diff options
Diffstat (limited to 'tests/py/inet')
128 files changed, 14908 insertions, 0 deletions
diff --git a/tests/py/inet/ah.t b/tests/py/inet/ah.t new file mode 100644 index 0000000..83b6202 --- /dev/null +++ b/tests/py/inet/ah.t @@ -0,0 +1,47 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +- ah nexthdr esp;ok +- ah nexthdr ah;ok +- ah nexthdr comp;ok +- ah nexthdr udp;ok +- ah nexthdr udplite;ok +- ah nexthdr tcp;ok +- ah nexthdr dccp;ok +- ah nexthdr sctp;ok + +- ah nexthdr { esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok;ah nexthdr { 6, 132, 50, 17, 136, 33, 51, 108} +- ah nexthdr != { esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok + +ah hdrlength 11-23;ok +ah hdrlength != 11-23;ok +ah hdrlength {11, 23, 44 };ok +ah hdrlength != {11, 23, 44 };ok + +ah reserved 22;ok +ah reserved != 233;ok +ah reserved 33-45;ok +ah reserved != 33-45;ok +ah reserved {23, 100};ok +ah reserved != {23, 100};ok + +ah spi 111;ok +ah spi != 111;ok +ah spi 111-222;ok +ah spi != 111-222;ok +ah spi {111, 122};ok +ah spi != {111, 122};ok + +# sequence +ah sequence 123;ok +ah sequence != 123;ok +ah sequence {23, 25, 33};ok +ah sequence != {23, 25, 33};ok +ah sequence 23-33;ok +ah sequence != 23-33;ok diff --git a/tests/py/inet/ah.t.json b/tests/py/inet/ah.t.json new file mode 100644 index 0000000..217280b --- /dev/null +++ b/tests/py/inet/ah.t.json @@ -0,0 +1,412 @@ +# ah hdrlength 11-23 +[ + { + "match": { + "left": { + "payload": { + "field": "hdrlength", + "protocol": "ah" + } + }, + "op": "==", + "right": { + "range": [ 11, 23 ] + } + } + } +] + +# ah hdrlength != 11-23 +[ + { + "match": { + "left": { + "payload": { + "field": "hdrlength", + "protocol": "ah" + } + }, + "op": "!=", + "right": { + "range": [ 11, 23 ] + } + } + } +] + +# ah hdrlength {11, 23, 44 } +[ + { + "match": { + "left": { + "payload": { + "field": "hdrlength", + "protocol": "ah" + } + }, + "op": "==", + "right": { + "set": [ + 11, + 23, + 44 + ] + } + } + } +] + +# ah hdrlength != {11, 23, 44 } +[ + { + "match": { + "left": { + "payload": { + "field": "hdrlength", + "protocol": "ah" + } + }, + "op": "!=", + "right": { + "set": [ + 11, + 23, + 44 + ] + } + } + } +] + +# ah reserved 22 +[ + { + "match": { + "left": { + "payload": { + "field": "reserved", + "protocol": "ah" + } + }, + "op": "==", + "right": 22 + } + } +] + +# ah reserved != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "reserved", + "protocol": "ah" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# ah reserved 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "reserved", + "protocol": "ah" + } + }, + "op": "==", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# ah reserved != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "reserved", + "protocol": "ah" + } + }, + "op": "!=", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# ah reserved {23, 100} +[ + { + "match": { + "left": { + "payload": { + "field": "reserved", + "protocol": "ah" + } + }, + "op": "==", + "right": { + "set": [ + 23, + 100 + ] + } + } + } +] + +# ah reserved != {23, 100} +[ + { + "match": { + "left": { + "payload": { + "field": "reserved", + "protocol": "ah" + } + }, + "op": "!=", + "right": { + "set": [ + 23, + 100 + ] + } + } + } +] + +# ah spi 111 +[ + { + "match": { + "left": { + "payload": { + "field": "spi", + "protocol": "ah" + } + }, + "op": "==", + "right": 111 + } + } +] + +# ah spi != 111 +[ + { + "match": { + "left": { + "payload": { + "field": "spi", + "protocol": "ah" + } + }, + "op": "!=", + "right": 111 + } + } +] + +# ah spi 111-222 +[ + { + "match": { + "left": { + "payload": { + "field": "spi", + "protocol": "ah" + } + }, + "op": "==", + "right": { + "range": [ 111, 222 ] + } + } + } +] + +# ah spi != 111-222 +[ + { + "match": { + "left": { + "payload": { + "field": "spi", + "protocol": "ah" + } + }, + "op": "!=", + "right": { + "range": [ 111, 222 ] + } + } + } +] + +# ah spi {111, 122} +[ + { + "match": { + "left": { + "payload": { + "field": "spi", + "protocol": "ah" + } + }, + "op": "==", + "right": { + "set": [ + 111, + 122 + ] + } + } + } +] + +# ah spi != {111, 122} +[ + { + "match": { + "left": { + "payload": { + "field": "spi", + "protocol": "ah" + } + }, + "op": "!=", + "right": { + "set": [ + 111, + 122 + ] + } + } + } +] + +# ah sequence 123 +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "ah" + } + }, + "op": "==", + "right": 123 + } + } +] + +# ah sequence != 123 +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "ah" + } + }, + "op": "!