ]
+ [ lookup reg 1 set __set%d ]
+
diff --git a/tests/py/inet/gretap.t b/tests/py/inet/gretap.t
new file mode 100644
index 0000000..cd7ee21
--- /dev/null
+++ b/tests/py/inet/gretap.t
@@ -0,0 +1,21 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+gretap ip saddr 10.141.11.2;ok
+gretap ip saddr 10.141.11.0/24;ok
+gretap ip protocol 1;ok
+gretap udp sport 8888;ok
+gretap icmp type echo-reply;ok
+gretap ether saddr 62:87:4d:d6:19:05;ok
+gretap vlan id 10;ok
+gretap ip dscp 0x02;ok
+gretap ip dscp 0x02;ok
+gretap ip saddr . gretap ip daddr { 1.2.3.4 . 4.3.2.1 };ok
+
+gretap ip saddr set 1.2.3.4;fail
diff --git a/tests/py/inet/gretap.t.json b/tests/py/inet/gretap.t.json
new file mode 100644
index 0000000..36fa978
--- /dev/null
+++ b/tests/py/inet/gretap.t.json
@@ -0,0 +1,195 @@
+# gretap ip saddr 10.141.11.2
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip",
+ "tunnel": "gretap"
+ }
+ },
+ "op": "==",
+ "right": "10.141.11.2"
+ }
+ }
+]
+
+# gretap ip saddr 10.141.11.0/24
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip",
+ "tunnel": "gretap"
+ }
+ },
+ "op": "==",
+ "right": {
+ "prefix": {
+ "addr": "10.141.11.0",
+ "len": 24
+ }
+ }
+ }
+ }
+]
+
+# gretap ip protocol 1
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip",
+ "tunnel": "gretap"
+ }
+ },
+ "op": "==",
+ "right": 1
+ }
+ }
+]
+
+# gretap udp sport 8888
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udp",
+ "tunnel": "gretap"
+ }
+ },
+ "op": "==",
+ "right": 8888
+ }
+ }
+]
+
+# gretap icmp type echo-reply
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmp",
+ "tunnel": "gretap"
+ }
+ },
+ "op": "==",
+ "right": "echo-reply"
+ }
+ }
+]
+
+# gretap ether saddr 62:87:4d:d6:19:05
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ether",
+ "tunnel": "gretap"
+ }
+ },
+ "op": "==",
+ "right": "62:87:4d:d6:19:05"
+ }
+ }
+]
+
+# gretap vlan id 10
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "protocol": "vlan",
+ "tunnel": "gretap"
+ }
+ },
+ "op": "==",
+ "right": 10
+ }
+ }
+]
+
+# gretap ip dscp 0x02
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip",
+ "tunnel": "gretap"
+ }
+ },
+ "op": "==",
+ "right": 2
+ }
+ }
+]
+
+# gretap ip dscp 0x02
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip",
+ "tunnel": "gretap"
+ }
+ },
+ "op": "==",
+ "right": 2
+ }
+ }
+]
+
+# gretap ip saddr . gretap ip daddr { 1.2.3.4 . 4.3.2.1 }
+[
+ {
+ "match": {
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip",
+ "tunnel": "gretap"
+ }
+ },
+ {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip",
+ "tunnel": "gretap"
+ }
+ }
+ ]
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "concat": [
+ "1.2.3.4",
+ "4.3.2.1"
+ ]
+ }
+ ]
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/gretap.t.payload b/tests/py/inet/gretap.t.payload
new file mode 100644
index 0000000..654c71e
--- /dev/null
+++ b/tests/py/inet/gretap.t.payload
@@ -0,0 +1,87 @@
+# gretap ip saddr 10.141.11.2
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000002f ]
+ [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 4 hdrsize 4 flags e [ payload load 4b @ network header + 12 => reg 1 ] ]
+ [ cmp eq reg 1 0x020b8d0a ]
+
+# gretap ip saddr 10.141.11.0/24
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000002f ]
+ [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 4 hdrsize 4 flags e [ payload load 3b @ network header + 12 => reg 1 ] ]
+ [ cmp eq reg 1 0x000b8d0a ]
+
+# gretap ip protocol 1
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000002f ]
+ [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 4 hdrsize 4 flags e [ payload load 1b @ network header + 9 => reg 1 ] ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# gretap udp sport 8888
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000002f ]
+ [ inner type 4 hdrsize 4 flags e [ meta load l4proto => reg 1 ] ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ inner type 4 hdrsize 4 flags e [ payload load 2b @ transport header + 0 => reg 1 ] ]
+ [ cmp eq reg 1 0x0000b822 ]
+
+# gretap icmp type echo-reply
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000002f ]
+ [ inner type 4 hdrsize 4 flags e [ payload load 2b @ link header + 12 => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 4 hdrsize 4 flags e [ meta load l4proto => reg 1 ] ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ inner type 4 hdrsize 4 flags e [ payload load 1b @ transport header + 0 => reg 1 ] ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# gretap ether saddr 62:87:4d:d6:19:05
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000002f ]
+ [ inner type 4 hdrsize 4 flags e [ payload load 6b @ link header + 6 => reg 1 ] ]
+ [ cmp eq reg 1 0xd64d8762 0x00000519 ]
+
+# gretap vlan id 10
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000002f ]
+ [ inner type 4 hdrsize 4 flags e [ payload load 2b @ link header + 12 => reg 1 ] ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ inner type 4 hdrsize 4 flags e [ payload load 2b @ link header + 14 => reg 1 ] ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000a00 ]
+
+# gretap ip dscp 0x02
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000002f ]
+ [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 4 hdrsize 4 flags e [ payload load 1b @ network header + 1 => reg 1 ] ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000008 ]
+
+# gretap ip saddr . gretap ip daddr { 1.2.3.4 . 4.3.2.1 }
+__set%d test-ip4 3 size 1
+__set%d test-ip4 0
+ element 04030201 01020304 : 0 [end]
+ip test-ip4 input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000002f ]
+ [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 4 hdrsize 4 flags e [ payload load 4b @ network header + 12 => reg 1 ] ]
+ [ inner type 4 hdrsize 4 flags e [ payload load 4b @ network header + 16 => reg 9 ] ]
+ [ lookup reg 1 set __set%d ]
+
diff --git a/tests/py/inet/icmp.t b/tests/py/inet/icmp.t
new file mode 100644
index 0000000..9014f84
--- /dev/null
+++ b/tests/py/inet/icmp.t
@@ -0,0 +1,18 @@
+:output;type filter hook output priority 0
+
+*inet;test-inet;output
+
+# without nfproto specified, these should add an implicit dependency on
+# the likely l3 proto (i.e., IPv6 for icmpv6 and IPv4 for icmp)
+
+icmp type echo-request;ok
+icmpv6 type echo-request;ok
+
+# make sure only those nfproto matches are dropped if
+# the next statement would add it as a dependency anyway
+
+meta nfproto ipv4 icmp type echo-request;ok;icmp type echo-request
+meta nfproto ipv4 icmpv6 type echo-request;ok
+
+meta nfproto ipv6 icmp type echo-request;ok
+meta nfproto ipv6 icmpv6 type echo-request;ok;icmpv6 type echo-request
diff --git a/tests/py/inet/icmp.t.json b/tests/py/inet/icmp.t.json
new file mode 100644
index 0000000..64be2b3
--- /dev/null
+++ b/tests/py/inet/icmp.t.json
@@ -0,0 +1,124 @@
+# icmp type echo-request
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmp"
+ }
+ },
+ "op": "==",
+ "right": "echo-request"
+ }
+ }
+]
+
+# icmpv6 type echo-request
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": "echo-request"
+ }
+ }
+]
+
+# meta nfproto ipv4 icmp type echo-request
+[
+ {
+ "match": {
+ "left": { "meta": { "key": "nfproto" } },
+ "op": "==",
+ "right": "ipv4"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmp"
+ }
+ },
+ "op": "==",
+ "right": "echo-request"
+ }
+ }
+]
+
+# meta nfproto ipv4 icmpv6 type echo-request
+[
+ {
+ "match": {
+ "left": { "meta": { "key": "nfproto" } },
+ "op": "==",
+ "right": "ipv4"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": "echo-request"
+ }
+ }
+]
+
+# meta nfproto ipv6 icmp type echo-request
+[
+ {
+ "match": {
+ "left": { "meta": { "key": "nfproto" } },
+ "op": "==",
+ "right": "ipv6"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmp"
+ }
+ },
+ "op": "==",
+ "right": "echo-request"
+ }
+ }
+]
+
+# meta nfproto ipv6 icmpv6 type echo-request
+[
+ {
+ "match": {
+ "left": { "meta": { "key": "nfproto" } },
+ "op": "==",
+ "right": "ipv6"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": "echo-request"
+ }
+ }
+]
+
diff --git a/tests/py/inet/icmp.t.json.output b/tests/py/inet/icmp.t.json.output
new file mode 100644
index 0000000..062c82f
--- /dev/null
+++ b/tests/py/inet/icmp.t.json.output
@@ -0,0 +1,32 @@
+# meta nfproto ipv4 icmp type echo-request
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmp"
+ }
+ },
+ "op": "==",
+ "right": "echo-request"
+ }
+ }
+]
+
+# meta nfproto ipv6 icmpv6 type echo-request
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": "echo-request"
+ }
+ }
+]
+
diff --git a/tests/py/inet/icmp.t.payload b/tests/py/inet/icmp.t.payload
new file mode 100644
index 0000000..f98cfc3
--- /dev/null
+++ b/tests/py/inet/icmp.t.payload
@@ -0,0 +1,54 @@
+# icmp type echo-request
+inet test-inet output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+
+# icmpv6 type echo-request
+inet test-inet output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000080 ]
+
+# meta nfproto ipv4 icmp type echo-request
+inet test-inet output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+
+# meta nfproto ipv4 icmpv6 type echo-request
+inet test-inet output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000080 ]
+
+# meta nfproto ipv6 icmp type echo-request
+inet test-inet output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+
+# meta nfproto ipv6 icmpv6 type echo-request
+inet test-inet output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000080 ]
+
diff --git a/tests/py/inet/icmpX.t b/tests/py/inet/icmpX.t
new file mode 100644
index 0000000..9430b3d
--- /dev/null
+++ b/tests/py/inet/icmpX.t
@@ -0,0 +1,10 @@
+:input;type filter hook input priority 0
+
+*inet;test-inet;input
+
+ip protocol icmp icmp type echo-request;ok;ip protocol 1 icmp type echo-request
+icmp type echo-request;ok
+ip6 nexthdr icmpv6 icmpv6 type echo-request;ok;ip6 nexthdr 58 icmpv6 type echo-request
+icmpv6 type echo-request;ok
+# must not remove 'ip protocol' dependency, this explicitly matches icmpv6-in-ipv4.
+ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1;ok;ip protocol 58 icmpv6 type destination-unreachable
diff --git a/tests/py/inet/icmpX.t.json b/tests/py/inet/icmpX.t.json
new file mode 100644
index 0000000..8e13091
--- /dev/null
+++ b/tests/py/inet/icmpX.t.json
@@ -0,0 +1,125 @@
+# ip protocol icmp icmp type echo-request
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "icmp"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmp"
+ }
+ },
+ "op": "==",
+ "right": "echo-request"
+ }
+ }
+]
+
+# icmp type echo-request
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmp"
+ }
+ },
+ "op": "==",
+ "right": "echo-request"
+ }
+ }
+]
+
+# ip6 nexthdr icmpv6 icmpv6 type echo-request
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "nexthdr",
+ "protocol": "ip6"
+ }
+ },
+ "op": "==",
+ "right": "icmpv6"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": "echo-request"
+ }
+ }
+]
+
+# icmpv6 type echo-request
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": "echo-request"
+ }
+ }
+]
+
+# ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "ipv6-icmp"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "l4proto" }
+ },
+ "op": "==",
+ "right": "ipv6-icmp"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": 1
+ }
+ }
+]
+
diff --git a/tests/py/inet/icmpX.t.json.output b/tests/py/inet/icmpX.t.json.output
new file mode 100644
index 0000000..7765cd9
--- /dev/null
+++ b/tests/py/inet/icmpX.t.json.output
@@ -0,0 +1,84 @@
+# ip protocol icmp icmp type echo-request
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": 1
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmp"
+ }
+ },
+ "op": "==",
+ "right": "echo-request"
+ }
+ }
+]
+
+# ip6 nexthdr icmpv6 icmpv6 type echo-request
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "nexthdr",
+ "protocol": "ip6"
+ }
+ },
+ "op": "==",
+ "right": 58
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": "echo-request"
+ }
+ }
+]
+
+# ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": 58
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": "destination-unreachable"
+ }
+ }
+]
+
diff --git a/tests/py/inet/icmpX.t.payload b/tests/py/inet/icmpX.t.payload
new file mode 100644
index 0000000..9a761ee
--- /dev/null
+++ b/tests/py/inet/icmpX.t.payload
@@ -0,0 +1,46 @@
+# ip protocol icmp icmp type echo-request
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+
+# icmp type echo-request
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+
+# ip6 nexthdr icmpv6 icmpv6 type echo-request
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 1b @ network header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000080 ]
+
+# icmpv6 type echo-request
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000080 ]
+
+# ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1
+inet filter input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
diff --git a/tests/py/inet/ip.t b/tests/py/inet/ip.t
new file mode 100644
index 0000000..bdb3330
--- /dev/null
+++ b/tests/py/inet/ip.t
@@ -0,0 +1,12 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*inet;test-inet;input
+*bridge;test-bridge;input
+*netdev;test-netdev;ingress,egress
+
+ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe };ok
+ip saddr vmap { 10.0.1.0-10.0.1.255 : accept, 10.0.1.1-10.0.2.255 : drop };fail
+ip saddr vmap { 3.3.3.3-3.3.3.4 : accept, 1.1.1.1-1.1.1.255 : accept, 1.1.1.0-1.1.2.1 : drop};fail
diff --git a/tests/py/inet/ip.t.json b/tests/py/inet/ip.t.json
new file mode 100644
index 0000000..638fb7d
--- /dev/null
+++ b/tests/py/inet/ip.t.json
@@ -0,0 +1,42 @@
+# ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe }
+[
+ {
+ "match": {
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip"
+ }
+ },
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ether"
+ }
+ }
+ ]
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "concat": [
+ "1.1.1.1",
+ "2.2.2.2",
+ "ca:fe:ca:fe:ca:fe"
+ ]
+ }
+ ]
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/ip.t.payload b/tests/py/inet/ip.t.payload
new file mode 100644
index 0000000..589a5cd
--- /dev/null
+++ b/tests/py/inet/ip.t.payload
@@ -0,0 +1,11 @@
+# ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe }
+__set%d test-inet 3
+__set%d test-inet 0
+ element 01010101 02020202 fecafeca 0000feca : 0 [end]
+inet test-ip input
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ payload load 6b @ link header + 6 => reg 10 ]
+ [ lookup reg 1 set __set%d ]
diff --git a/tests/py/inet/ip.t.payload.bridge b/tests/py/inet/ip.t.payload.bridge
new file mode 100644
index 0000000..57dbc9e
--- /dev/null
+++ b/tests/py/inet/ip.t.payload.bridge
@@ -0,0 +1,11 @@
+# ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe }
+__set%d test-bridge 3
+__set%d test-bridge 0
+ element 01010101 02020202 fecafeca 0000feca : 0 [end]
+bridge test-bridge input
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ payload load 6b @ link header + 6 => reg 10 ]
+ [ lookup reg 1 set __set%d ]
diff --git a/tests/py/inet/ip.t.payload.inet b/tests/py/inet/ip.t.payload.inet
new file mode 100644
index 0000000..8df41de
--- /dev/null
+++ b/tests/py/inet/ip.t.payload.inet
@@ -0,0 +1,14 @@
+# ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe }
+__set%d test-inet 3
+__set%d test-inet 0
+ element 01010101 02020202 fecafeca 0000feca : 0 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ payload load 6b @ link header + 6 => reg 10 ]
+ [ lookup reg 1 set __set%d ]
+
diff --git a/tests/py/inet/ip.t.payload.netdev b/tests/py/inet/ip.t.payload.netdev
new file mode 100644
index 0000000..95be919
--- /dev/null
+++ b/tests/py/inet/ip.t.payload.netdev
@@ -0,0 +1,14 @@
+# ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe }
+__set%d test-netdev 3
+__set%d test-netdev 0
+ element 01010101 02020202 fecafeca 0000feca : 0 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ payload load 6b @ link header + 6 => reg 10 ]
+ [ lookup reg 1 set __set%d ]
+
diff --git a/tests/py/inet/ip_tcp.t b/tests/py/inet/ip_tcp.t
new file mode 100644
index 0000000..03bafc0
--- /dev/null
+++ b/tests/py/inet/ip_tcp.t
@@ -0,0 +1,21 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*inet;test-inet;input
+*bridge;test-bridge;input
+*netdev;test-netdev;ingress,egress
+
+# must not remove ip dependency -- ONLY ipv4 packets should be matched
+ip protocol tcp tcp dport 22;ok;ip protocol 6 tcp dport 22
+
+# could in principle remove it here since ipv4 is implied via saddr.
+ip protocol tcp ip saddr 1.2.3.4 tcp dport 22;ok;ip protocol 6 ip saddr 1.2.3.4 tcp dport 22
+
+# but not here.
+ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22;ok;ip protocol 6 counter ip saddr 1.2.3.4 tcp dport 22
+
+# or here.
+ip protocol tcp counter tcp dport 22;ok;ip protocol 6 counter tcp dport 22
+
+ether type ip tcp dport 22;ok
diff --git a/tests/py/inet/ip_tcp.t.json b/tests/py/inet/ip_tcp.t.json
new file mode 100644
index 0000000..87cb9bf
--- /dev/null
+++ b/tests/py/inet/ip_tcp.t.json
@@ -0,0 +1,170 @@
+# ip protocol tcp tcp dport 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "tcp"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# ip protocol tcp ip saddr 1.2.3.4 tcp dport 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "tcp"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "1.2.3.4"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "tcp"
+ }
+ },
+ {
+ "counter": null
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "1.2.3.4"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# ip protocol tcp counter tcp dport 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "tcp"
+ }
+ },
+ {
+ "counter": null
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# ether type ip tcp dport 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "ip"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
diff --git a/tests/py/inet/ip_tcp.t.json.output b/tests/py/inet/ip_tcp.t.json.output
new file mode 100644
index 0000000..acad8b1
--- /dev/null
+++ b/tests/py/inet/ip_tcp.t.json.output
@@ -0,0 +1,142 @@
+# ip protocol tcp tcp dport 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# ip protocol tcp ip saddr 1.2.3.4 tcp dport 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "1.2.3.4"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "counter": null
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "1.2.3.4"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# ip protocol tcp counter tcp dport 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "counter": null
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
diff --git a/tests/py/inet/ip_tcp.t.payload b/tests/py/inet/ip_tcp.t.payload
new file mode 100644
index 0000000..1e16f85
--- /dev/null
+++ b/tests/py/inet/ip_tcp.t.payload
@@ -0,0 +1,52 @@
+# ip protocol tcp tcp dport 22
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp ip saddr 1.2.3.4 tcp dport 22
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x04030201 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ counter pkts 0 bytes 0 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x04030201 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp counter tcp dport 22
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ counter pkts 0 bytes 0 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# ether type ip tcp dport 22
+inet test-inet input
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
diff --git a/tests/py/inet/ip_tcp.t.payload.bridge b/tests/py/inet/ip_tcp.t.payload.bridge
new file mode 100644
index 0000000..0344cd6
--- /dev/null
+++ b/tests/py/inet/ip_tcp.t.payload.bridge
@@ -0,0 +1,51 @@
+# ip protocol tcp tcp dport 22
+bridge test-bridge input
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp ip saddr 1.2.3.4 tcp dport 22
+bridge test-bridge input
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x04030201 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22
+bridge test-bridge input
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ counter pkts 0 bytes 0 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x04030201 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp counter tcp dport 22
+bridge test-bridge input
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ counter pkts 0 bytes 0 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# ether type ip tcp dport 22
+bridge test-bridge input
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
diff --git a/tests/py/inet/ip_tcp.t.payload.netdev b/tests/py/inet/ip_tcp.t.payload.netdev
new file mode 100644
index 0000000..915a787
--- /dev/null
+++ b/tests/py/inet/ip_tcp.t.payload.netdev
@@ -0,0 +1,53 @@
+# ip protocol tcp tcp dport 22
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp ip saddr 1.2.3.4 tcp dport 22
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x04030201 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ counter pkts 0 bytes 0 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x04030201 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# ip protocol tcp counter tcp dport 22
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ counter pkts 0 bytes 0 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# ether type ip tcp dport 22
+netdev test-netdev ingress
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
diff --git a/tests/py/inet/ipsec.t b/tests/py/inet/ipsec.t
new file mode 100644
index 0000000..b18df39
--- /dev/null
+++ b/tests/py/inet/ipsec.t
@@ -0,0 +1,23 @@
+:ipsec-forw;type filter hook forward priority 0
+
+*ip;ipsec-ip4;ipsec-forw
+*ip6;ipsec-ip6;ipsec-forw
+*inet;ipsec-inet;ipsec-forw
+
+ipsec in reqid 1;ok
+ipsec in spnum 0 reqid 1;ok;ipsec in reqid 1
+
+ipsec out reqid 0xffffffff;ok;ipsec out reqid 4294967295
+ipsec out spnum 0x100000000;fail
+
+ipsec i reqid 1;fail
+
+ipsec out spi 1-561;ok
+
+ipsec in spnum 2 ip saddr { 1.2.3.4, 10.6.0.0/16 };ok
+ipsec in ip6 daddr dead::beef;ok
+ipsec out ip6 saddr dead::feed;ok
+
+ipsec in spnum 256 reqid 1;fail
+
+counter ipsec out ip daddr 192.168.1.2;ok
diff --git a/tests/py/inet/ipsec.t.json b/tests/py/inet/ipsec.t.json
new file mode 100644
index 0000000..18a64f3
--- /dev/null
+++ b/tests/py/inet/ipsec.t.json
@@ -0,0 +1,157 @@
+# ipsec in reqid 1
+[
+ {
+ "match": {
+ "left": {
+ "ipsec": {
+ "dir": "in",
+ "key": "reqid",
+ "spnum": 0
+ }
+ },
+ "op": "==",
+ "right": 1
+ }
+ }
+]
+
+# ipsec in spnum 0 reqid 1
+[
+ {
+ "match": {
+ "left": {
+ "ipsec": {
+ "dir": "in",
+ "key": "reqid",
+ "spnum": 0
+ }
+ },
+ "op": "==",
+ "right": 1
+ }
+ }
+]
+
+# ipsec out reqid 0xffffffff
+[
+ {
+ "match": {
+ "left": {
+ "ipsec": {
+ "dir": "out",
+ "key": "reqid",
+ "spnum": 0
+ }
+ },
+ "op": "==",
+ "right": 4294967295
+ }
+ }
+]
+
+# ipsec out spi 1-561
+[
+ {
+ "match": {
+ "left": {
+ "ipsec": {
+ "dir": "out",
+ "key": "spi",
+ "spnum": 0
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [
+ 1,
+ 561
+ ]
+ }
+ }
+ }
+]
+
+# ipsec in spnum 2 ip saddr { 1.2.3.4, 10.6.0.0/16 }
+[
+ {
+ "match": {
+ "left": {
+ "ipsec": {
+ "dir": "in",
+ "family": "ip",
+ "key": "saddr",
+ "spnum": 2
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ "1.2.3.4",
+ {
+ "prefix": {
+ "addr": "10.6.0.0",
+ "len": 16
+ }
+ }
+ ]
+ }
+ }
+ }
+]
+
+# ipsec in ip6 daddr dead::beef
+[
+ {
+ "match": {
+ "left": {
+ "ipsec": {
+ "dir": "in",
+ "family": "ip6",
+ "key": "daddr",
+ "spnum": 0
+ }
+ },
+ "op": "==",
+ "right": "dead::beef"
+ }
+ }
+]
+
+# ipsec out ip6 saddr dead::feed
+[
+ {
+ "match": {
+ "left": {
+ "ipsec": {
+ "dir": "out",
+ "family": "ip6",
+ "key": "saddr",
+ "spnum": 0
+ }
+ },
+ "op": "==",
+ "right": "dead::feed"
+ }
+ }
+]
+
+# counter ipsec out ip daddr 192.168.1.2
+[
+ {
+ "counter": null
+ },
+ {
+ "match": {
+ "left": {
+ "ipsec": {
+ "dir": "out",
+ "family": "ip",
+ "key": "daddr",
+ "spnum": 0
+ }
+ },
+ "op": "==",
+ "right": "192.168.1.2"
+ }
+ }
+]
diff --git a/tests/py/inet/ipsec.t.payload b/tests/py/inet/ipsec.t.payload
new file mode 100644
index 0000000..9648255
--- /dev/null
+++ b/tests/py/inet/ipsec.t.payload
@@ -0,0 +1,45 @@
+# ipsec in reqid 1
+ip ipsec-ip4 ipsec-input
+ [ xfrm load in 0 reqid => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# ipsec in spnum 0 reqid 1
+ip ipsec-ip4 ipsec-input
+ [ xfrm load in 0 reqid => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# ipsec out reqid 0xffffffff
+ip ipsec-ip4 ipsec-input
+ [ xfrm load out 0 reqid => reg 1 ]
+ [ cmp eq reg 1 0xffffffff ]
+
+# ipsec out spi 1-561
+inet ipsec-inet ipsec-post
+ [ xfrm load out 0 spi => reg 1 ]
+ [ cmp gte reg 1 0x01000000 ]
+ [ cmp lte reg 1 0x31020000 ]
+
+# ipsec in spnum 2 ip saddr { 1.2.3.4, 10.6.0.0/16 }
+__set%d ipsec-ip4 7 size 5
+__set%d ipsec-ip4 0
+ element 00000000 : 1 [end] element 04030201 : 0 [end] element 05030201 : 1 [end] element 0000060a : 0 [end] element 0000070a : 1 [end]
+ip ipsec-ip4 ipsec-input
+ [ xfrm load in 2 saddr4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ipsec in ip6 daddr dead::beef
+ip ipsec-ip4 ipsec-forw
+ [ xfrm load in 0 daddr6 => reg 1 ]
+ [ cmp eq reg 1 0x0000adde 0x00000000 0x00000000 0xefbe0000 ]
+
+# ipsec out ip6 saddr dead::feed
+ip ipsec-ip4 ipsec-forw
+ [ xfrm load out 0 saddr6 => reg 1 ]
+ [ cmp eq reg 1 0x0000adde 0x00000000 0x00000000 0xedfe0000 ]
+
+# counter ipsec out ip daddr 192.168.1.2
+ip ipsec-ip4 ipsec-forw
+ [ counter pkts 0 bytes 0 ]
+ [ xfrm load out 0 daddr4 => reg 1 ]
+ [ cmp eq reg 1 0x0201a8c0 ]
+
diff --git a/tests/py/inet/map.t b/tests/py/inet/map.t
new file mode 100644
index 0000000..5a7161b
--- /dev/null
+++ b/tests/py/inet/map.t
@@ -0,0 +1,10 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017};ok;meta mark set ip saddr map { 10.2.3.1 : 0x00000017, 10.2.3.2 : 0x0000002a}
+mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001};ok;meta mark set ip hdrlength map { 4 : 0x00000001, 5 : 0x00000017}
diff --git a/tests/py/inet/map.t.json b/tests/py/inet/map.t.json
new file mode 100644
index 0000000..1cb28e0
--- /dev/null
+++ b/tests/py/inet/map.t.json
@@ -0,0 +1,66 @@
+# mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017}
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": { "key": "mark" }
+ },
+ "value": {
+ "map": {
+ "key": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ "10.2.3.2",
+ "0x0000002a"
+ ],
+ [
+ "10.2.3.1",
+ "0x00000017"
+ ]
+ ]
+ }
+ }
+ }
+ }
+ }
+]
+
+# mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001}
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": { "key": "mark" }
+ },
+ "value": {
+ "map": {
+ "key": {
+ "payload": {
+ "field": "hdrlength",
+ "protocol": "ip"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ 5,
+ "0x00000017"
+ ],
+ [
+ 4,
+ "0x00000001"
+ ]
+ ]
+ }
+ }
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/map.t.json.output b/tests/py/inet/map.t.json.output
new file mode 100644
index 0000000..b0bb7dd
--- /dev/null
+++ b/tests/py/inet/map.t.json.output
@@ -0,0 +1,66 @@
+# mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017}
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": { "key": "mark" }
+ },
+ "value": {
+ "map": {
+ "key": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ "10.2.3.1",
+ 23
+ ],
+ [
+ "10.2.3.2",
+ 42
+ ]
+ ]
+ }
+ }
+ }
+ }
+ }
+]
+
+# mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001}
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": { "key": "mark" }
+ },
+ "value": {
+ "map": {
+ "key": {
+ "payload": {
+ "field": "hdrlength",
+ "protocol": "ip"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ 4,
+ 1
+ ],
+ [
+ 5,
+ 23
+ ]
+ ]
+ }
+ }
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/map.t.payload b/tests/py/inet/map.t.payload
new file mode 100644
index 0000000..50344ad
--- /dev/null
+++ b/tests/py/inet/map.t.payload
@@ -0,0 +1,23 @@
+# mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017}
+__map%d test-inet b
+__map%d test-inet 0
+ element 0203020a : 0000002a 0 [end] element 0103020a : 00000017 0 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ meta set mark with reg 1 ]
+
+# mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001}
+__map%d test-inet b
+__map%d test-inet 0
+ element 00000005 : 00000017 0 [end] element 00000004 : 00000001 0 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 0 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ meta set mark with reg 1 ]
+
diff --git a/tests/py/inet/map.t.payload.ip b/tests/py/inet/map.t.payload.ip
new file mode 100644
index 0000000..3e45667
--- /dev/null
+++ b/tests/py/inet/map.t.payload.ip
@@ -0,0 +1,19 @@
+# mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017}
+__map%d test-ip4 b
+__map%d test-ip4 0
+ element 0203020a : 0000002a 0 [end] element 0103020a : 00000017 0 [end]
+ip test-ip4 input
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ meta set mark with reg 1 ]
+
+# mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001}
+__map%d test-ip4 b
+__map%d test-ip4 0
+ element 00000005 : 00000017 0 [end] element 00000004 : 00000001 0 [end]
+ip test-ip4 input
+ [ payload load 1b @ network header + 0 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ meta set mark with reg 1 ]
+
diff --git a/tests/py/inet/map.t.payload.netdev b/tests/py/inet/map.t.payload.netdev
new file mode 100644
index 0000000..2e60f09
--- /dev/null
+++ b/tests/py/inet/map.t.payload.netdev
@@ -0,0 +1,23 @@
+# mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017}
+__map%d test-netdev b
+__map%d test-netdev 0
+ element 0203020a : 0000002a 0 [end] element 0103020a : 00000017 0 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ meta set mark with reg 1 ]
+
+# mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001}
+__map%d test-netdev b
+__map%d test-netdev 0
+ element 00000005 : 00000017 0 [end] element 00000004 : 00000001 0 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 1b @ network header + 0 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ meta set mark with reg 1 ]
+
diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t
new file mode 100644
index 0000000..5c062b3
--- /dev/null
+++ b/tests/py/inet/meta.t
@@ -0,0 +1,32 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+
+*inet;test-inet;input
+
+meta nfproto ipv4;ok
+meta nfproto ipv6;ok
+meta nfproto {ipv4, ipv6};ok
+meta nfproto != {ipv4, ipv6};ok
+meta nfproto ipv6 tcp dport 22;ok
+meta nfproto ipv4 tcp dport 22;ok
+meta nfproto ipv4 ip saddr 1.2.3.4;ok;ip saddr 1.2.3.4
+meta nfproto ipv6 meta l4proto tcp;ok;meta nfproto ipv6 meta l4proto 6
+meta nfproto ipv4 counter ip saddr 1.2.3.4;ok
+
+meta protocol ip udp dport 67;ok
+meta protocol ip6 udp dport 67;ok
+
+meta ipsec exists;ok
+meta secpath missing;ok;meta ipsec missing
+meta ibrname "br0";fail
+meta obrname "br0";fail
+meta mark set ct mark >> 8;ok
+
+meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok
+ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 };ok
+ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 };ok
+
+meta mark set ip dscp;ok
+meta mark set ip dscp | 0x40;ok
+meta mark set ip6 dscp;ok
+meta mark set ip6 dscp | 0x40;ok
diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json
new file mode 100644
index 0000000..3ba0fd1
--- /dev/null
+++ b/tests/py/inet/meta.t.json
@@ -0,0 +1,528 @@
+# meta nfproto ipv4
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "nfproto" }
+ },
+ "op": "==",
+ "right": "ipv4"
+ }
+ }
+]
+
+# meta nfproto ipv6
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "nfproto" }
+ },
+ "op": "==",
+ "right": "ipv6"
+ }
+ }
+]
+
+# meta nfproto {ipv4, ipv6}
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "nfproto" }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ "ipv4",
+ "ipv6"
+ ]
+ }
+ }
+ }
+]
+
+# meta nfproto != {ipv4, ipv6}
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "nfproto" }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ "ipv4",
+ "ipv6"
+ ]
+ }
+ }
+ }
+]
+
+# meta nfproto ipv6 tcp dport 22
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "nfproto" }
+ },
+ "op": "==",
+ "right": "ipv6"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# meta nfproto ipv4 tcp dport 22
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "nfproto" }
+ },
+ "op": "==",
+ "right": "ipv4"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# meta nfproto ipv4 ip saddr 1.2.3.4
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "nfproto" }
+ },
+ "op": "==",
+ "right": "ipv4"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "1.2.3.4"
+ }
+ }
+]
+
+# meta nfproto ipv6 meta l4proto tcp
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "nfproto" }
+ },
+ "op": "==",
+ "right": "ipv6"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "l4proto" }
+ },
+ "op": "==",
+ "right": "tcp"
+ }
+ }
+]
+
+# meta nfproto ipv4 counter ip saddr 1.2.3.4
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "nfproto" }
+ },
+ "op": "==",
+ "right": "ipv4"
+ }
+ },
+ {
+ "counter": null
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "1.2.3.4"
+ }
+ }
+]
+
+# meta ipsec exists
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "ipsec"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# meta secpath missing
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "secpath" }
+ },
+ "op": "==",
+ "right": false
+ }
+ }
+]
+
+# meta mark set ct mark >> 8
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ ">>": [
+ {
+ "ct": {
+ "key": "mark"
+ }
+ },
+ 8
+ ]
+ }
+ }
+ }
+]
+
+# meta protocol ip udp dport 67
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "protocol"
+ }
+ },
+ "op": "==",
+ "right": "ip"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 67
+ }
+ }
+]
+
+# meta protocol ip6 udp dport 67
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "protocol"
+ }
+ },
+ "op": "==",
+ "right": "ip6"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 67
+ }
+ }
+]
+
+# meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 }
+[
+ {
+ "match": {
+ "left": {
+ "concat": [
+ {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ }
+ ]
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "concat": [
+ {
+ "range": [
+ 10,
+ 20
+ ]
+ },
+ {
+ "range": [
+ 80,
+ 90
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "range": [
+ 1048576,
+ 1048867
+ ]
+ },
+ {
+ "range": [
+ 100,
+ 120
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+]
+
+# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 }
+[
+ {
+ "match": {
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ {
+ "meta": {
+ "key": "mark"
+ }
+ }
+ ]
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "concat": [
+ "1.2.3.4",
+ 256
+ ]
+ },
+ {
+ "concat": [
+ {
+ "range": [
+ "1.2.3.6",
+ "1.2.3.8"
+ ]
+ },
+ {
+ "range": [
+ 512,
+ 768
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+]
+
+# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 }
+[
+ {
+ "match": {
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ {
+ "meta": {
+ "key": "mark"
+ }
+ }
+ ]
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "concat": [
+ "1.2.3.4",
+ 256
+ ]
+ },
+ {
+ "concat": [
+ "5.6.7.8",
+ 512
+ ]
+ }
+ ]
+ }
+ }
+ }
+]
+
+# meta mark set ip dscp
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip"
+ }
+ }
+ }
+ }
+]
+
+# meta mark set ip dscp | 0x40
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "|": [
+ {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip"
+ }
+ },
+ 64
+ ]
+ }
+ }
+ }
+]
+
+# meta mark set ip6 dscp
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip6"
+ }
+ }
+ }
+ }
+]
+
+# meta mark set ip6 dscp | 0x40
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "|": [
+ {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip6"
+ }
+ },
+ 64
+ ]
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/meta.t.json.got b/tests/py/inet/meta.t.json.got
new file mode 100644
index 0000000..f2fad0b
--- /dev/null