=", + "right": 123 + } + } +] + +# ah sequence {23, 25, 33} +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "ah" + } + }, + "op": "==", + "right": { + "set": [ + 23, + 25, + 33 + ] + } + } + } +] + +# ah sequence != {23, 25, 33} +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "ah" + } + }, + "op": "!=", + "right": { + "set": [ + 23, + 25, + 33 + ] + } + } + } +] + +# ah sequence 23-33 +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "ah" + } + }, + "op": "==", + "right": { + "range": [ 23, 33 ] + } + } + } +] + +# ah sequence != 23-33 +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "ah" + } + }, + "op": "!=", + "right": { + "range": [ 23, 33 ] + } + } + } +] + diff --git a/tests/py/inet/ah.t.payload b/tests/py/inet/ah.t.payload new file mode 100644 index 0000000..7ddd72d --- /dev/null +++ b/tests/py/inet/ah.t.payload @@ -0,0 +1,182 @@ +# ah hdrlength 11-23 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ cmp gte reg 1 0x0000000b ] + [ cmp lte reg 1 0x00000017 ] + +# ah hdrlength != 11-23 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ range neq reg 1 0x0000000b 0x00000017 ] + +# ah hdrlength {11, 23, 44 } +__set%d test-inet 3 +__set%d test-inet 0 + element 0000000b : 0 [end] element 00000017 : 0 [end] element 0000002c : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ah hdrlength != {11, 23, 44 } +__set%d test-inet 3 +__set%d test-inet 0 + element 0000000b : 0 [end] element 00000017 : 0 [end] element 0000002c : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ah reserved 22 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ah reserved != 233 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# ah reserved 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# ah reserved != 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# ah reserved {23, 100} +__set%d test-inet 3 +__set%d test-inet 0 + element 00001700 : 0 [end] element 00006400 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ah reserved != {23, 100} +__set%d test-inet 3 +__set%d test-inet 0 + element 00001700 : 0 [end] element 00006400 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ah spi 111 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x6f000000 ] + +# ah spi != 111 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp neq reg 1 0x6f000000 ] + +# ah spi 111-222 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp gte reg 1 0x6f000000 ] + [ cmp lte reg 1 0xde000000 ] + +# ah spi != 111-222 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ range neq reg 1 0x6f000000 0xde000000 ] + +# ah spi {111, 122} +__set%d test-inet 3 +__set%d test-inet 0 + element 6f000000 : 0 [end] element 7a000000 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ah spi != {111, 122} +__set%d test-inet 3 +__set%d test-inet 0 + element 6f000000 : 0 [end] element 7a000000 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ah sequence 123 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0x7b000000 ] + +# ah sequence != 123 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ cmp neq reg 1 0x7b000000 ] + +# ah sequence {23, 25, 33} +__set%d test-inet 3 +__set%d test-inet 0 + element 17000000 : 0 [end] element 19000000 : 0 [end] element 21000000 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ah sequence != {23, 25, 33} +__set%d test-inet 3 +__set%d test-inet 0 + element 17000000 : 0 [end] element 19000000 : 0 [end] element 21000000 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# ah sequence 23-33 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ cmp gte reg 1 0x17000000 ] + [ cmp lte reg 1 0x21000000 ] + +# ah sequence != 23-33 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000033 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ range neq reg 1 0x17000000 0x21000000 ] + diff --git a/tests/py/inet/comp.t b/tests/py/inet/comp.t new file mode 100644 index 0000000..2ef5382 --- /dev/null +++ b/tests/py/inet/comp.t @@ -0,0 +1,30 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +# BUG: nft: payload.c:88: payload_expr_pctx_update: Assertion `left->payload.base + 1 <= (__PROTO_BASE_MAX - 1)' failed. +- comp nexthdr esp;ok;comp nexthdr 50 +comp nexthdr != esp;ok;comp nexthdr != 50 + +- comp nexthdr {esp, ah, comp, udp, udplite, tcp, tcp, dccp, sctp};ok +# comp flags ## 8-bit field. Reserved for future use. MUST be set to zero. + +# Bug comp flags: to list. List the decimal value. +comp flags 0x0;ok +comp flags != 0x23;ok +comp flags 0x33-0x45;ok +comp flags != 0x33-0x45;ok +comp flags {0x33, 0x55, 0x67, 0x88};ok +comp flags != {0x33, 0x55, 0x67, 0x88};ok + +comp cpi 22;ok +comp cpi != 233;ok +comp cpi 33-45;ok +comp cpi != 33-45;ok +comp cpi {33, 55, 67, 88};ok +comp cpi != {33, 55, 67, 88};ok diff --git a/tests/py/inet/comp.t.json b/tests/py/inet/comp.t.json new file mode 100644 index 0000000..c9f6fca --- /dev/null +++ b/tests/py/inet/comp.t.json @@ -0,0 +1,244 @@ +# comp nexthdr != esp +[ + { + "match": { + "left": { + "payload": { + "field": "nexthdr", + "protocol": "comp" + } + }, + "op": "!