+++ b/tests/py/inet/meta.t.json.got
@@ -0,0 +1,86 @@
+# meta mark set ip dscp
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip"
+ }
+ }
+ }
+ }
+]
+
+# meta mark set ip dscp | 0x40
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "|": [
+ {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip"
+ }
+ },
+ 64
+ ]
+ }
+ }
+ }
+]
+
+# meta mark set ip6 dscp
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip6"
+ }
+ }
+ }
+ }
+]
+
+# meta mark set ip6 dscp | 0x40
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "|": [
+ {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip6"
+ }
+ },
+ 64
+ ]
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/meta.t.json.output b/tests/py/inet/meta.t.json.output
new file mode 100644
index 0000000..3e7dd21
--- /dev/null
+++ b/tests/py/inet/meta.t.json.output
@@ -0,0 +1,53 @@
+# meta nfproto ipv4 ip saddr 1.2.3.4
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "1.2.3.4"
+ }
+ }
+]
+
+# meta nfproto ipv6 meta l4proto tcp
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "nfproto" }
+ },
+ "op": "==",
+ "right": "ipv6"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "l4proto" }
+ },
+ "op": "==",
+ "right": 6
+ }
+ }
+]
+
+# meta secpath missing
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "ipsec"
+ }
+ },
+ "op": "==",
+ "right": false
+ }
+ }
+]
+
diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload
new file mode 100644
index 0000000..c53b507
--- /dev/null
+++ b/tests/py/inet/meta.t.payload
@@ -0,0 +1,175 @@
+# meta nfproto ipv4
+ip test-ip4 input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+
+# meta nfproto ipv6
+ip test-ip4 input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+
+# meta nfproto {ipv4, ipv6}
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000002 : 0 [end] element 0000000a : 0 [end]
+ip test-ip4 input
+ [ meta load nfproto => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# meta nfproto != {ipv4, ipv6}
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00000002 : 0 [end] element 0000000a : 0 [end]
+ip test-ip4 input
+ [ meta load nfproto => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# meta nfproto ipv6 tcp dport 22
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# meta nfproto ipv4 tcp dport 22
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# meta nfproto ipv4 ip saddr 1.2.3.4
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x04030201 ]
+
+# meta nfproto ipv6 meta l4proto tcp
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+
+# meta nfproto ipv4 counter ip saddr 1.2.3.4
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ counter pkts 0 bytes 0 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x04030201 ]
+
+# meta ipsec exists
+inet test-inet input
+ [ meta load secpath => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# meta secpath missing
+inet test-inet input
+ [ meta load secpath => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# meta mark set ct mark >> 8
+inet test-inet input
+ [ ct load mark => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000008 ) ]
+ [ meta set mark with reg 1 ]
+
+# meta protocol ip udp dport 67
+inet test-inet input
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00004300 ]
+
+# meta protocol ip6 udp dport 67
+inet test-inet input
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00004300 ]
+
+# meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 }
+__set%d test-inet 87 size 1
+__set%d test-inet 0
+ element 0a000000 00005000 - 14000000 00005a00 : 0 [end] element 00001000 00006400 - 23011000 00007800 : 0 [end]
+ip test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ meta load mark => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ payload load 2b @ transport header + 2 => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 }
+__set%d test-inet 87 size 2
+__set%d test-inet 0
+ element 04030201 00010000 - 04030201 00010000 : 0 [end] element 06030201 00020000 - 08030201 00030000 : 0 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ meta load mark => reg 9 ]
+ [ byteorder reg 9 = hton(reg 9, 4, 4) ]
+ [ lookup reg 1 set __set%d ]
+
+# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 }
+__set%d test-inet 3 size 2
+__set%d test-inet 0
+ element 04030201 00000100 : 0 [end] element 08070605 00000200 : 0 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ meta load mark => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+
+# meta mark set ip dscp
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 1 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+ [ meta set mark with reg 1 ]
+
+# meta mark set ip dscp | 0x40
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 1 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
+ [ meta set mark with reg 1 ]
+
+# meta mark set ip6 dscp
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 2b @ network header + 0 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+ [ meta set mark with reg 1 ]
+
+# meta mark set ip6 dscp | 0x40
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 2b @ network header + 0 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
+ [ meta set mark with reg 1 ]
+
diff --git a/tests/py/inet/meta.t.payload.got b/tests/py/inet/meta.t.payload.got
new file mode 100644
index 0000000..be3f566
--- /dev/null
+++ b/tests/py/inet/meta.t.payload.got
@@ -0,0 +1,40 @@
+# meta mark set ip dscp
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 1 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+ [ meta set mark with reg 1 ]
+
+# meta mark set ip dscp | 0x40
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 1 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
+ [ meta set mark with reg 1 ]
+
+# meta mark set ip6 dscp
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 2b @ network header + 0 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+ [ meta set mark with reg 1 ]
+
+# meta mark set ip6 dscp | 0x40
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 2b @ network header + 0 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
+ [ meta set mark with reg 1 ]
+
diff --git a/tests/py/inet/osf.t b/tests/py/inet/osf.t
new file mode 100644
index 0000000..c828541
--- /dev/null
+++ b/tests/py/inet/osf.t
@@ -0,0 +1,18 @@
+:osfchain;type filter hook input priority 0
+
+*ip;osfip;osfchain
+*ip6;osfip6;osfchain
+*inet;osfinet;osfchain
+
+osf name "Linux";ok
+osf ttl loose name "Linux";ok
+osf ttl skip name "Linux";ok
+osf ttl skip version "Linux:3.0";ok
+osf ttl skip version "morethan:sixteenbytes";fail
+osf ttl nottl name "Linux";fail
+osf name "morethansixteenbytes";fail
+osf name ;fail
+osf name { "Windows", "MacOs" };ok
+osf version { "Windows:XP", "MacOs:Sierra" };ok
+ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 };ok
+ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 };ok
diff --git a/tests/py/inet/osf.t.json b/tests/py/inet/osf.t.json
new file mode 100644
index 0000000..cedb7f6
--- /dev/null
+++ b/tests/py/inet/osf.t.json
@@ -0,0 +1,170 @@
+# osf name "Linux"
+[
+ {
+ "match": {
+ "left": {
+ "osf": {
+ "key": "name"
+ }
+ },
+ "op": "==",
+ "right": "Linux"
+ }
+ }
+]
+
+# osf ttl loose name "Linux"
+[
+ {
+ "match": {
+ "left": {
+ "osf": {
+ "key": "name",
+ "ttl": "loose"
+ }
+ },
+ "op": "==",
+ "right": "Linux"
+ }
+ }
+]
+
+# osf ttl skip name "Linux"
+[
+ {
+ "match": {
+ "left": {
+ "osf": {
+ "key": "name",
+ "ttl": "skip"
+ }
+ },
+ "op": "==",
+ "right": "Linux"
+ }
+ }
+]
+
+# osf ttl skip version "Linux:3.0"
+[
+ {
+ "match": {
+ "left": {
+ "osf": {
+ "key": "version",
+ "ttl": "skip"
+ }
+ },
+ "op": "==",
+ "right": "Linux:3.0"
+ }
+ }
+]
+
+# osf name { "Windows", "MacOs" }
+[
+ {
+ "match": {
+ "left": {
+ "osf": {
+ "key": "name"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ "MacOs",
+ "Windows"
+ ]
+ }
+ }
+ }
+]
+
+# osf version { "Windows:XP", "MacOs:Sierra" }
+[
+ {
+ "match": {
+ "left": {
+ "osf": {
+ "key": "version"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ "Windows:XP",
+ "MacOs:Sierra"
+ ]
+ }
+ }
+ }
+]
+
+# ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 }
+[
+ {
+ "mangle": {
+ "key": {
+ "ct": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "map": {
+ "data": {
+ "set": [
+ [
+ "MacOs",
+ 2
+ ],
+ [
+ "Windows",
+ 1
+ ]
+ ]
+ },
+ "key": {
+ "osf": {
+ "key": "name"
+ }
+ }
+ }
+ }
+ }
+ }
+]
+
+# ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 }
+[
+ {
+ "mangle": {
+ "key": {
+ "ct": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "map": {
+ "data": {
+ "set": [
+ [
+ "Windows:XP",
+ 3
+ ],
+ [
+ "MacOs:Sierra",
+ 4
+ ]
+ ]
+ },
+ "key": {
+ "osf": {
+ "key": "version"
+ }
+ }
+ }
+ }
+ }
+ }
+]
diff --git a/tests/py/inet/osf.t.payload b/tests/py/inet/osf.t.payload
new file mode 100644
index 0000000..6ddab97
--- /dev/null
+++ b/tests/py/inet/osf.t.payload
@@ -0,0 +1,53 @@
+# osf name "Linux"
+inet osfinet osfchain
+ [ osf dreg 1 ]
+ [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ]
+
+# osf ttl loose name "Linux"
+inet osfinet osfchain
+ [ osf dreg 1 ]
+ [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ]
+
+# osf ttl skip name "Linux"
+inet osfinet osfchain
+ [ osf dreg 1 ]
+ [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ]
+
+# osf ttl skip version "Linux:3.0"
+inet osfinet osfchain
+ [ osf dreg 1 ]
+ [ cmp eq reg 1 0x756e694c 0x2e333a78 0x00000030 0x00000000 ]
+
+# osf name { "Windows", "MacOs" }
+__set%d osfinet 3 size 2
+__set%d osfinet 0
+ element 646e6957 0073776f 00000000 00000000 : 0 [end] element 4f63614d 00000073 00000000 00000000 : 0 [end]
+inet osfinet osfchain
+ [ osf dreg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# osf version { "Windows:XP", "MacOs:Sierra" }
+__set%d osfinet 3 size 2
+__set%d osfinet 0
+ element 646e6957 3a73776f 00005058 00000000 : 0 [end] element 4f63614d 69533a73 61727265 00000000 : 0 [end]
+inet osfinet osfchain
+ [ osf dreg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 }
+__map%d osfinet b size 2
+__map%d osfinet 0
+ element 646e6957 0073776f 00000000 00000000 : 00000001 0 [end] element 4f63614d 00000073 00000000 00000000 : 00000002 0 [end]
+inet osfinet osfchain
+ [ osf dreg 1 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ ct set mark with reg 1 ]
+
+# ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 }
+__map%d osfinet b size 2
+__map%d osfinet 0
+ element 646e6957 3a73776f 00005058 00000000 : 00000003 0 [end] element 4f63614d 69533a73 61727265 00000000 : 00000004 0 [end]
+inet osfinet osfchain
+ [ osf dreg 1 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ ct set mark with reg 1 ]
diff --git a/tests/py/inet/reject.t b/tests/py/inet/reject.t
new file mode 100644
index 0000000..61a6d55
--- /dev/null
+++ b/tests/py/inet/reject.t
@@ -0,0 +1,41 @@
+:input;type filter hook input priority 0
+
+*inet;test-inet;input
+
+reject with icmp host-unreachable;ok
+reject with icmp net-unreachable;ok
+reject with icmp prot-unreachable;ok
+reject with icmp port-unreachable;ok
+reject with icmp net-prohibited;ok
+reject with icmp host-prohibited;ok
+reject with icmp admin-prohibited;ok
+
+reject with icmpv6 no-route;ok
+reject with icmpv6 admin-prohibited;ok
+reject with icmpv6 addr-unreachable;ok
+reject with icmpv6 port-unreachable;ok
+
+mark 12345 reject with tcp reset;ok;meta l4proto 6 meta mark 0x00003039 reject with tcp reset
+
+reject;ok
+meta nfproto ipv4 reject;ok;reject with icmp port-unreachable
+meta nfproto ipv6 reject;ok;reject with icmpv6 port-unreachable
+
+reject with icmpx host-unreachable;ok
+reject with icmpx no-route;ok
+reject with icmpx admin-prohibited;ok
+reject with icmpx port-unreachable;ok;reject
+reject with icmpx 3;ok;reject with icmpx admin-prohibited
+
+meta nfproto ipv4 reject with icmp host-unreachable;ok;reject with icmp host-unreachable
+meta nfproto ipv6 reject with icmpv6 no-route;ok;reject with icmpv6 no-route
+
+meta nfproto ipv6 reject with icmp host-unreachable;fail
+meta nfproto ipv4 ip protocol icmp reject with icmpv6 no-route;fail
+meta nfproto ipv6 ip protocol icmp reject with icmp host-unreachable;fail
+meta l4proto udp reject with tcp reset;fail
+
+meta nfproto ipv4 reject with icmpx admin-prohibited;ok
+meta nfproto ipv6 reject with icmpx admin-prohibited;ok
+
+ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject;ok;ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject with icmp port-unreachable
diff --git a/tests/py/inet/reject.t.json b/tests/py/inet/reject.t.json
new file mode 100644
index 0000000..02ac900
--- /dev/null
+++ b/tests/py/inet/reject.t.json
@@ -0,0 +1,331 @@
+# reject with icmp host-unreachable
+[
+ {
+ "reject": {
+ "expr": "host-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp net-unreachable
+[
+ {
+ "reject": {
+ "expr": "net-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp prot-unreachable
+[
+ {
+ "reject": {
+ "expr": "prot-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp port-unreachable
+[
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp net-prohibited
+[
+ {
+ "reject": {
+ "expr": "net-prohibited",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp host-prohibited
+[
+ {
+ "reject": {
+ "expr": "host-prohibited",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmp admin-prohibited
+[
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmp"
+ }
+ }
+]
+
+# reject with icmpv6 no-route
+[
+ {
+ "reject": {
+ "expr": "no-route",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 admin-prohibited
+[
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 addr-unreachable
+[
+ {
+ "reject": {
+ "expr": "addr-unreachable",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# reject with icmpv6 port-unreachable
+[
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# mark 12345 reject with tcp reset
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "mark" }
+ },
+ "op": "==",
+ "right": 12345
+ }
+ },
+ {
+ "reject": {
+ "type": "tcp reset"
+ }
+ }
+]
+
+# reject
+[
+ {
+ "reject": null
+ }
+]
+
+# meta nfproto ipv4 reject
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "nfproto" }
+ },
+ "op": "==",
+ "right": "ipv4"
+ }
+ },
+ {
+ "reject": null
+ }
+]
+
+# meta nfproto ipv6 reject
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "nfproto" }
+ },
+ "op": "==",
+ "right": "ipv6"
+ }
+ },
+ {
+ "reject": null
+ }
+]
+
+# reject with icmpx host-unreachable
+[
+ {
+ "reject": {
+ "expr": "host-unreachable",
+ "type": "icmpx"
+ }
+ }
+]
+
+# reject with icmpx no-route
+[
+ {
+ "reject": {
+ "expr": "no-route",
+ "type": "icmpx"
+ }
+ }
+]
+
+# reject with icmpx admin-prohibited
+[
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmpx"
+ }
+ }
+]
+
+# reject with icmpx port-unreachable
+[
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmpx"
+ }
+ }
+]
+
+# reject with icmpx 3
+[
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmpx"
+ }
+ }
+]
+
+# meta nfproto ipv4 reject with icmp host-unreachable
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "nfproto" }
+ },
+ "op": "==",
+ "right": "ipv4"
+ }
+ },
+ {
+ "reject": {
+ "expr": "host-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# meta nfproto ipv6 reject with icmpv6 no-route
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "nfproto" }
+ },
+ "op": "==",
+ "right": "ipv6"
+ }
+ },
+ {
+ "reject": {
+ "expr": "no-route",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# meta nfproto ipv4 reject with icmpx admin-prohibited
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "nfproto"
+ }
+ },
+ "op": "==",
+ "right": "ipv4"
+ }
+ },
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmpx"
+ }
+ }
+]
+
+# meta nfproto ipv6 reject with icmpx admin-prohibited
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "nfproto"
+ }
+ },
+ "op": "==",
+ "right": "ipv6"
+ }
+ },
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmpx"
+ }
+ }
+]
+
+# ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "aa:bb:cc:dd:ee:ff"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "192.168.0.1"
+ }
+ },
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
diff --git a/tests/py/inet/reject.t.json.output b/tests/py/inet/reject.t.json.output
new file mode 100644
index 0000000..496ce55
--- /dev/null
+++ b/tests/py/inet/reject.t.json.output
@@ -0,0 +1,77 @@
+# mark 12345 reject with tcp reset
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "l4proto" }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "mark" }
+ },
+ "op": "==",
+ "right": 12345
+ }
+ },
+ {
+ "reject": {
+ "type": "tcp reset"
+ }
+ }
+]
+
+# reject
+[
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmpx"
+ }
+ }
+]
+
+# meta nfproto ipv4 reject
+[
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# meta nfproto ipv6 reject
+[
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmpv6"
+ }
+ }
+]
+
+# meta nfproto ipv4 reject with icmp host-unreachable
+[
+ {
+ "reject": {
+ "expr": "host-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
+# meta nfproto ipv6 reject with icmpv6 no-route
+[
+ {
+ "reject": {
+ "expr": "no-route",
+ "type": "icmpv6"
+ }
+ }
+]
+
diff --git a/tests/py/inet/reject.t.payload.inet b/tests/py/inet/reject.t.payload.inet
new file mode 100644
index 0000000..828cb83
--- /dev/null
+++ b/tests/py/inet/reject.t.payload.inet
@@ -0,0 +1,144 @@
+# reject with icmp host-unreachable
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ reject type 0 code 1 ]
+
+# reject with icmp net-unreachable
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ reject type 0 code 0 ]
+
+# reject with icmp prot-unreachable
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ reject type 0 code 2 ]
+
+# reject with icmp port-unreachable
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ reject type 0 code 3 ]
+
+# reject with icmp net-prohibited
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ reject type 0 code 9 ]
+
+# reject with icmp host-prohibited
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ reject type 0 code 10 ]
+
+# reject with icmp admin-prohibited
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ reject type 0 code 13 ]
+
+# reject with icmpv6 no-route
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ reject type 0 code 0 ]
+
+# reject with icmpv6 admin-prohibited
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ reject type 0 code 1 ]
+
+# reject with icmpv6 addr-unreachable
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ reject type 0 code 3 ]
+
+# reject with icmpv6 port-unreachable
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ reject type 0 code 4 ]
+
+# mark 12345 reject with tcp reset
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ meta load mark => reg 1 ]
+ [ cmp eq reg 1 0x00003039 ]
+ [ reject type 1 code 0 ]
+
+# reject
+inet test-inet input
+ [ reject type 2 code 1 ]
+
+# meta nfproto ipv4 reject
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ reject type 0 code 3 ]
+
+# meta nfproto ipv6 reject
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ reject type 0 code 4 ]
+
+# reject with icmpx host-unreachable
+inet test-inet input
+ [ reject type 2 code 2 ]
+
+# reject with icmpx no-route
+inet test-inet input
+ [ reject type 2 code 0 ]
+
+# reject with icmpx admin-prohibited
+inet test-inet input
+ [ reject type 2 code 3 ]
+
+# reject with icmpx port-unreachable
+inet test-inet input
+ [ reject type 2 code 1 ]
+
+# reject with icmpx 3
+inet test-inet input
+ [ reject type 2 code 3 ]
+
+# meta nfproto ipv4 reject with icmp host-unreachable
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ reject type 0 code 1 ]
+
+# meta nfproto ipv6 reject with icmpv6 no-route
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ reject type 0 code 0 ]
+
+# meta nfproto ipv4 reject with icmpx admin-prohibited
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ reject type 2 code 3 ]
+
+# meta nfproto ipv6 reject with icmpx admin-prohibited
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ reject type 2 code 3 ]
+
+# ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
+inet test-inet input
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 8b @ link header + 6 => reg 1 ]
+ [ cmp eq reg 1 0xddccbbaa 0x0008ffee ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x0100a8c0 ]
+ [ reject type 0 code 3 ]
+
diff --git a/tests/py/inet/rt.t b/tests/py/inet/rt.t
new file mode 100644
index 0000000..a0e0d00
--- /dev/null
+++ b/tests/py/inet/rt.t
@@ -0,0 +1,15 @@
+:output;type filter hook output priority 0
+
+*inet;test-inet;output
+
+meta nfproto ipv4 rt nexthop 192.168.0.1;ok;meta nfproto ipv4 rt ip nexthop 192.168.0.1
+rt ip6 nexthop fd00::1;ok
+
+# missing context
+rt nexthop 192.168.0.1;fail
+rt nexthop fd00::1;fail
+
+# wrong context
+rt ip nexthop fd00::1;fail
+
+tcp option maxseg size set rt mtu;ok
diff --git a/tests/py/inet/rt.t.json b/tests/py/inet/rt.t.json
new file mode 100644
index 0000000..6dbea41
--- /dev/null
+++ b/tests/py/inet/rt.t.json
@@ -0,0 +1,59 @@
+# meta nfproto ipv4 rt nexthop 192.168.0.1
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "nfproto" }
+ },
+ "op": "==",
+ "right": "ipv4"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "rt": {
+ "key": "nexthop"
+ }
+ },
+ "op": "==",
+ "right": "192.168.0.1"
+ }
+ }
+]
+
+# rt ip6 nexthop fd00::1
+[
+ {
+ "match": {
+ "left": {
+ "rt": {
+ "family": "ip6",
+ "key": "nexthop"
+ }
+ },
+ "op": "==",
+ "right": "fd00::1"
+ }
+ }
+]
+
+# tcp option maxseg size set rt mtu
+[
+ {
+ "mangle": {
+ "key": {
+ "tcp option": {
+ "field": "size",
+ "name": "maxseg"
+ }
+ },
+ "value": {
+ "rt": {
+ "key": "mtu"
+ }
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/rt.t.json.output b/tests/py/inet/rt.t.json.output
new file mode 100644
index 0000000..382ef87
--- /dev/null
+++ b/tests/py/inet/rt.t.json.output
@@ -0,0 +1,25 @@
+# meta nfproto ipv4 rt nexthop 192.168.0.1
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "nfproto" }
+ },
+ "op": "==",
+ "right": "ipv4"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "rt": {
+ "family": "ip",
+ "key": "nexthop"
+ }
+ },
+ "op": "==",
+ "right": "192.168.0.1"
+ }
+ }
+]
+
diff --git a/tests/py/inet/rt.t.payload b/tests/py/inet/rt.t.payload
new file mode 100644
index 0000000..84dea12
--- /dev/null
+++ b/tests/py/inet/rt.t.payload
@@ -0,0 +1,18 @@
+# meta nfproto ipv4 rt nexthop 192.168.0.1
+inet test-inet output
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ rt load nexthop4 => reg 1 ]
+ [ cmp eq reg 1 0x0100a8c0 ]
+
+# rt ip6 nexthop fd00::1
+inet test-inet output
+ [ rt load nexthop6 => reg 1 ]
+ [ cmp eq reg 1 0x000000fd 0x00000000 0x00000000 0x01000000 ]
+
+# tcp option maxseg size set rt mtu
+inet test-inet output
+ [ rt load tcpmss => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 2, 2) ]
+ [ exthdr write tcpopt reg 1 => 2b @ 2 + 2 ]
+
diff --git a/tests/py/inet/sctp.t b/tests/py/inet/sctp.t
new file mode 100644
index 0000000..016173b
--- /dev/null
+++ b/tests/py/inet/sctp.t
@@ -0,0 +1,73 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+sctp sport 23;ok
+sctp sport != 23;ok
+sctp sport 23-44;ok
+sctp sport != 23-44;ok
+sctp sport { 23, 24, 25};ok
+sctp sport != { 23, 24, 25};ok
+
+sctp dport 23;ok
+sctp dport != 23;ok
+sctp dport 23-44;ok
+sctp dport != 23-44;ok
+sctp dport { 23, 24, 25};ok
+sctp dport != { 23, 24, 25};ok
+
+sctp checksum 1111;ok
+sctp checksum != 11;ok
+sctp checksum 21-333;ok
+sctp checksum != 32-111;ok
+sctp checksum { 22, 33, 44};ok
+sctp checksum != { 22, 33, 44};ok
+
+sctp vtag 22;ok
+sctp vtag != 233;ok
+sctp vtag 33-45;ok
+sctp vtag != 33-45;ok
+sctp vtag {33, 55, 67, 88};ok
+sctp vtag != {33, 55, 67, 88};ok
+
+# assert all chunk types are recognized
+sctp chunk data exists;ok
+sctp chunk init exists;ok
+sctp chunk init-ack exists;ok
+sctp chunk sack exists;ok
+sctp chunk heartbeat exists;ok
+sctp chunk heartbeat-ack exists;ok
+sctp chunk abort exists;ok
+sctp chunk shutdown exists;ok
+sctp chunk shutdown-ack exists;ok
+sctp chunk error exists;ok
+sctp chunk cookie-echo exists;ok
+sctp chunk cookie-ack exists;ok
+sctp chunk ecne exists;ok
+sctp chunk cwr exists;ok
+sctp chunk shutdown-complete exists;ok
+sctp chunk asconf-ack exists;ok
+sctp chunk forward-tsn exists;ok
+sctp chunk asconf exists;ok
+
+# test common header fields in random chunk types
+sctp chunk data type 0;ok
+sctp chunk init flags 23;ok
+sctp chunk init-ack length 42;ok
+
+# test one custom field in every applicable chunk type
+sctp chunk data stream 1337;ok
+sctp chunk init initial-tsn 5;ok
+sctp chunk init-ack num-outbound-streams 3;ok
+sctp chunk sack a-rwnd 1;ok
+sctp chunk shutdown cum-tsn-ack 65535;ok
+sctp chunk ecne lowest-tsn 5;ok
+sctp chunk cwr lowest-tsn 8;ok
+sctp chunk asconf-ack seqno 12345;ok
+sctp chunk forward-tsn new-cum-tsn 31337;ok
+sctp chunk asconf seqno 12345;ok
diff --git a/tests/py/inet/sctp.t.json b/tests/py/inet/sctp.t.json
new file mode 100644
index 0000000..75a9b01
--- /dev/null
+++ b/tests/py/inet/sctp.t.json
@@ -0,0 +1,928 @@
+# sctp sport 23
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "sctp"
+ }
+ },
+ "op": "==",
+ "right": 23
+ }
+ }
+]
+
+# sctp sport != 23
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "sctp"
+ }
+ },
+ "op": "!=",
+ "right": 23
+ }
+ }
+]
+
+# sctp sport 23-44
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "sctp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 23, 44 ]
+ }
+ }
+ }
+]
+
+# sctp sport != 23-44
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "sctp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 23, 44 ]
+ }
+ }
+ }
+]
+
+# sctp sport { 23, 24, 25}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "sctp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 23,
+ 24,
+ 25
+ ]
+ }
+ }
+ }
+]
+
+# sctp sport != { 23, 24, 25}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "sctp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 23,
+ 24,
+ 25
+ ]
+ }
+ }
+ }
+]
+
+# sctp dport 23
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "sctp"
+ }
+ },
+ "op": "==",
+ "right": 23
+ }
+ }
+]
+
+# sctp dport != 23
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "sctp"
+ }
+ },
+ "op": "!=",
+ "right": 23
+ }
+ }
+]
+
+# sctp dport 23-44
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "sctp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 23, 44 ]
+ }
+ }
+ }
+]
+
+# sctp dport != 23-44
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "sctp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 23, 44 ]
+ }
+ }
+ }
+]
+
+# sctp dport { 23, 24, 25}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "sctp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 23,
+ 24,
+ 25
+ ]
+ }
+ }
+ }
+]
+
+# sctp dport != { 23, 24, 25}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "sctp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 23,
+ 24,
+ 25
+ ]
+ }
+ }
+ }
+]
+
+# sctp checksum 1111
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "sctp"
+ }
+ },
+ "op": "==",
+ "right": 1111
+ }
+ }
+]
+
+# sctp checksum != 11
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "sctp"
+ }
+ },
+ "op": "!=",
+ "right": 11
+ }
+ }
+]
+
+# sctp checksum 21-333
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "sctp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 21, 333 ]
+ }
+ }
+ }
+]
+
+# sctp checksum != 32-111
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "sctp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 32, 111 ]
+ }
+ }
+ }
+]
+
+# sctp checksum { 22, 33, 44}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "sctp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 22,
+ 33,
+ 44
+ ]
+ }
+ }
+ }
+]
+
+# sctp checksum != { 22, 33, 44}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "sctp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 22,
+ 33,
+ 44
+ ]
+ }
+ }
+ }
+]
+
+# sctp vtag 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "vtag",
+ "protocol": "sctp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# sctp vtag != 233
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "vtag",
+ "protocol": "sctp"
+ }
+ },
+ "op": "!=",
+ "right": 233
+ }
+ }
+]
+
+# sctp vtag 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "vtag",
+ "protocol": "sctp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# sctp vtag != 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "vtag",
+ "protocol": "sctp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# sctp vtag {33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "vtag",
+ "protocol": "sctp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# sctp vtag != {33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "vtag",
+ "protocol": "sctp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# sctp chunk data exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "data"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk init exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "init"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk init-ack exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "init-ack"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk sack exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "sack"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk heartbeat exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "heartbeat"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk heartbeat-ack exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "heartbeat-ack"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk abort exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "abort"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk shutdown exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "shutdown"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk shutdown-ack exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "shutdown-ack"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk error exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "error"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk cookie-echo exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "cookie-echo"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk cookie-ack exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "cookie-ack"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk ecne exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "ecne"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk cwr exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "cwr"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk shutdown-complete exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "shutdown-complete"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk asconf-ack exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "asconf-ack"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk forward-tsn exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "forward-tsn"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk asconf exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "asconf"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk data type 0
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "type",
+ "name": "data"
+ }
+ },
+ "op": "==",
+ "right": 0
+ }
+ }
+]
+
+# sctp chunk init flags 23
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "flags",
+ "name": "init"
+ }
+ },
+ "op": "==",
+ "right": 23
+ }
+ }
+]
+
+# sctp chunk init-ack length 42
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "length",
+ "name": "init-ack"
+ }
+ },
+ "op": "==",
+ "right": 42
+ }
+ }
+]
+
+# sctp chunk data stream 1337
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "stream",
+ "name": "data"
+ }
+ },
+ "op": "==",
+ "right": 1337
+ }
+ }
+]
+
+# sctp chunk init initial-tsn 5
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "initial-tsn",
+ "name": "init"
+ }
+ },
+ "op": "==",
+ "right": 5
+ }
+ }
+]
+
+# sctp chunk init-ack num-outbound-streams 3
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "num-outbound-streams",
+ "name": "init-ack"
+ }
+ },
+ "op": "==",
+ "right": 3
+ }
+ }
+]
+
+# sctp chunk sack a-rwnd 1
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "a-rwnd",
+ "name": "sack"
+ }
+ },
+ "op": "==",
+ "right": 1
+ }
+ }
+]
+
+# sctp chunk shutdown cum-tsn-ack 65535
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "cum-tsn-ack",
+ "name": "shutdown"
+ }
+ },
+ "op": "==",
+ "right": 65535
+ }
+ }
+]
+
+# sctp chunk ecne lowest-tsn 5
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "lowest-tsn",
+ "name": "ecne"
+ }
+ },
+ "op": "==",
+ "right": 5
+ }
+ }
+]
+
+# sctp chunk cwr lowest-tsn 8
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "lowest-tsn",
+ "name": "cwr"
+ }
+ },
+ "op": "==",
+ "right": 8
+ }
+ }
+]
+
+# sctp chunk asconf-ack seqno 12345
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "seqno",
+ "name": "asconf-ack"
+ }
+ },
+ "op": "==",
+ "right": 12345
+ }
+ }
+]
+
+# sctp chunk forward-tsn new-cum-tsn 31337
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "new-cum-tsn",
+ "name": "forward-tsn"
+ }
+ },
+ "op": "==",
+ "right": 31337
+ }
+ }
+]
+
+# sctp chunk asconf seqno 12345
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "seqno",
+ "name": "asconf"
+ }
+ },
+ "op": "==",
+ "right": 12345
+ }
+ }
+]
+
diff --git a/tests/py/inet/sctp.t.payload b/tests/py/inet/sctp.t.payload
new file mode 100644
index 0000000..7337e2e
--- /dev/null
+++ b/tests/py/inet/sctp.t.payload
@@ -0,0 +1,351 @@
+# sctp sport 23
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00001700 ]
+
+# sctp sport != 23
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ cmp neq reg 1 0x00001700 ]
+
+# sctp sport 23-44
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ cmp gte reg 1 0x00001700 ]
+ [ cmp lte reg 1 0x00002c00 ]
+
+# sctp sport != 23-44
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ range neq reg 1 0x00001700 0x00002c00 ]
+
+# sctp sport { 23, 24, 25}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00001700 : 0 [end] element 00001800 : 0 [end] element 00001900 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# sctp sport != { 23, 24, 25}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00001700 : 0 [end] element 00001800 : 0 [end] element 00001900 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# sctp dport 23
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001700 ]
+
+# sctp dport != 23
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp neq reg 1 0x00001700 ]
+
+# sctp dport 23-44
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp gte reg 1 0x00001700 ]
+ [ cmp lte reg 1 0x00002c00 ]
+
+# sctp dport != 23-44
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ range neq reg 1 0x00001700 0x00002c00 ]
+
+# sctp dport { 23, 24, 25}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00001700 : 0 [end] element 00001800 : 0 [end] element 00001900 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# sctp dport != { 23, 24, 25}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00001700 : 0 [end] element 00001800 : 0 [end] element 00001900 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# sctp checksum 1111
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ cmp eq reg 1 0x57040000 ]
+
+# sctp checksum != 11
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ cmp neq reg 1 0x0b000000 ]
+
+# sctp checksum 21-333
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ cmp gte reg 1 0x15000000 ]
+ [ cmp lte reg 1 0x4d010000 ]
+
+# sctp checksum != 32-111
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ range neq reg 1 0x20000000 0x6f000000 ]
+
+# sctp checksum { 22, 33, 44}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 16000000 : 0 [end] element 21000000 : 0 [end] element 2c000000 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# sctp checksum != { 22, 33, 44}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 16000000 : 0 [end] element 21000000 : 0 [end] element 2c000000 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# sctp vtag 22
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp eq reg 1 0x16000000 ]
+
+# sctp vtag != 233
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp neq reg 1 0xe9000000 ]
+
+# sctp vtag 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp gte reg 1 0x21000000 ]
+ [ cmp lte reg 1 0x2d000000 ]
+
+# sctp vtag != 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ range neq reg 1 0x21000000 0x2d000000 ]
+
+# sctp vtag {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# sctp vtag != {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000084 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# sctp chunk data exists
+ip
+ [ exthdr load 1b @ 0 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk init exists
+ip
+ [ exthdr load 1b @ 1 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk init-ack exists
+ip
+ [ exthdr load 1b @ 2 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk sack exists
+ip
+ [ exthdr load 1b @ 3 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk heartbeat exists
+ip
+ [ exthdr load 1b @ 4 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk heartbeat-ack exists
+ip
+ [ exthdr load 1b @ 5 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk abort exists
+ip
+ [ exthdr load 1b @ 6 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk shutdown exists
+ip
+ [ exthdr load 1b @ 7 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk shutdown-ack exists
+ip
+ [ exthdr load 1b @ 8 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk error exists
+ip
+ [ exthdr load 1b @ 9 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk cookie-echo exists
+ip
+ [ exthdr load 1b @ 10 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk cookie-ack exists
+ip
+ [ exthdr load 1b @ 11 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk ecne exists
+ip
+ [ exthdr load 1b @ 12 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk cwr exists
+ip
+ [ exthdr load 1b @ 13 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk shutdown-complete exists
+ip
+ [ exthdr load 1b @ 14 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk asconf-ack exists