=", + "right": "esp" + } + } +] + +# comp flags 0x0 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "comp" + } + }, + "op": "==", + "right": "0x0" + } + } +] + +# comp flags != 0x23 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "comp" + } + }, + "op": "!=", + "right": "0x23" + } + } +] + +# comp flags 0x33-0x45 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "comp" + } + }, + "op": "==", + "right": { + "range": [ "0x33", "0x45" ] + } + } + } +] + +# comp flags != 0x33-0x45 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "comp" + } + }, + "op": "!=", + "right": { + "range": [ "0x33", "0x45" ] + } + } + } +] + +# comp flags {0x33, 0x55, 0x67, 0x88} +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "comp" + } + }, + "op": "==", + "right": { + "set": [ + "0x33", + "0x55", + "0x67", + "0x88" + ] + } + } + } +] + +# comp flags != {0x33, 0x55, 0x67, 0x88} +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "comp" + } + }, + "op": "!=", + "right": { + "set": [ + "0x33", + "0x55", + "0x67", + "0x88" + ] + } + } + } +] + +# comp cpi 22 +[ + { + "match": { + "left": { + "payload": { + "field": "cpi", + "protocol": "comp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# comp cpi != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "cpi", + "protocol": "comp" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# comp cpi 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "cpi", + "protocol": "comp" + } + }, + "op": "==", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# comp cpi != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "cpi", + "protocol": "comp" + } + }, + "op": "!=", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# comp cpi {33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "cpi", + "protocol": "comp" + } + }, + "op": "==", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# comp cpi != {33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "cpi", + "protocol": "comp" + } + }, + "op": "!=", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + diff --git a/tests/py/inet/comp.t.json.output b/tests/py/inet/comp.t.json.output new file mode 100644 index 0000000..435c3de --- /dev/null +++ b/tests/py/inet/comp.t.json.output @@ -0,0 +1,170 @@ +# comp nexthdr != esp +[ + { + "match": { + "left": { + "payload": { + "field": "nexthdr", + "protocol": "comp" + } + }, + "op": "!=", + "right": 50 + } + } +] + +# comp flags 0x0 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "comp" + } + }, + "op": "==", + "right": 0 + } + } +] + +# comp flags != 0x23 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "comp" + } + }, + "op": "!=", + "right": 35 + } + } +] + +# comp flags 0x33-0x45 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "comp" + } + }, + "op": "==", + "right": { + "range": [ 51, 69 ] + } + } + } +] + +# comp flags != 0x33-0x45 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "comp" + } + }, + "op": "!=", + "right": { + "range": [ 51, 69 ] + } + } + } +] + +# comp flags {0x33, 0x55, 0x67, 0x88} +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "comp" + } + }, + "op": "==", + "right": { + "set": [ + 51, + 85, + 103, + 136 + ] + } + } + } +] + +# comp flags != {0x33, 0x55, 0x67, 0x88} +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "comp" + } + }, + "op": "!=", + "right": { + "set": [ + 51, + 85, + 103, + 136 + ] + } + } + } +] + +# comp flags { 0x33-0x55} +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "comp" + } + }, + "op": "==", + "right": { + "set": [ + { "range": [ 51, 85 ] } + ] + } + } + } +] + +# comp flags != { 0x33-0x55} +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "comp" + } + }, + "op": "!