+ip
+ [ exthdr load 1b @ 128 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk forward-tsn exists
+ip
+ [ exthdr load 1b @ 192 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk asconf exists
+ip
+ [ exthdr load 1b @ 193 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk data type 0
+ip
+ [ exthdr load 1b @ 0 + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# sctp chunk init flags 23
+ip
+ [ exthdr load 1b @ 1 + 1 => reg 1 ]
+ [ cmp eq reg 1 0x00000017 ]
+
+# sctp chunk init-ack length 42
+ip
+ [ exthdr load 2b @ 2 + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00002a00 ]
+
+# sctp chunk data stream 1337
+ip
+ [ exthdr load 2b @ 0 + 8 => reg 1 ]
+ [ cmp eq reg 1 0x00003905 ]
+
+# sctp chunk init initial-tsn 5
+ip
+ [ exthdr load 4b @ 1 + 16 => reg 1 ]
+ [ cmp eq reg 1 0x05000000 ]
+
+# sctp chunk init-ack num-outbound-streams 3
+ip
+ [ exthdr load 2b @ 2 + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000300 ]
+
+# sctp chunk sack a-rwnd 1
+ip
+ [ exthdr load 4b @ 3 + 8 => reg 1 ]
+ [ cmp eq reg 1 0x01000000 ]
+
+# sctp chunk shutdown cum-tsn-ack 65535
+ip
+ [ exthdr load 4b @ 7 + 4 => reg 1 ]
+ [ cmp eq reg 1 0xffff0000 ]
+
+# sctp chunk ecne lowest-tsn 5
+ip
+ [ exthdr load 4b @ 12 + 4 => reg 1 ]
+ [ cmp eq reg 1 0x05000000 ]
+
+# sctp chunk cwr lowest-tsn 8
+ip
+ [ exthdr load 4b @ 13 + 4 => reg 1 ]
+ [ cmp eq reg 1 0x08000000 ]
+
+# sctp chunk asconf-ack seqno 12345
+ip
+ [ exthdr load 4b @ 128 + 4 => reg 1 ]
+ [ cmp eq reg 1 0x39300000 ]
+
+# sctp chunk forward-tsn new-cum-tsn 31337
+ip
+ [ exthdr load 4b @ 192 + 4 => reg 1 ]
+ [ cmp eq reg 1 0x697a0000 ]
+
+# sctp chunk asconf seqno 12345
+ip
+ [ exthdr load 4b @ 193 + 4 => reg 1 ]
+ [ cmp eq reg 1 0x39300000 ]
+
diff --git a/tests/py/inet/sets.t b/tests/py/inet/sets.t
new file mode 100644
index 0000000..5b22e1f
--- /dev/null
+++ b/tests/py/inet/sets.t
@@ -0,0 +1,25 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*inet;test-inet;input
+*bridge;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+!set1 type ipv4_addr timeout 60s;ok
+?set1 192.168.3.4 timeout 30s, 10.2.1.1;ok
+
+!set2 type ipv6_addr timeout 23d23h59m59s;ok
+?set2 dead::beef timeout 5s;ok
+
+ip saddr @set1 drop;ok
+ip saddr != @set2 drop;fail
+
+ip6 daddr != @set2 accept;ok
+ip6 daddr @set1 drop;fail
+
+!set3 type ipv4_addr . ipv4_addr . inet_service flags interval;ok
+?set3 10.0.0.0/8 . 192.168.1.3-192.168.1.9 . 1024-65535;ok
+
+ip saddr . ip daddr . tcp dport @set3 accept;ok
+ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept;ok
diff --git a/tests/py/inet/sets.t.json b/tests/py/inet/sets.t.json
new file mode 100644
index 0000000..b44ffc2
--- /dev/null
+++ b/tests/py/inet/sets.t.json
@@ -0,0 +1,136 @@
+# ip saddr @set1 drop
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "@set1"
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# ip6 daddr != @set2 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip6"
+ }
+ },
+ "op": "!=",
+ "right": "@set2"
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# ip saddr . ip daddr . tcp dport @set3 accept
+[
+ {
+ "match": {
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip"
+ }
+ },
+ {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ }
+ ]
+ },
+ "op": "==",
+ "right": "@set3"
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept
+[
+ {
+ "match": {
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip"
+ }
+ },
+ {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ }
+ ]
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "concat": [
+ {
+ "prefix": {
+ "addr": "10.0.0.0",
+ "len": 8
+ }
+ },
+ {
+ "range": [
+ 10,
+ 23
+ ]
+ }
+ ]
+ },
+ {
+ "concat": [
+ {
+ "range": [
+ "192.168.1.1",
+ "192.168.3.8"
+ ]
+ },
+ {
+ "range": [
+ 80,
+ 443
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
diff --git a/tests/py/inet/sets.t.payload.bridge b/tests/py/inet/sets.t.payload.bridge
new file mode 100644
index 0000000..3dd9d57
--- /dev/null
+++ b/tests/py/inet/sets.t.payload.bridge
@@ -0,0 +1,42 @@
+# ip saddr @set1 drop
+bridge test-inet input
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ lookup reg 1 set set1 ]
+ [ immediate reg 0 drop ]
+
+# ip6 daddr != @set2 accept
+bridge test-inet input
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
+ [ payload load 16b @ network header + 24 => reg 1 ]
+ [ lookup reg 1 set set2 0x1 ]
+ [ immediate reg 0 accept ]
+
+# ip saddr . ip daddr . tcp dport @set3 accept
+bridge
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ payload load 2b @ transport header + 2 => reg 10 ]
+ [ lookup reg 1 set set3 ]
+ [ immediate reg 0 accept ]
+
+# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept
+__set%d test-inet 87
+__set%d test-inet 0
+ element 0000000a 00000a00 - ffffff0a 00001700 : 0 [end] element 0101a8c0 00005000 - 0803a8c0 0000bb01 : 0 [end]
+bridge
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ payload load 2b @ transport header + 2 => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 accept ]
+
diff --git a/tests/py/inet/sets.t.payload.inet b/tests/py/inet/sets.t.payload.inet
new file mode 100644
index 0000000..53c6b18
--- /dev/null
+++ b/tests/py/inet/sets.t.payload.inet
@@ -0,0 +1,41 @@
+# ip saddr @set1 drop
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ lookup reg 1 set set1 ]
+ [ immediate reg 0 drop ]
+
+# ip6 daddr != @set2 accept
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 16b @ network header + 24 => reg 1 ]
+ [ lookup reg 1 set set2 0x1 ]
+ [ immediate reg 0 accept ]
+
+# ip saddr . ip daddr . tcp dport @set3 accept
+inet
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ payload load 2b @ transport header + 2 => reg 10 ]
+ [ lookup reg 1 set set3 ]
+ [ immediate reg 0 accept ]
+
+# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept
+__set%d test-inet 87
+__set%d test-inet 0
+ element 0000000a 00000a00 - ffffff0a 00001700 : 0 [end] element 0101a8c0 00005000 - 0803a8c0 0000bb01 : 0 [end]
+inet
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ payload load 2b @ transport header + 2 => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 accept ]
diff --git a/tests/py/inet/sets.t.payload.netdev b/tests/py/inet/sets.t.payload.netdev
new file mode 100644
index 0000000..e31aeb9
--- /dev/null
+++ b/tests/py/inet/sets.t.payload.netdev
@@ -0,0 +1,41 @@
+# ip saddr @set1 drop
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ lookup reg 1 set set1 ]
+ [ immediate reg 0 drop ]
+
+# ip6 daddr != @set2 accept
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x0000dd86 ]
+ [ payload load 16b @ network header + 24 => reg 1 ]
+ [ lookup reg 1 set set2 0x1 ]
+ [ immediate reg 0 accept ]
+
+# ip saddr . ip daddr . tcp dport @set3 accept
+netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ payload load 2b @ transport header + 2 => reg 10 ]
+ [ lookup reg 1 set set3 ]
+ [ immediate reg 0 accept ]
+
+# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept
+__set%d test-netdev 87
+__set%d test-netdev 0
+ element 0000000a 00000a00 - ffffff0a 00001700 : 0 [end] element 0101a8c0 00005000 - 0803a8c0 0000bb01 : 0 [end]
+netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ payload load 2b @ transport header + 2 => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 accept ]
diff --git a/tests/py/inet/snat.t b/tests/py/inet/snat.t
new file mode 100644
index 0000000..cf23b5c
--- /dev/null
+++ b/tests/py/inet/snat.t
@@ -0,0 +1,21 @@
+:postrouting;type nat hook postrouting priority 0
+
+*inet;test-inet;postrouting
+
+# explicit family: 'snat to ip':
+iifname "eth0" tcp dport 81 snat ip to 192.168.3.2;ok
+
+# infer snat target family from network header base:
+iifname "eth0" tcp dport 81 ip saddr 10.1.1.1 snat to 192.168.3.2;ok;iifname "eth0" tcp dport 81 ip saddr 10.1.1.1 snat ip to 192.168.3.2
+iifname "eth0" tcp dport 81 snat ip6 to dead::beef;ok
+
+iifname "foo" masquerade random;ok
+
+
+snat to 192.168.3.2;fail
+snat ip6 to 192.168.3.2;fail
+snat to dead::beef;fail
+snat ip to dead::beef;fail
+snat ip daddr 1.2.3.4 to dead::beef;fail
+snat ip daddr 1.2.3.4 ip6 to dead::beef;fail
+snat ip6 saddr dead::beef to 1.2.3.4;fail
diff --git a/tests/py/inet/snat.t.json b/tests/py/inet/snat.t.json
new file mode 100644
index 0000000..4671625
--- /dev/null
+++ b/tests/py/inet/snat.t.json
@@ -0,0 +1,131 @@
+# iifname "eth0" tcp dport 81 snat ip to 192.168.3.2
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "op": "==",
+ "right": "eth0"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 81
+ }
+ },
+ {
+ "snat": {
+ "addr": "192.168.3.2",
+ "family": "ip"
+ }
+ }
+]
+
+# iifname "eth0" tcp dport 81 ip saddr 10.1.1.1 snat to 192.168.3.2
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "op": "==",
+ "right": "eth0"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 81
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "10.1.1.1"
+ }
+ },
+ {
+ "snat": {
+ "addr": "192.168.3.2",
+ "family": "ip"
+ }
+ }
+]
+
+# iifname "eth0" tcp dport 81 snat ip6 to dead::beef
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "op": "==",
+ "right": "eth0"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 81
+ }
+ },
+ {
+ "snat": {
+ "addr": "dead::beef",
+ "family": "ip6"
+ }
+ }
+]
+
+# iifname "foo" masquerade random
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "op": "==",
+ "right": "foo"
+ }
+ },
+ {
+ "masquerade": {
+ "flags": "random"
+ }
+ }
+]
+
diff --git a/tests/py/inet/snat.t.payload b/tests/py/inet/snat.t.payload
new file mode 100644
index 0000000..50519c6
--- /dev/null
+++ b/tests/py/inet/snat.t.payload
@@ -0,0 +1,42 @@
+# iifname "eth0" tcp dport 81 snat ip to 192.168.3.2
+inet test-inet postrouting
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00005100 ]
+ [ immediate reg 1 0x0203a8c0 ]
+ [ nat snat ip addr_min reg 1 ]
+
+# iifname "eth0" tcp dport 81 ip saddr 10.1.1.1 snat to 192.168.3.2
+inet test-inet postrouting
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00005100 ]
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x0101010a ]
+ [ immediate reg 1 0x0203a8c0 ]
+ [ nat snat ip addr_min reg 1 ]
+
+# iifname "eth0" tcp dport 81 snat ip6 to dead::beef
+inet test-inet postrouting
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00005100 ]
+ [ immediate reg 1 0x0000adde 0x00000000 0x00000000 0xefbe0000 ]
+ [ nat snat ip6 addr_min reg 1 ]
+
+# iifname "foo" masquerade random
+inet test-inet postrouting
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x006f6f66 0x00000000 0x00000000 0x00000000 ]
+ [ masq flags 0x4 ]
diff --git a/tests/py/inet/socket.t b/tests/py/inet/socket.t
new file mode 100644
index 0000000..05e9ebb
--- /dev/null
+++ b/tests/py/inet/socket.t
@@ -0,0 +1,15 @@
+:sockchain;type filter hook prerouting priority -150
+
+*ip;sockip4;sockchain
+*ip6;sockip6;sockchain
+*inet;sockin;sockchain
+
+socket transparent 0;ok
+socket transparent 1;ok
+socket transparent 2;fail
+
+socket mark 0x00000005;ok
+
+socket wildcard 0;ok
+socket wildcard 1;ok
+socket wildcard 2;fail
diff --git a/tests/py/inet/socket.t.json b/tests/py/inet/socket.t.json
new file mode 100644
index 0000000..fa48e79
--- /dev/null
+++ b/tests/py/inet/socket.t.json
@@ -0,0 +1,74 @@
+# socket transparent 0
+[
+ {
+ "match": {
+ "left": {
+ "socket": {
+ "key": "transparent"
+ }
+ },
+ "op": "==",
+ "right": 0
+ }
+ }
+]
+
+# socket transparent 1
+[
+ {
+ "match": {
+ "left": {
+ "socket": {
+ "key": "transparent"
+ }
+ },
+ "op": "==",
+ "right": 1
+ }
+ }
+]
+
+# socket mark 0x00000005
+[
+ {
+ "match": {
+ "left": {
+ "socket": {
+ "key": "mark"
+ }
+ },
+ "op": "==",
+ "right": 5
+ }
+ }
+]
+
+# socket wildcard 0
+[
+ {
+ "match": {
+ "left": {
+ "socket": {
+ "key": "wildcard"
+ }
+ },
+ "op": "==",
+ "right": 0
+ }
+ }
+]
+
+# socket wildcard 1
+[
+ {
+ "match": {
+ "left": {
+ "socket": {
+ "key": "wildcard"
+ }
+ },
+ "op": "==",
+ "right": 1
+ }
+ }
+]
diff --git a/tests/py/inet/socket.t.payload b/tests/py/inet/socket.t.payload
new file mode 100644
index 0000000..e66ccbf
--- /dev/null
+++ b/tests/py/inet/socket.t.payload
@@ -0,0 +1,24 @@
+# socket transparent 0
+inet sockin sockchain
+ [ socket load transparent => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# socket transparent 1
+inet sockin sockchain
+ [ socket load transparent => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# socket mark 0x00000005
+inet sockin sockchain
+ [ socket load mark => reg 1 ]
+ [ cmp eq reg 1 0x00000005 ]
+
+# socket wildcard 0
+inet sockin sockchain
+ [ socket load wildcard => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# socket wildcard 1
+inet sockin sockchain
+ [ socket load wildcard => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
diff --git a/tests/py/inet/synproxy.t b/tests/py/inet/synproxy.t
new file mode 100644
index 0000000..55a05e1
--- /dev/null
+++ b/tests/py/inet/synproxy.t
@@ -0,0 +1,13 @@
+:synproxychain;type filter hook input priority 0
+
+*ip;synproxyip;synproxychain
+*ip6;synproxyip6;synproxychain
+*inet;synproxyinet;synproxychain
+
+synproxy;ok
+synproxy mss 1460 wscale 7;ok
+synproxy mss 1460 wscale 5 timestamp sack-perm;ok
+synproxy timestamp sack-perm;ok
+synproxy timestamp;ok
+synproxy sack-perm;ok
+
diff --git a/tests/py/inet/synproxy.t.json b/tests/py/inet/synproxy.t.json
new file mode 100644
index 0000000..1dd85a6
--- /dev/null
+++ b/tests/py/inet/synproxy.t.json
@@ -0,0 +1,64 @@
+# synproxy
+[
+ {
+ "synproxy":null
+ }
+]
+
+# synproxy mss 1460 wscale 7
+[
+ {
+ "synproxy": {
+ "mss": 1460,
+ "wscale": 7
+ }
+ }
+]
+
+# synproxy timestamp
+[
+ {
+ "synproxy": {
+ "flags": [
+ "timestamp"
+ ]
+ }
+ }
+]
+
+# synproxy timestamp sack-perm
+[
+ {
+ "synproxy": {
+ "flags": [
+ "timestamp",
+ "sack-perm"
+ ]
+ }
+ }
+]
+
+# synproxy mss 1460 wscale 5 timestamp sack-perm
+[
+ {
+ "synproxy": {
+ "flags": [
+ "timestamp",
+ "sack-perm"
+ ],
+ "mss": 1460,
+ "wscale": 5
+ }
+ }
+]
+
+# synproxy sack-perm
+[
+ {
+ "synproxy": {
+ "flags": [
+ "sack-perm"
+ ]
+ }
+ }
+]
diff --git a/tests/py/inet/synproxy.t.payload b/tests/py/inet/synproxy.t.payload
new file mode 100644
index 0000000..dd318b9
--- /dev/null
+++ b/tests/py/inet/synproxy.t.payload
@@ -0,0 +1,24 @@
+# synproxy
+inet synproxyinet synproxychain
+ [ synproxy mss 0 wscale 0 ]
+
+# synproxy mss 1460 wscale 7
+inet synproxyinet synproxychain
+ [ synproxy mss 1460 wscale 7 ]
+
+# synproxy mss 1460 wscale 5 timestamp sack-perm
+inet synproxyinet synproxychain
+ [ synproxy mss 1460 wscale 5 ]
+
+# synproxy timestamp sack-perm
+inet synproxyinet synproxychain
+ [ synproxy mss 0 wscale 0 ]
+
+# synproxy timestamp
+inet synproxyinet synproxychain
+ [ synproxy mss 0 wscale 0 ]
+
+# synproxy sack-perm
+inet synproxyinet synproxychain
+ [ synproxy mss 0 wscale 0 ]
+
diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t
new file mode 100644
index 0000000..f51ebd3
--- /dev/null
+++ b/tests/py/inet/tcp.t
@@ -0,0 +1,115 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+tcp dport set {1, 2, 3};fail
+
+tcp dport 22;ok
+tcp dport != 233;ok
+tcp dport 33-45;ok
+tcp dport != 33-45;ok
+tcp dport { 33, 55, 67, 88};ok
+tcp dport != { 33, 55, 67, 88};ok
+tcp dport {telnet, http, https} accept;ok;tcp dport { 443, 23, 80} accept
+tcp dport vmap { 22 : accept, 23 : drop };ok
+tcp dport vmap { 25:accept, 28:drop };ok
+tcp dport { 22, 53, 80, 110 };ok
+tcp dport != { 22, 53, 80, 110 };ok
+# BUG: invalid expression type set
+# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+
+tcp sport 22;ok
+tcp sport != 233;ok
+tcp sport 33-45;ok
+tcp sport != 33-45;ok
+tcp sport { 33, 55, 67, 88};ok
+tcp sport != { 33, 55, 67, 88};ok
+tcp sport vmap { 25:accept, 28:drop };ok
+
+tcp sport 8080 drop;ok
+tcp sport 1024 tcp dport 22;ok
+tcp sport 1024 tcp dport 22 tcp sequence 0;ok
+
+tcp sequence 0 tcp sport 1024 tcp dport 22;ok
+tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22;ok;tcp sequence 0 tcp sport { 1022, 1024} tcp dport 22
+
+tcp sequence 22;ok
+tcp sequence != 233;ok
+tcp sequence 33-45;ok
+tcp sequence != 33-45;ok
+tcp sequence { 33, 55, 67, 88};ok
+tcp sequence != { 33, 55, 67, 88};ok
+
+tcp ackseq 42949672 drop;ok
+tcp ackseq 22;ok
+tcp ackseq != 233;ok
+tcp ackseq 33-45;ok
+tcp ackseq != 33-45;ok
+tcp ackseq { 33, 55, 67, 88};ok
+tcp ackseq != { 33, 55, 67, 88};ok
+
+- tcp doff 22;ok
+- tcp doff != 233;ok
+- tcp doff 33-45;ok
+- tcp doff != 33-45;ok
+- tcp doff { 33, 55, 67, 88};ok
+- tcp doff != { 33, 55, 67, 88};ok
+
+# BUG reserved
+# BUG: It is accepted but it is not shown then. tcp reserver
+
+tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop;ok
+tcp flags != { fin, urg, ecn, cwr} drop;ok
+tcp flags cwr;ok
+tcp flags != cwr;ok
+tcp flags == syn;ok
+tcp flags fin,syn / fin,syn;ok
+tcp flags != syn / fin,syn;ok
+tcp flags & syn != 0;ok;tcp flags syn
+tcp flags & syn == 0;ok;tcp flags ! syn
+tcp flags & (syn | ack) != 0;ok;tcp flags syn,ack
+tcp flags & (syn | ack) == 0;ok;tcp flags ! syn,ack
+# it should be possible to transform this to: tcp flags syn
+tcp flags & syn == syn;ok
+tcp flags & syn != syn;ok
+tcp flags & (fin | syn | rst | ack) syn;ok;tcp flags syn / fin,syn,rst,ack
+tcp flags & (fin | syn | rst | ack) == syn;ok;tcp flags syn / fin,syn,rst,ack
+tcp flags & (fin | syn | rst | ack) != syn;ok;tcp flags != syn / fin,syn,rst,ack
+tcp flags & (fin | syn | rst | ack) == (syn | ack);ok;tcp flags syn,ack / fin,syn,rst,ack
+tcp flags & (fin | syn | rst | ack) != (syn | ack);ok;tcp flags != syn,ack / fin,syn,rst,ack
+tcp flags & (syn | ack) == (syn | ack);ok;tcp flags syn,ack / syn,ack
+tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr;ok;tcp flags == 0xff
+tcp flags { syn, syn | ack };ok
+tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack };ok
+tcp flags ! fin,rst;ok
+tcp flags & (fin | syn | rst | ack) ! syn;fail
+
+tcp window 22222;ok
+tcp window 22;ok
+tcp window != 233;ok
+tcp window 33-45;ok
+tcp window != 33-45;ok
+tcp window { 33, 55, 67, 88};ok
+tcp window != { 33, 55, 67, 88};ok
+
+tcp checksum 22;ok
+tcp checksum != 233;ok
+tcp checksum 33-45;ok
+tcp checksum != 33-45;ok
+tcp checksum { 33, 55, 67, 88};ok
+tcp checksum != { 33, 55, 67, 88};ok
+
+tcp urgptr 1234 accept;ok
+tcp urgptr 22;ok
+tcp urgptr != 233;ok
+tcp urgptr 33-45;ok
+tcp urgptr != 33-45;ok
+tcp urgptr { 33, 55, 67, 88};ok
+tcp urgptr != { 33, 55, 67, 88};ok
+
+tcp doff 8;ok
diff --git a/tests/py/inet/tcp.t.json b/tests/py/inet/tcp.t.json
new file mode 100644
index 0000000..8439c2b
--- /dev/null
+++ b/tests/py/inet/tcp.t.json
@@ -0,0 +1,1799 @@
+# tcp dport 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# tcp dport != 233
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": 233
+ }
+ }
+]
+
+# tcp dport 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# tcp dport != 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# tcp dport { 33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# tcp dport != { 33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# tcp dport {telnet, http, https} accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ "telnet",
+ "http",
+ "https"
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# tcp dport vmap { 22 : accept, 23 : drop }
+[
+ {
+ "vmap": {
+ "key": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ 22,
+ {
+ "accept": null
+ }
+ ],
+ [
+ 23,
+ {
+ "drop": null
+ }
+ ]
+ ]
+ }
+ }
+ }
+]
+
+# tcp dport vmap { 25:accept, 28:drop }
+[
+ {
+ "vmap": {
+ "key": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ 25,
+ {
+ "accept": null
+ }
+ ],
+ [
+ 28,
+ {
+ "drop": null
+ }
+ ]
+ ]
+ }
+ }
+ }
+]
+
+# tcp dport { 22, 53, 80, 110 }
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 22,
+ 53,
+ 80,
+ 110
+ ]
+ }
+ }
+ }
+]
+
+# tcp dport != { 22, 53, 80, 110 }
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 22,
+ 53,
+ 80,
+ 110
+ ]
+ }
+ }
+ }
+]
+
+# tcp sport 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# tcp sport != 233
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": 233
+ }
+ }
+]
+
+# tcp sport 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# tcp sport != 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# tcp sport { 33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# tcp sport != { 33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# tcp sport vmap { 25:accept, 28:drop }
+[
+ {
+ "vmap": {
+ "key": {
+ "payload": {
+ "field": "sport",
+ "protocol": "tcp"
+ }
+ },
+ "data": {
+ "set": [
+ [
+ 25,
+ {
+ "accept": null
+ }
+ ],
+ [
+ 28,
+ {
+ "drop": null
+ }
+ ]
+ ]
+ }
+ }
+ }
+]
+
+# tcp sport 8080 drop
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 8080
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# tcp sport 1024 tcp dport 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 1024
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# tcp sport 1024 tcp dport 22 tcp sequence 0
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 1024
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 0
+ }
+ }
+]
+
+# tcp sequence 0 tcp sport 1024 tcp dport 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 0
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 1024
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 0
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 1024,
+ 1022
+ ]
+ }
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# tcp sequence 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# tcp sequence != 233
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": 233
+ }
+ }
+]
+
+# tcp sequence 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# tcp sequence != 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# tcp sequence { 33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# tcp sequence != { 33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# tcp ackseq 42949672 drop
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "ackseq",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 42949672
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# tcp ackseq 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "ackseq",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# tcp ackseq != 233
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "ackseq",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": 233
+ }
+ }
+]
+
+# tcp ackseq 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "ackseq",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# tcp ackseq != 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "ackseq",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# tcp ackseq { 33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "ackseq",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# tcp ackseq != { 33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "ackseq",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ "fin",
+ "syn",
+ "rst",
+ "psh",
+ "ack",
+ "urg",
+ "ecn",
+ "cwr"
+ ]
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# tcp flags != { fin, urg, ecn, cwr} drop
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ "fin",
+ "urg",
+ "ecn",
+ "cwr"
+ ]
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# tcp flags cwr
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ "op": "in",
+ "right": "cwr"
+ }
+ }
+]
+
+# tcp flags != cwr
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": "cwr"
+ }
+ }
+]
+
+# tcp flags == syn
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": "syn"
+ }
+ }
+]
+
+# tcp flags & (syn|fin) == (syn|fin)
+[
+ {
+ "match": {
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ {
+ "|": [
+ "syn",
+ "fin"
+ ]
+ }
+ ]
+ },
+ "op": "==",
+ "right": {
+ "|": [
+ "syn",
+ "fin"
+ ]
+ }
+ }
+ }
+]
+
+# tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr
+[
+ {
+ "match": {
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ {
+ "|": [ "fin", { "|": [ "syn", { "|": [ "rst", { "|": [ "psh", { "|": [ "ack", { "|": [ "urg", { "|": [ "ecn", "cwr" ] } ] } ] } ] } ] } ] } ]
+ }
+ ]
+ },
+ "op": "==",
+ "right": { "|": [ "fin", { "|": [ "syn", { "|": [ "rst", { "|": [ "psh", { "|": [ "ack", { "|": [ "urg", { "|": [ "ecn", "cwr" ] } ] } ] } ] } ] } ] } ] }
+ }
+ }
+]
+
+# tcp window 22222
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "window",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22222
+ }
+ }
+]
+
+# tcp window 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "window",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# tcp window != 233
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "window",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": 233
+ }
+ }
+]
+
+# tcp window 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "window",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# tcp window != 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "window",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# tcp window { 33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "window",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# tcp window != { 33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "window",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# tcp checksum 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# tcp checksum != 233
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": 233
+ }
+ }
+]
+
+# tcp checksum 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# tcp checksum != 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# tcp checksum { 33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# tcp checksum != { 33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# tcp urgptr 1234 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "urgptr",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 1234
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# tcp urgptr 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "urgptr",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# tcp urgptr != 233
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "urgptr",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": 233
+ }
+ }
+]
+
+# tcp urgptr 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "urgptr",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# tcp urgptr != 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "urgptr",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# tcp urgptr { 33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "urgptr",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# tcp urgptr != { 33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "urgptr",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# tcp doff 8
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "doff",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 8
+ }
+ }
+]
+
+# tcp flags { syn, syn | ack }
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "|": [
+ "syn",
+ "ack"
+ ]
+ },
+ "syn"
+ ]
+ }
+ }
+ }
+]
+
+# tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack }
+[
+ {
+ "match": {
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ {
+ "|": [
+ {
+ "|": [
+ {
+ "|": [
+ {
+ "|": [
+ {
+ "|": [
+ "fin",
+ "syn"
+ ]
+ },
+ "rst"
+ ]
+ },
+ "psh"
+ ]
+ },
+ "ack"
+ ]
+ },
+ "urg"
+ ]
+ }
+ ]
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "|": [
+ {
+ "|": [
+ "fin",
+ "psh"
+ ]
+ },
+ "ack"
+ ]
+ },
+ "fin",
+ {
+ "|": [
+ "psh",
+ "ack"
+ ]
+ },
+ "ack"
+ ]
+ }
+ }
+ }
+]
+
+# tcp flags ! fin,rst
+[
+ {
+ "match": {
+ "op": "!",
+ "left": {
+ "payload": {
+ "protocol": "tcp",
+ "field": "flags"
+ }
+ },
+ "right": [
+ "fin",
+ "rst"
+ ]
+ }
+ }
+]
+
+# tcp flags fin,syn / fin,syn
+[
+ {
+ "match": {
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ [
+ "fin",
+ "syn"
+ ]
+ ]
+ },
+ "op": "==",
+ "right": [
+ "fin",
+ "syn"
+ ]
+ }
+ }
+]
+
+# tcp flags != syn / fin,syn
+[
+ {
+ "match": {
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ [
+ "fin",
+ "syn"
+ ]
+ ]
+ },
+ "op": "!=",
+ "right": "syn"
+ }
+ }
+]
+
+# tcp flags & syn == 0
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!",
+ "right": "syn"
+ }
+ }
+]
+
+# tcp flags & syn != 0
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ "op": "in",
+ "right": "syn"
+ }
+ }
+]
+
+# tcp flags & (syn | ack) != 0
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ "op": "in",
+ "right": [
+ "syn",
+ "ack"
+ ]
+ }
+ }
+]
+
+# tcp flags & (syn | ack) == 0
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ "op": "!",
+ "right": [
+ "syn",
+ "ack"
+ ]
+ }
+ }
+]
+
+# tcp flags & syn == syn
+[
+ {
+ "match": {
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ "syn"
+ ]
+ },
+ "op": "==",
+ "right": "syn"
+ }
+ }
+]
+
+# tcp flags & syn != syn
+[
+ {
+ "match": {
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ "syn"
+ ]
+ },
+ "op": "!=",
+ "right": "syn"
+ }
+ }
+]
+
+# tcp flags & (fin | syn | rst | ack) syn
+[
+ {
+ "match": {
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ [
+ "fin",
+ "syn",
+ "rst",
+ "ack"
+ ]
+ ]
+ },
+ "op": "==",
+ "right": "syn"
+ }
+ }
+]
+
+# tcp flags & (fin | syn | rst | ack) == syn
+[
+ {
+ "match": {
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ [
+ "fin",
+ "syn",
+ "rst",
+ "ack"
+ ]
+ ]
+ },
+ "op": "==",
+ "right": "syn"
+ }
+ }
+]
+
+
+# tcp flags & (fin | syn | rst | ack) != syn
+[
+ {
+ "match": {
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ [
+ "fin",
+ "syn",
+ "rst",
+ "ack"
+ ]
+ ]
+ },
+ "op": "!=",
+ "right": "syn"
+ }
+ }
+]
+
+# tcp flags & (fin | syn | rst | ack) == (syn | ack)
+[
+ {
+ "match": {
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ [
+ "fin",
+ "syn",
+ "rst",
+ "ack"
+ ]
+ ]
+ },
+ "op": "==",
+ "right": [
+ "syn",
+ "ack"
+ ]
+ }
+ }
+]
+
+# tcp flags & (fin | syn | rst | ack) != (syn | ack)
+[
+ {
+ "match": {
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ [
+ "fin",
+ "syn",
+ "rst",
+ "ack"
+ ]
+ ]
+ },
+ "op": "!=",
+ "right": [
+ "syn",
+ "ack"
+ ]
+ }
+ }
+]
+
+# tcp flags & (syn | ack) == (syn | ack)
+[
+ {
+ "match": {
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ [
+ "syn",
+ "ack"
+ ]
+ ]
+ },
+ "op": "==",
+ "right": [
+ "syn",
+ "ack"
+ ]
+ }
+ }
+]
+
diff --git a/tests/py/inet/tcp.t.json.output b/tests/py/inet/tcp.t.json.output
new file mode 100644
index 0000000..c471e8d
--- /dev/null
+++ b/tests/py/inet/tcp.t.json.output
@@ -0,0 +1,210 @@
+# tcp dport {telnet, http, https} accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 23,
+ 80,
+ 443
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sequence",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 0
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 1022,
+ 1024
+ ]
+ }
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# tcp flags & (syn|fin) == (syn|fin)
+[
+ {
+ "match": {
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ {
+ "|": [
+ "fin",
+ "syn"
+ ]
+ }
+ ]
+ },
+ "op": "==",
+ "right": {
+ "|": [
+ "fin",
+ "syn"
+ ]
+ }
+ }
+ }
+]
+
+# tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": 255
+ }
+ }
+]
+
+# tcp flags { syn, syn | ack }
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ "syn",
+ {
+ "|": [
+ "syn",
+ "ack"
+ ]
+ }
+ ]
+ }
+ }
+ }
+]
+
+# tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack }
+[
+ {
+ "match": {
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ {
+ "|": [
+ {
+ "|": [
+ {
+ "|": [
+ {
+ "|": [
+ {
+ "|": [
+ "fin",
+ "syn"
+ ]
+ },
+ "rst"
+ ]
+ },
+ "psh"
+ ]
+ },
+ "ack"
+ ]
+ },
+ "urg"
+ ]
+ }
+ ]
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ "fin",
+ {
+ "|": [
+ {
+ "|": [
+ "fin",
+ "psh"
+ ]
+ },
+ "ack"
+ ]
+ },
+ {
+ "|": [
+ "psh",
+ "ack"
+ ]
+ },
+ "ack"
+ ]
+ }
+ }
+ }
+]
diff --git a/tests/py/inet/tcp.t.payload b/tests/py/inet/tcp.t.payload
new file mode 100644
index 0000000..1cfe500
--- /dev/null
+++ b/tests/py/inet/tcp.t.payload
@@ -0,0 +1,674 @@
+# tcp dport 22
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# tcp dport != 233
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# tcp dport 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp gte reg 1 0x00002100 ]
+ [ cmp lte reg 1 0x00002d00 ]
+
+# tcp dport != 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# tcp dport { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# tcp dport != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# tcp dport {telnet, http, https} accept
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00001700 : 0 [end] element 00005000 : 0 [end] element 0000bb01 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 accept ]
+
+# tcp dport vmap { 22 : accept, 23 : drop }
+__map%d test-inet b
+__map%d test-inet 0
+ element 00001600 : accept 0 [end] element 00001700 : drop 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __map%d dreg 0 ]
+
+# tcp dport vmap { 25:accept, 28:drop }
+__map%d test-inet b
+__map%d test-inet 0
+ element 00001900 : accept 0 [end] element 00001c00 : drop 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __map%d dreg 0 ]
+
+# tcp dport { 22, 53, 80, 110 }
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00001600 : 0 [end] element 00003500 : 0 [end] element 00005000 : 0 [end] element 00006e00 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# tcp dport != { 22, 53, 80, 110 }
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00001600 : 0 [end] element 00003500 : 0 [end] element 00005000 : 0 [end] element 00006e00 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# tcp sport 22
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# tcp sport != 233
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# tcp sport 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ cmp gte reg 1 0x00002100 ]
+ [ cmp lte reg 1 0x00002d00 ]
+
+# tcp sport != 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# tcp sport { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# tcp sport != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# tcp sport vmap { 25:accept, 28:drop }
+__map%d test-inet b
+__map%d test-inet 0
+ element 00001900 : accept 0 [end] element 00001c00 : drop 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __map%d dreg 0 ]
+
+# tcp sport 8080 drop
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x0000901f ]
+ [ immediate reg 0 drop ]
+
+# tcp sport 1024 tcp dport 22
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x16000004 ]
+
+# tcp sport 1024 tcp dport 22 tcp sequence 0
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x16000004 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# tcp sequence 0 tcp sport 1024 tcp dport 22
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
+ [ payload load 4b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x16000004 ]
+
+# tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00000004 : 0 [end] element 0000fe03 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# tcp sequence 22
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp eq reg 1 0x16000000 ]
+
+# tcp sequence != 233
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp neq reg 1 0xe9000000 ]
+
+# tcp sequence 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ cmp gte reg 1 0x21000000 ]
+ [ cmp lte reg 1 0x2d000000 ]
+
+# tcp sequence != 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ range neq reg 1 0x21000000 0x2d000000 ]
+
+# tcp sequence { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# tcp sequence != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# tcp ackseq 42949672 drop
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ cmp eq reg 1 0x285c8f02 ]
+ [ immediate reg 0 drop ]
+
+# tcp ackseq 22
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ cmp eq reg 1 0x16000000 ]
+
+# tcp ackseq != 233
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ cmp neq reg 1 0xe9000000 ]
+
+# tcp ackseq 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ cmp gte reg 1 0x21000000 ]
+ [ cmp lte reg 1 0x2d000000 ]
+
+# tcp ackseq != 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ range neq reg 1 0x21000000 0x2d000000 ]
+
+# tcp ackseq { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# tcp ackseq != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ transport header + 8 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00000001 : 0 [end] element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000008 : 0 [end] element 00000010 : 0 [end] element 00000020 : 0 [end] element 00000040 : 0 [end] element 00000080 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 drop ]
+
+# tcp flags != { fin, urg, ecn, cwr} drop
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00000001 : 0 [end] element 00000020 : 0 [end] element 00000040 : 0 [end] element 00000080 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+ [ immediate reg 0 drop ]
+
+# tcp flags cwr
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000080 ) ^ 0x00000000 ]
+ [ cmp neq reg 1 0x00000000 ]
+
+# tcp flags != cwr
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ cmp neq reg 1 0x00000080 ]
+
+# tcp flags == syn
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+
+# tcp flags fin,syn / fin,syn
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000003 ]
+
+# tcp flags != syn / fin,syn
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ]
+ [ cmp neq reg 1 0x00000002 ]
+
+# tcp flags & syn != 0
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ]
+ [ cmp neq reg 1 0x00000000 ]
+
+# tcp flags & syn == 0
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# tcp flags & (syn | ack) != 0
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000012 ) ^ 0x00000000 ]
+ [ cmp neq reg 1 0x00000000 ]
+
+# tcp flags & (syn | ack) == 0
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000012 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# tcp flags & syn == syn
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000002 ]
+
+# tcp flags & syn != syn
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ]
+ [ cmp neq reg 1 0x00000002 ]
+
+# tcp flags & (fin | syn | rst | ack) syn
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000002 ]
+
+# tcp flags & (fin | syn | rst | ack) == syn
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000002 ]