=", + "right": { + "set": [ + { "range": [ 51, 85 ] } + ] + } + } + } +] + diff --git a/tests/py/inet/comp.t.payload b/tests/py/inet/comp.t.payload new file mode 100644 index 0000000..024e47c --- /dev/null +++ b/tests/py/inet/comp.t.payload @@ -0,0 +1,105 @@ +# comp nexthdr != esp +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp neq reg 1 0x00000032 ] + +# comp flags 0x0 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + +# comp flags != 0x23 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ cmp neq reg 1 0x00000023 ] + +# comp flags 0x33-0x45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ cmp gte reg 1 0x00000033 ] + [ cmp lte reg 1 0x00000045 ] + +# comp flags != 0x33-0x45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ range neq reg 1 0x00000033 0x00000045 ] + +# comp flags {0x33, 0x55, 0x67, 0x88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00000033 : 0 [end] element 00000055 : 0 [end] element 00000067 : 0 [end] element 00000088 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# comp flags != {0x33, 0x55, 0x67, 0x88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00000033 : 0 [end] element 00000055 : 0 [end] element 00000067 : 0 [end] element 00000088 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# comp cpi 22 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# comp cpi != 233 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# comp cpi 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# comp cpi != 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# comp cpi {33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# comp cpi != {33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000006c ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + diff --git a/tests/py/inet/ct.t b/tests/py/inet/ct.t new file mode 100644 index 0000000..5312b32 --- /dev/null +++ b/tests/py/inet/ct.t @@ -0,0 +1,15 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 + +*inet;test-inet;input + +meta nfproto ipv4 ct original saddr 1.2.3.4;ok;ct original ip saddr 1.2.3.4 +ct original ip6 saddr ::1;ok + +ct original ip daddr 1.2.3.4 accept;ok + +# missing protocol context +ct original saddr ::1;fail + +# wrong protocol context +ct original ip saddr ::1;fail diff --git a/tests/py/inet/ct.t.json b/tests/py/inet/ct.t.json new file mode 100644 index 0000000..223ac9e --- /dev/null +++ b/tests/py/inet/ct.t.json @@ -0,0 +1,60 @@ +# meta nfproto ipv4 ct original saddr 1.2.3.4 +[ + { + "match": { + "left": { + "meta": { "key": "nfproto" } + }, + "op": "==", + "right": "ipv4" + } + }, + { + "match": { + "left": { + "ct": { + "dir": "original", + "key": "saddr" + } + }, + "op": "==", + "right": "1.2.3.4" + } + } +] + +# ct original ip6 saddr ::1 +[ + { + "match": { + "left": { + "ct": { + "dir": "original", + "key": "ip6 saddr" + } + }, + "op": "==", + "right": "::1" + } + } +] + +# ct original ip daddr 1.2.3.4 accept +[ + { + "match": { + "left": { + "ct": { + "dir": "original", + "key": "ip daddr" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "accept": null + } +] + diff --git a/tests/py/inet/ct.t.json.output b/tests/py/inet/ct.t.json.output new file mode 100644 index 0000000..74c436a --- /dev/null +++ b/tests/py/inet/ct.t.json.output @@ -0,0 +1,16 @@ +# meta nfproto ipv4 ct original saddr 1.2.3.4 +[ + { + "match": { + "left": { + "ct": { + "dir": "original", + "key": "saddr" + } + }, + "op": "==", + "right": "1.2.3.4" + } + } +] + diff --git a/tests/py/inet/ct.t.payload b/tests/py/inet/ct.t.payload new file mode 100644 index 0000000..f7a2ef2 --- /dev/null +++ b/tests/py/inet/ct.t.payload @@ -0,0 +1,17 @@ +# meta nfproto ipv4 ct original saddr 1.2.3.4 +ip test-ip4 output + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ ct load src => reg 1 , dir original ] + [ cmp eq reg 1 0x04030201 ] + +# ct original ip6 saddr ::1 +inet test-inet input + [ ct load src_ip6 => reg 1 , dir original ] + [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ] + +# ct original ip daddr 1.2.3.4 accept +inet test-inet input + [ ct load dst_ip => reg 1 , dir original ] + [ cmp eq reg 1 0x04030201 ] + [ immediate reg 0 accept ] diff --git a/tests/py/inet/dccp.t b/tests/py/inet/dccp.t new file mode 100644 index 0000000..99cddbe --- /dev/null +++ b/tests/py/inet/dccp.t @@ -0,0 +1,30 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +dccp sport 21-35;ok +dccp sport != 21-35;ok +dccp sport {23, 24, 25};ok +dccp sport != {23, 24, 25};ok + +dccp sport 20-50;ok + +# dccp dport 21-35;ok +# dccp dport != 21-35;ok +dccp dport {23, 24, 25};ok +dccp dport != {23, 24, 25};ok + +dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok +dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok +dccp type request;ok +dccp type != request;ok + +dccp option 0 exists;ok +dccp option 43 missing;ok +dccp option 255 exists;ok +dccp option 256 exists;fail diff --git a/tests/py/inet/dccp.t.json b/tests/py/inet/dccp.t.json new file mode 100644 index 0000000..9f47e97 --- /dev/null +++ b/tests/py/inet/dccp.t.json @@ -0,0 +1,276 @@ +# dccp sport 21-35 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "dccp" + } + }, + "op": "==", + "right": { + "range": [ 21, 35 ] + } + } + } +] + +# dccp sport != 21-35 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "dccp" + } + }, + "op": "!