+
+# tcp flags & (fin | syn | rst | ack) != syn
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
+ [ cmp neq reg 1 0x00000002 ]
+
+# tcp flags & (fin | syn | rst | ack) == (syn | ack)
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000012 ]
+
+# tcp flags & (fin | syn | rst | ack) != (syn | ack)
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
+ [ cmp neq reg 1 0x00000012 ]
+
+# tcp flags & (syn | ack) == (syn | ack)
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000012 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000012 ]
+
+# tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x000000ff ]
+
+# tcp window 22222
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 14 => reg 1 ]
+ [ cmp eq reg 1 0x0000ce56 ]
+
+# tcp window 22
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 14 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# tcp window != 233
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 14 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# tcp window 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 14 => reg 1 ]
+ [ cmp gte reg 1 0x00002100 ]
+ [ cmp lte reg 1 0x00002d00 ]
+
+# tcp window != 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 14 => reg 1 ]
+ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# tcp window { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 14 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# tcp window != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 14 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# tcp checksum 22
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# tcp checksum != 233
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 16 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# tcp checksum 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 16 => reg 1 ]
+ [ cmp gte reg 1 0x00002100 ]
+ [ cmp lte reg 1 0x00002d00 ]
+
+# tcp checksum != 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 16 => reg 1 ]
+ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# tcp checksum { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 16 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# tcp checksum != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 16 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# tcp urgptr 1234 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 18 => reg 1 ]
+ [ cmp eq reg 1 0x0000d204 ]
+ [ immediate reg 0 accept ]
+
+# tcp urgptr 22
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 18 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# tcp urgptr != 233
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 18 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# tcp urgptr 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 18 => reg 1 ]
+ [ cmp gte reg 1 0x00002100 ]
+ [ cmp lte reg 1 0x00002d00 ]
+
+# tcp urgptr != 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 18 => reg 1 ]
+ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# tcp urgptr { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 18 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# tcp urgptr != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 18 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# tcp doff 8
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 12 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000080 ]
+
+# tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack }
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00000001 : 0 [end] element 00000010 : 0 [end] element 00000018 : 0 [end] element 00000019 : 0 [end]
+ip
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000003f ) ^ 0x00000000 ]
+ [ lookup reg 1 set __set%d ]
+
+# tcp flags { syn, syn | ack }
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00000002 : 0 [end] element 00000012 : 0 [end]
+inet
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# tcp flags ! fin,rst
+inet
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 1b @ transport header + 13 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000005 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000000 ]
diff --git a/tests/py/inet/tproxy.t b/tests/py/inet/tproxy.t
new file mode 100644
index 0000000..d23bbcb
--- /dev/null
+++ b/tests/py/inet/tproxy.t
@@ -0,0 +1,21 @@
+:y;type filter hook prerouting priority -150
+
+*inet;x;y
+
+tproxy;fail
+meta l4proto 17 tproxy to 192.0.2.1;fail
+meta l4proto 6 tproxy to 192.0.2.1:50080;fail
+meta l4proto 17 tproxy ip to 192.0.2.1;ok
+meta l4proto 6 tproxy ip to 192.0.2.1:50080;ok
+ip protocol 6 tproxy ip6 to [2001:db8::1];fail
+
+meta l4proto 6 tproxy to [2001:db8::1];fail
+meta l4proto 17 tproxy to [2001:db8::1]:50080;fail
+meta l4proto 6 tproxy ip6 to [2001:db8::1];ok
+meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080;ok
+ip6 nexthdr 6 tproxy ip to 192.0.2.1;fail
+
+meta l4proto 17 tproxy ip to :50080;ok
+meta l4proto 17 tproxy ip6 to :50080;ok
+meta l4proto 17 tproxy to :50080;ok
+ip daddr 0.0.0.0/0 meta l4proto 6 tproxy ip to :2000;ok
diff --git a/tests/py/inet/tproxy.t.json b/tests/py/inet/tproxy.t.json
new file mode 100644
index 0000000..7b3b11c
--- /dev/null
+++ b/tests/py/inet/tproxy.t.json
@@ -0,0 +1,185 @@
+# meta l4proto 17 tproxy ip to 192.0.2.1
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 17
+ }
+ },
+ {
+ "tproxy": {
+ "addr": "192.0.2.1",
+ "family": "ip"
+ }
+ }
+]
+
+# meta l4proto 6 tproxy ip to 192.0.2.1:50080
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "tproxy": {
+ "addr": "192.0.2.1",
+ "family": "ip",
+ "port": 50080
+ }
+ }
+]
+
+# meta l4proto 6 tproxy ip6 to [2001:db8::1]
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "tproxy": {
+ "addr": "2001:db8::1",
+ "family": "ip6"
+ }
+ }
+]
+
+# meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 17
+ }
+ },
+ {
+ "tproxy": {
+ "addr": "2001:db8::1",
+ "family": "ip6",
+ "port": 50080
+ }
+ }
+]
+
+# meta l4proto 17 tproxy ip to :50080
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 17
+ }
+ },
+ {
+ "tproxy": {
+ "family": "ip",
+ "port": 50080
+ }
+ }
+]
+
+# meta l4proto 17 tproxy ip6 to :50080
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 17
+ }
+ },
+ {
+ "tproxy": {
+ "family": "ip6",
+ "port": 50080
+ }
+ }
+]
+
+# meta l4proto 17 tproxy to :50080
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 17
+ }
+ },
+ {
+ "tproxy": {
+ "port": 50080
+ }
+ }
+]
+
+# ip daddr 0.0.0.0/0 meta l4proto 6 tproxy ip to :2000
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": {
+ "prefix": {
+ "addr": "0.0.0.0",
+ "len": 0
+ }
+ }
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "tproxy": {
+ "family": "ip",
+ "port": 2000
+ }
+ }
+]
diff --git a/tests/py/inet/tproxy.t.payload b/tests/py/inet/tproxy.t.payload
new file mode 100644
index 0000000..24bf8f6
--- /dev/null
+++ b/tests/py/inet/tproxy.t.payload
@@ -0,0 +1,63 @@
+# meta l4proto 17 tproxy ip to 192.0.2.1
+inet x y
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 1 0x010200c0 ]
+ [ tproxy ip addr reg 1 ]
+
+# meta l4proto 6 tproxy ip to 192.0.2.1:50080
+inet x y
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ immediate reg 1 0x010200c0 ]
+ [ immediate reg 2 0x0000a0c3 ]
+ [ tproxy ip addr reg 1 port reg 2 ]
+
+# meta l4proto 6 tproxy ip6 to [2001:db8::1]
+inet x y
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ immediate reg 1 0xb80d0120 0x00000000 0x00000000 0x01000000 ]
+ [ tproxy ip6 addr reg 1 ]
+
+# meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080
+inet x y
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 1 0xb80d0120 0x00000000 0x00000000 0x01000000 ]
+ [ immediate reg 2 0x0000a0c3 ]
+ [ tproxy ip6 addr reg 1 port reg 2 ]
+
+# meta l4proto 17 tproxy to :50080
+inet x y
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 1 0x0000a0c3 ]
+ [ tproxy port reg 1 ]
+
+# meta l4proto 17 tproxy ip to :50080
+inet x y
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 1 0x0000a0c3 ]
+ [ tproxy ip port reg 1 ]
+
+# meta l4proto 17 tproxy ip6 to :50080
+inet x y
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 1 0x0000a0c3 ]
+ [ tproxy ip6 port reg 1 ]
+
+# ip daddr 0.0.0.0/0 meta l4proto 6 tproxy ip to :2000
+inet x y
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000000 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000000 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ immediate reg 1 0x0000d007 ]
+ [ tproxy ip port reg 1 ]
+
diff --git a/tests/py/inet/udp.t b/tests/py/inet/udp.t
new file mode 100644
index 0000000..7f21c8e
--- /dev/null
+++ b/tests/py/inet/udp.t
@@ -0,0 +1,45 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+udp sport 80 accept;ok
+udp sport != 60 accept;ok
+udp sport 50-70 accept;ok
+udp sport != 50-60 accept;ok
+udp sport { 49, 50} drop;ok
+udp sport != { 50, 60} accept;ok
+
+udp dport set {1, 2, 3};fail
+
+udp dport 80 accept;ok
+udp dport != 60 accept;ok
+udp dport 70-75 accept;ok
+udp dport != 50-60 accept;ok
+udp dport { 49, 50} drop;ok
+udp dport != { 50, 60} accept;ok
+
+udp length 6666;ok
+udp length != 6666;ok
+udp length 50-65 accept;ok
+udp length != 50-65 accept;ok
+udp length { 50, 65} accept;ok
+udp length != { 50, 65} accept;ok
+
+udp checksum 6666 drop;ok
+udp checksum != { 444, 555} accept;ok
+
+udp checksum 22;ok
+udp checksum != 233;ok
+udp checksum 33-45;ok
+udp checksum != 33-45;ok
+udp checksum { 33, 55, 67, 88};ok
+udp checksum != { 33, 55, 67, 88};ok
+
+# limit impact to lo
+iif "lo" udp checksum set 0;ok
+iif "lo" udp dport set 65535;ok
diff --git a/tests/py/inet/udp.t.json b/tests/py/inet/udp.t.json
new file mode 100644
index 0000000..665998e
--- /dev/null
+++ b/tests/py/inet/udp.t.json
@@ -0,0 +1,583 @@
+# udp sport 80 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 80
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udp sport != 60 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udp"
+ }
+ },
+ "op": "!=",
+ "right": 60
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udp sport 50-70 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 50, 70 ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udp sport != 50-60 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 50, 60 ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udp sport { 49, 50} drop
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 49,
+ 50
+ ]
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# udp sport != { 50, 60} accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 50,
+ 60
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udp dport 80 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 80
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udp dport != 60 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "!=",
+ "right": 60
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udp dport 70-75 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 70, 75 ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udp dport != 50-60 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 50, 60 ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udp dport { 49, 50} drop
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 49,
+ 50
+ ]
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# udp dport != { 50, 60} accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 50,
+ 60
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udp length 6666
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "length",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 6666
+ }
+ }
+]
+
+# udp length != 6666
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "length",
+ "protocol": "udp"
+ }
+ },
+ "op": "!=",
+ "right": 6666
+ }
+ }
+]
+
+# udp length 50-65 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "length",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 50, 65 ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udp length != 50-65 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "length",
+ "protocol": "udp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 50, 65 ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udp length { 50, 65} accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "length",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 50,
+ 65
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udp length != { 50, 65} accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "length",
+ "protocol": "udp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 50,
+ 65
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udp checksum 6666 drop
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 6666
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# udp checksum != { 444, 555} accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 444,
+ 555
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udp checksum 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# udp checksum != 233
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udp"
+ }
+ },
+ "op": "!=",
+ "right": 233
+ }
+ }
+]
+
+# udp checksum 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# udp checksum != 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# udp checksum { 33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# udp checksum != { 33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udp"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# iif "lo" udp checksum set 0
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "iif" }
+ },
+ "op": "==",
+ "right": "lo"
+ }
+ },
+ {
+ "mangle": {
+ "key": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udp"
+ }
+ },
+ "value": 0
+ }
+ }
+]
+
+# iif "lo" udp dport set 65535
+[
+ {
+ "match": {
+ "left": {
+ "meta": { "key": "iif" }
+ },
+ "op": "==",
+ "right": "lo"
+ }
+ },
+ {
+ "mangle": {
+ "key": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "value": 65535
+ }
+ }
+]
+
diff --git a/tests/py/inet/udp.t.payload b/tests/py/inet/udp.t.payload
new file mode 100644
index 0000000..e6beda7
--- /dev/null
+++ b/tests/py/inet/udp.t.payload
@@ -0,0 +1,248 @@
+# udp sport 80 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00005000 ]
+ [ immediate reg 0 accept ]
+
+# udp sport != 60 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ cmp neq reg 1 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+# udp sport 50-70 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ cmp gte reg 1 0x00003200 ]
+ [ cmp lte reg 1 0x00004600 ]
+ [ immediate reg 0 accept ]
+
+# udp sport != 50-60 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+# udp sport { 49, 50} drop
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00003100 : 0 [end] element 00003200 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 drop ]
+
+# udp sport != { 50, 60} accept
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00003200 : 0 [end] element 00003c00 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+ [ immediate reg 0 accept ]
+
+# udp dport 80 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00005000 ]
+ [ immediate reg 0 accept ]
+
+# udp dport != 60 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp neq reg 1 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+# udp dport 70-75 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp gte reg 1 0x00004600 ]
+ [ cmp lte reg 1 0x00004b00 ]
+ [ immediate reg 0 accept ]
+
+# udp dport != 50-60 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+# udp dport { 49, 50} drop
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00003100 : 0 [end] element 00003200 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 drop ]
+
+# udp dport != { 50, 60} accept
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00003200 : 0 [end] element 00003c00 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+ [ immediate reg 0 accept ]
+
+# udp length 6666
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ cmp eq reg 1 0x00000a1a ]
+
+# udp length != 6666
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ cmp neq reg 1 0x00000a1a ]
+
+# udp length 50-65 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ cmp gte reg 1 0x00003200 ]
+ [ cmp lte reg 1 0x00004100 ]
+ [ immediate reg 0 accept ]
+
+# udp length != 50-65 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ range neq reg 1 0x00003200 0x00004100 ]
+ [ immediate reg 0 accept ]
+
+# udp length { 50, 65} accept
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00003200 : 0 [end] element 00004100 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 accept ]
+
+# udp length != { 50, 65} accept
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00003200 : 0 [end] element 00004100 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+ [ immediate reg 0 accept ]
+
+# udp checksum 6666 drop
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000a1a ]
+ [ immediate reg 0 drop ]
+
+# udp checksum != { 444, 555} accept
+__set%d test-inet 3
+__set%d test-inet 0
+ element 0000bc01 : 0 [end] element 00002b02 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+ [ immediate reg 0 accept ]
+
+# udp checksum 22
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# udp checksum != 233
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# udp checksum 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ cmp gte reg 1 0x00002100 ]
+ [ cmp lte reg 1 0x00002d00 ]
+
+# udp checksum != 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# udp checksum { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# udp checksum != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
+# iif "lo" udp checksum set 0
+inet test-inet input
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 1 0x00000000 ]
+ [ payload write reg 1 => 2b @ transport header + 6 csum_type 1 csum_off 6 csum_flags 0x0 ]
+
+# iif "lo" udp dport set 65535
+inet test-inet input
+ [ meta load iif => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 1 0x0000ffff ]
+ [ payload write reg 1 => 2b @ transport header + 2 csum_type 1 csum_off 6 csum_flags 0x0 ]
diff --git a/tests/py/inet/udplite.t b/tests/py/inet/udplite.t
new file mode 100644
index 0000000..6a54709
--- /dev/null
+++ b/tests/py/inet/udplite.t
@@ -0,0 +1,38 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+udplite sport 80 accept;ok
+udplite sport != 60 accept;ok
+udplite sport 50-70 accept;ok
+udplite sport != 50-60 accept;ok
+udplite sport { 49, 50} drop;ok
+udplite sport != { 49, 50} accept;ok
+
+udplite dport 80 accept;ok
+udplite dport != 60 accept;ok
+udplite dport 70-75 accept;ok
+udplite dport != 50-60 accept;ok
+udplite dport { 49, 50} drop;ok
+udplite dport != { 49, 50} accept;ok
+
+- udplite csumcov 6666;ok
+- udplite csumcov != 6666;ok
+- udplite csumcov 50-65 accept;ok
+- udplite csumcov != 50-65 accept;ok
+- udplite csumcov { 50, 65} accept;ok
+- udplite csumcov != { 50, 65} accept;ok
+
+udplite checksum 6666 drop;ok
+udplite checksum != { 444, 555} accept;ok
+udplite checksum 22;ok
+udplite checksum != 233;ok
+udplite checksum 33-45;ok
+udplite checksum != 33-45;ok
+udplite checksum { 33, 55, 67, 88};ok
+udplite checksum != { 33, 55, 67, 88};ok
diff --git a/tests/py/inet/udplite.t.json b/tests/py/inet/udplite.t.json
new file mode 100644
index 0000000..713a534
--- /dev/null
+++ b/tests/py/inet/udplite.t.json
@@ -0,0 +1,413 @@
+# udplite sport 80 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udplite"
+ }
+ },
+ "op": "==",
+ "right": 80
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udplite sport != 60 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udplite"
+ }
+ },
+ "op": "!=",
+ "right": 60
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udplite sport 50-70 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udplite"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 50, 70 ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udplite sport != 50-60 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udplite"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 50, 60 ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udplite sport { 49, 50} drop
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udplite"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 49,
+ 50
+ ]
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# udplite sport != { 49, 50} accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udplite"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 49,
+ 50
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udplite dport 80 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udplite"
+ }
+ },
+ "op": "==",
+ "right": 80
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udplite dport != 60 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udplite"
+ }
+ },
+ "op": "!=",
+ "right": 60
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udplite dport 70-75 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udplite"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 70, 75 ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udplite dport != 50-60 accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udplite"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 50, 60 ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udplite dport { 49, 50} drop
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udplite"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 49,
+ 50
+ ]
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# udplite dport != { 49, 50} accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udplite"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 49,
+ 50
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udplite checksum 6666 drop
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udplite"
+ }
+ },
+ "op": "==",
+ "right": 6666
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# udplite checksum != { 444, 555} accept
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udplite"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 444,
+ 555
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# udplite checksum 22
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udplite"
+ }
+ },
+ "op": "==",
+ "right": 22
+ }
+ }
+]
+
+# udplite checksum != 233
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udplite"
+ }
+ },
+ "op": "!=",
+ "right": 233
+ }
+ }
+]
+
+# udplite checksum 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udplite"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# udplite checksum != 33-45
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udplite"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "range": [ 33, 45 ]
+ }
+ }
+ }
+]
+
+# udplite checksum { 33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udplite"
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
+# udplite checksum != { 33, 55, 67, 88}
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "checksum",
+ "protocol": "udplite"
+ }
+ },
+ "op": "!=",
+ "right": {
+ "set": [
+ 33,
+ 55,
+ 67,
+ 88
+ ]
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/udplite.t.payload b/tests/py/inet/udplite.t.payload
new file mode 100644
index 0000000..de9d09e
--- /dev/null
+++ b/tests/py/inet/udplite.t.payload
@@ -0,0 +1,178 @@
+# udplite sport 80 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00005000 ]
+ [ immediate reg 0 accept ]
+
+# udplite sport != 60 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ cmp neq reg 1 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+# udplite sport 50-70 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ cmp gte reg 1 0x00003200 ]
+ [ cmp lte reg 1 0x00004600 ]
+ [ immediate reg 0 accept ]
+
+# udplite sport != 50-60 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+# udplite sport { 49, 50} drop
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00003100 : 0 [end] element 00003200 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 drop ]
+
+# udplite sport != { 49, 50} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00003100 : 0 [end] element 00003200 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+ [ immediate reg 0 accept ]
+
+# udplite dport 80 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00005000 ]
+ [ immediate reg 0 accept ]
+
+# udplite dport != 60 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp neq reg 1 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+# udplite dport 70-75 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp gte reg 1 0x00004600 ]
+ [ cmp lte reg 1 0x00004b00 ]
+ [ immediate reg 0 accept ]
+
+# udplite dport != 50-60 accept
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ range neq reg 1 0x00003200 0x00003c00 ]
+ [ immediate reg 0 accept ]
+
+# udplite dport { 49, 50} drop
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00003100 : 0 [end] element 00003200 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 drop ]
+
+# udplite dport != { 49, 50} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00003100 : 0 [end] element 00003200 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+ [ immediate reg 0 accept ]
+
+# udplite checksum 6666 drop
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00000a1a ]
+ [ immediate reg 0 drop ]
+
+# udplite checksum != { 444, 555} accept
+__set%d test-inet 3
+__set%d test-inet 0
+ element 0000bc01 : 0 [end] element 00002b02 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+ [ immediate reg 0 accept ]
+
+# udplite checksum 22
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ cmp eq reg 1 0x00001600 ]
+
+# udplite checksum != 233
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ cmp neq reg 1 0x0000e900 ]
+
+# udplite checksum 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ cmp gte reg 1 0x00002100 ]
+ [ cmp lte reg 1 0x00002d00 ]
+
+# udplite checksum != 33-45
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ range neq reg 1 0x00002100 0x00002d00 ]
+
+# udplite checksum { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# udplite checksum != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end]
+inet test-inet input
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000088 ]
+ [ payload load 2b @ transport header + 6 => reg 1 ]
+ [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/vmap.t b/tests/py/inet/vmap.t
new file mode 100644
index 0000000..0ac6e56
--- /dev/null
+++ b/tests/py/inet/vmap.t
@@ -0,0 +1,10 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop };ok;iifname . ip protocol . th dport vmap { "eth0" . 6 . 22 : accept, "eth1" . 17 . 67 : drop }
+ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e };ok
+udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept };ok
diff --git a/tests/py/inet/vmap.t.json b/tests/py/inet/vmap.t.json
new file mode 100644
index 0000000..37472cc
--- /dev/null
+++ b/tests/py/inet/vmap.t.json
@@ -0,0 +1,144 @@
+# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop }
+[
+ {
+ "vmap": {
+ "data": {
+ "set": [
+ [
+ {
+ "concat": [
+ "eth0",
+ 6,
+ 22
+ ]
+ },
+ {
+ "accept": null
+ }
+ ],
+ [
+ {
+ "concat": [
+ "eth1",
+ 17,
+ 67
+ ]
+ },
+ {
+ "drop": null
+ }
+ ]
+ ]
+ },
+ "key": {
+ "concat": [
+ {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip"
+ }
+ },
+ {
+ "payload": {
+ "field": "dport",
+ "protocol": "th"
+ }
+ }
+ ]
+ }
+ }
+ }
+]
+
+# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
+[
+ {
+ "match": {
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ {
+ "payload": {
+ "base": "ih",
+ "len": 32,
+ "offset": 32
+ }
+ }
+ ]
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "concat": [
+ "1.1.1.1",
+ 20
+ ]
+ },
+ {
+ "concat": [
+ "2.2.2.2",
+ 30
+ ]
+ }
+ ]
+ }
+ }
+ }
+]
+
+# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept }
+[
+ {
+ "vmap": {
+ "data": {
+ "set": [
+ [
+ {
+ "concat": [
+ {
+ "range": [
+ 47,
+ 63
+ ]
+ },
+ "0xe373135363130333131303735353203"
+ ]
+ },
+ {
+ "accept": null
+ }
+ ]
+ ]
+ },
+ "key": {
+ "concat": [
+ {
+ "payload": {
+ "field": "length",
+ "protocol": "udp"
+ }
+ },
+ {
+ "payload": {
+ "base": "th",
+ "len": 128,
+ "offset": 160
+ }
+ }
+ ]
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/vmap.t.payload b/tests/py/inet/vmap.t.payload
new file mode 100644
index 0000000..29ec846
--- /dev/null
+++ b/tests/py/inet/vmap.t.payload
@@ -0,0 +1,34 @@
+# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop }
+__map%d test-inet b size 2
+__map%d test-inet 0
+ element 30687465 00000000 00000000 00000000 00000006 00001600 : accept 0 [end] element 31687465 00000000 00000000 00000000 00000011 00004300 : drop 0 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ meta load iifname => reg 1 ]
+ [ payload load 1b @ network header + 9 => reg 2 ]
+ [ payload load 2b @ transport header + 2 => reg 13 ]
+ [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
+__set%d test-inet 3 size 2
+__set%d test-inet 0
+ element 01010101 14000000 : 0 [end] element 02020202 1e000000 : 0 [end]
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ inner header + 4 => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+
+# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept }
+__map%d x 8f size 1
+__map%d x 0
+ element 00002f00 3531370e 33303136 37303131 03323535 - 00003f00 3531370e 33303136 37303131 03323535 : accept 0 [end]
+inet x y
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ payload load 16b @ transport header + 20 => reg 9 ]
+ [ lookup reg 1 set __map%d dreg 0 ]
+
diff --git a/tests/py/inet/vmap.t.payload.netdev b/tests/py/inet/vmap.t.payload.netdev
new file mode 100644
index 0000000..3f51bb3
--- /dev/null
+++ b/tests/py/inet/vmap.t.payload.netdev
@@ -0,0 +1,34 @@
+# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop }
+__map%d test-netdev b size 2
+__map%d test-netdev 0
+ element 30687465 00000000 00000000 00000000 00000006 00001600 : accept 0 [end] element 31687465 00000000 00000000 00000000 00000011 00004300 : drop 0 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ meta load iifname => reg 1 ]
+ [ payload load 1b @ network header + 9 => reg 2 ]
+ [ payload load 2b @ transport header + 2 => reg 13 ]
+ [ lookup reg 1 set __map%d dreg 0 ]
+
+# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }
+__set%d test-netdev 3 size 2
+__set%d test-netdev 0
+ element 01010101 14000000 : 0 [end] element 02020202 1e000000 : 0 [end]
+netdev test-netdev ingress
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ inner header + 4 => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+
+# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept }
+__map%d test-netdev 8f size 1
+__map%d test-netdev 0
+ element 00002f00 3531370e 33303136 37303131 03323535 - 00003f00 3531370e 33303136 37303131 03323535 : accept 0 [end]
+netdev test-netdev ingress
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ payload load 16b @ transport header + 20 => reg 9 ]
+ [ lookup reg 1 set __map%d dreg 0 ]
+
diff --git a/tests/py/inet/vxlan.t b/tests/py/inet/vxlan.t
new file mode 100644
index 0000000..10cdb7a
--- /dev/null
+++ b/tests/py/inet/vxlan.t
@@ -0,0 +1,23 @@
+:input;type filter hook input priority 0
+:ingress;type filter hook ingress device lo priority 0
+:egress;type filter hook egress device lo priority 0
+
+*ip;test-ip4;input
+*ip6;test-ip6;input
+*inet;test-inet;input
+*netdev;test-netdev;ingress,egress
+
+vxlan vni 10;fail
+udp dport 4789 vxlan vni 10;ok
+udp dport 4789 vxlan ip saddr 10.141.11.2;ok
+udp dport 4789 vxlan ip saddr 10.141.11.0/24;ok
+udp dport 4789 vxlan ip protocol 1;ok
+udp dport 4789 vxlan udp sport 8888;ok
+udp dport 4789 vxlan icmp type echo-reply;ok
+udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05;ok
+udp dport 4789 vxlan vlan id 10;ok
+udp dport 4789 vxlan ip dscp 0x02;ok
+udp dport 4789 vxlan ip dscp 0x02;ok
+udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 };ok
+
+udp dport 4789 vxlan ip saddr set 1.2.3.4;fail
diff --git a/tests/py/inet/vxlan.t.json b/tests/py/inet/vxlan.t.json
new file mode 100644
index 0000000..91b3d29
--- /dev/null
+++ b/tests/py/inet/vxlan.t.json
@@ -0,0 +1,344 @@
+# udp dport 4789 vxlan vni 10
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 4789
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "vni",
+ "protocol": "vxlan",
+ "tunnel": "vxlan"
+ }
+ },
+ "op": "==",
+ "right": 10
+ }
+ }
+]
+
+# udp dport 4789 vxlan ip saddr 10.141.11.2
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 4789
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip",
+ "tunnel": "vxlan"
+ }
+ },
+ "op": "==",
+ "right": "10.141.11.2"
+ }
+ }
+]
+
+# udp dport 4789 vxlan ip saddr 10.141.11.0/24
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 4789
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip",
+ "tunnel": "vxlan"
+ }
+ },
+ "op": "==",
+ "right": {
+ "prefix": {
+ "addr": "10.141.11.0",
+ "len": 24
+ }
+ }
+ }
+ }
+]
+
+# udp dport 4789 vxlan ip protocol 1
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 4789
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "protocol",
+ "protocol": "ip",
+ "tunnel": "vxlan"
+ }
+ },
+ "op": "==",
+ "right": 1
+ }
+ }
+]
+
+# udp dport 4789 vxlan udp sport 8888
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 4789
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "sport",
+ "protocol": "udp",
+ "tunnel": "vxlan"
+ }
+ },
+ "op": "==",
+ "right": 8888
+ }
+ }
+]
+
+# udp dport 4789 vxlan icmp type echo-reply
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 4789
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmp",
+ "tunnel": "vxlan"
+ }
+ },
+ "op": "==",
+ "right": "echo-reply"
+ }
+ }
+]
+
+# udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 4789
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ether",
+ "tunnel": "vxlan"
+ }
+ },
+ "op": "==",
+ "right": "62:87:4d:d6:19:05"
+ }
+ }
+]
+
+# udp dport 4789 vxlan vlan id 10
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 4789
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "protocol": "vlan",
+ "tunnel": "vxlan"
+ }
+ },
+ "op": "==",
+ "right": 10
+ }
+ }
+]
+
+# udp dport 4789 vxlan ip dscp 0x02
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 4789
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip",
+ "tunnel": "vxlan"
+ }
+ },
+ "op": "==",
+ "right": 2
+ }
+ }
+]
+
+# udp dport 4789 vxlan ip dscp 0x02
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 4789
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip",
+ "tunnel": "vxlan"
+ }
+ },
+ "op": "==",
+ "right": 2
+ }
+ }
+]
+
+# udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dport",
+ "protocol": "udp"
+ }
+ },
+ "op": "==",
+ "right": 4789
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip",
+ "tunnel": "vxlan"
+ }
+ },
+ {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip",
+ "tunnel": "vxlan"
+ }
+ }
+ ]
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "concat": [
+ "1.2.3.4",
+ "4.3.2.1"
+ ]
+ }
+ ]
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/vxlan.t.payload b/tests/py/inet/vxlan.t.payload
new file mode 100644
index 0000000..cde8e56
--- /dev/null
+++ b/tests/py/inet/vxlan.t.payload
@@ -0,0 +1,114 @@
+# udp dport 4789 vxlan vni 10
+netdev test-netdev ingress
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000b512 ]
+ [ inner type 1 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ]
+ [ cmp eq reg 1 0x000a0000 ]
+
+# udp dport 4789 vxlan ip saddr 10.141.11.2
+netdev test-netdev ingress
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000b512 ]
+ [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ]
+ [ cmp eq reg 1 0x020b8d0a ]
+
+# udp dport 4789 vxlan ip saddr 10.141.11.0/24
+netdev test-netdev ingress
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000b512 ]
+ [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 1 hdrsize 8 flags f [ payload load 3b @ network header + 12 => reg 1 ] ]
+ [ cmp eq reg 1 0x000b8d0a ]
+
+# udp dport 4789 vxlan ip protocol 1
+netdev test-netdev ingress
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000b512 ]
+ [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 1 hdrsize 8 flags f [ payload load 1b @ network header + 9 => reg 1 ] ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# udp dport 4789 vxlan udp sport 8888
+netdev test-netdev ingress
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000b512 ]
+ [ inner type 1 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ inner type 1 hdrsize 8 flags f [ payload load 2b @ transport header + 0 => reg 1 ] ]
+ [ cmp eq reg 1 0x0000b822 ]
+
+# udp dport 4789 vxlan icmp type echo-reply
+netdev test-netdev ingress
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000b512 ]
+ [ inner type 1 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 1 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ inner type 1 hdrsize 8 flags f [ payload load 1b @ transport header + 0 => reg 1 ] ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05
+netdev test-netdev ingress
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000b512 ]
+ [ inner type 1 hdrsize 8 flags f [ payload load 6b @ link header + 6 => reg 1 ] ]
+ [ cmp eq reg 1 0xd64d8762 0x00000519 ]
+
+# udp dport 4789 vxlan vlan id 10
+netdev test-netdev ingress
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000b512 ]
+ [ inner type 1 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ inner type 1 hdrsize 8 flags f [ payload load 2b @ link header + 14 => reg 1 ] ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000a00 ]
+
+# udp dport 4789 vxlan ip dscp 0x02
+netdev test-netdev ingress
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000b512 ]
+ [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 1 hdrsize 8 flags f [ payload load 1b @ network header + 1 => reg 1 ] ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000008 ]
+
+# udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }
+__set%d test-netdev 3 size 1
+__set%d test-netdev 0
+ element 04030201 01020304 : 0 [end]
+netdev test-netdev ingress
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x0000b512 ]
+ [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ]
+ [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 16 => reg 9 ] ]
+ [ lookup reg 1 set __set%d ]
+