=", + "right": { + "range": [ 21, 35 ] + } + } + } +] + +# dccp sport {23, 24, 25} +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "dccp" + } + }, + "op": "==", + "right": { + "set": [ + 23, + 24, + 25 + ] + } + } + } +] + +# dccp sport != {23, 24, 25} +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "dccp" + } + }, + "op": "!=", + "right": { + "set": [ + 23, + 24, + 25 + ] + } + } + } +] + +# dccp sport 20-50 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "dccp" + } + }, + "op": "==", + "right": { + "range": [ 20, 50 ] + } + } + } +] + +# dccp dport {23, 24, 25} +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "dccp" + } + }, + "op": "==", + "right": { + "set": [ + 23, + 24, + 25 + ] + } + } + } +] + +# dccp dport != {23, 24, 25} +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "dccp" + } + }, + "op": "!=", + "right": { + "set": [ + 23, + 24, + 25 + ] + } + } + } +] + +# dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack} +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "dccp" + } + }, + "op": "==", + "right": { + "set": [ + "request", + "response", + "data", + "ack", + "dataack", + "closereq", + "close", + "reset", + "sync", + "syncack" + ] + } + } + } +] + +# dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack} +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "dccp" + } + }, + "op": "!=", + "right": { + "set": [ + "request", + "response", + "data", + "ack", + "dataack", + "closereq", + "close", + "reset", + "sync", + "syncack" + ] + } + } + } +] + +# dccp type request +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "dccp" + } + }, + "op": "==", + "right": "request" + } + } +] + +# dccp type != request +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "dccp" + } + }, + "op": "!=", + "right": "request" + } + } +] + +# dccp option 0 exists +[ + { + "match": { + "left": { + "dccp option": { + "type": 0 + } + }, + "op": "==", + "right": true + } + } +] + +# dccp option 43 missing +[ + { + "match": { + "left": { + "dccp option": { + "type": 43 + } + }, + "op": "==", + "right": false + } + } +] + +# dccp option 255 exists +[ + { + "match": { + "left": { + "dccp option": { + "type": 255 + } + }, + "op": "==", + "right": true + } + } +] diff --git a/tests/py/inet/dccp.t.json.output b/tests/py/inet/dccp.t.json.output new file mode 100644 index 0000000..146741d --- /dev/null +++ b/tests/py/inet/dccp.t.json.output @@ -0,0 +1,18 @@ +# dccp sport ftp-data - re-mail-ck +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "dccp" + } + }, + "op": "==", + "right": { + "range": [ 20, 50 ] + } + } + } +] + diff --git a/tests/py/inet/dccp.t.payload b/tests/py/inet/dccp.t.payload new file mode 100644 index 0000000..c0b87be --- /dev/null +++ b/tests/py/inet/dccp.t.payload @@ -0,0 +1,115 @@ +# dccp sport 21-35 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000021 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp gte reg 1 0x00001500 ] + [ cmp lte reg 1 0x00002300 ] + +# dccp sport != 21-35 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000021 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ range neq reg 1 0x00001500 0x00002300 ] + +# dccp sport {23, 24, 25} +__set%d test-inet 3 +__set%d test-inet 0 + element 00001700 : 0 [end] element 00001800 : 0 [end] element 00001900 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000021 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# dccp sport != {23, 24, 25} +__set%d test-inet 3 +__set%d test-inet 0 + element 00001700 : 0 [end] element 00001800 : 0 [end] element 00001900 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000021 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# dccp sport 20-50 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000021 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp gte reg 1 0x00001400 ] + [ cmp lte reg 1 0x00003200 ] + +# dccp dport {23, 24, 25} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00001700 : 0 [end] element 00001800 : 0 [end] element 00001900 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000021 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# dccp dport != {23, 24, 25} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00001700 : 0 [end] element 00001800 : 0 [end] element 00001900 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000021 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack} +__set%d test-inet 3 +__set%d test-inet 0 + element 00000000 : 0 [end] element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000006 : 0 [end] element 00000008 : 0 [end] element 0000000a : 0 [end] element 0000000c : 0 [end] element 0000000e : 0 [end] element 00000010 : 0 [end] element 00000012 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000021 ] + [ payload load 1b @ transport header + 8 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d ] + +# dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack} +__set%d test-inet 3 +__set%d test-inet 0 + element 00000000 : 0 [end] element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000006 : 0 [end] element 00000008 : 0 [end] element 0000000a : 0 [end] element 0000000c : 0 [end] element 0000000e : 0 [end] element 00000010 : 0 [end] element 00000012 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000021 ] + [ payload load 1b @ transport header + 8 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d 0x1 ] + +# dccp type request +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000021 ] + [ payload load 1b @ transport header + 8 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# dccp type != request +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000021 ] + [ payload load 1b @ transport header + 8 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000001e ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# dccp option 0 exists +ip test-inet input + [ exthdr load 1b @ 0 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# dccp option 43 missing +ip test-inet input + [ exthdr load 1b @ 43 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + +# dccp option 255 exists +ip test-inet input + [ exthdr load 1b @ 255 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] diff --git a/tests/py/inet/dnat.t b/tests/py/inet/dnat.t new file mode 100644 index 0000000..e4e169f --- /dev/null +++ b/tests/py/inet/dnat.t @@ -0,0 +1,22 @@ +:prerouting;type nat hook prerouting priority 0 + +*inet;test-inet;prerouting + +iifname "foo" tcp dport 80 redirect to :8080;ok + +iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2;ok +iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443;ok +meta l4proto tcp dnat to :80;ok;meta l4proto 6 dnat to :80 + +dnat ip to ct mark map { 0x00000014 : 1.2.3.4};ok +dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok + +dnat ip6 to 1.2.3.4;fail +dnat to 1.2.3.4;fail +dnat ip6 to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};fail +ip6 daddr dead::beef dnat to 10.1.2.3;fail + +meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80;ok;meta l4proto { 6, 17} dnat ip to 1.1.1.1:80 +ip protocol { tcp, udp } dnat ip to 1.1.1.1:80;ok;ip protocol { 6, 17} dnat ip to 1.1.1.1:80 +meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80;fail +ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80;fail diff --git a/tests/py/inet/dnat.t.json b/tests/py/inet/dnat.t.json new file mode 100644 index 0000000..c341a04 --- /dev/null +++ b/tests/py/inet/dnat.t.json @@ -0,0 +1,241 @@ +# iifname "foo" tcp dport 80 redirect to :8080 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "foo" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 80 + } + }, + { + "redirect": { + "port": 8080 + } + } +] + +# iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 443 + } + }, + { + "dnat": { + "addr": "192.168.3.2", + "family": "ip" + } + } +] + +# iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 443 + } + }, + { + "dnat": { + "addr": "dead::beef", + "family": "ip6", + "port": 4443 + } + } +] + +# dnat ip to ct mark map { 0x00000014 : 1.2.3.4} +[ + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + 20, + "1.2.3.4" + ] + ] + }, + "key": { + "ct": { + "key": "mark" + } + } + } + }, + "family": "ip" + } + } +] + +# dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4} +[ + { + "dnat": { + "addr": { + "map": { + "data": { + "set": [ + [ + { + "concat": [ + 20, + "1.1.1.1" + ] + }, + "1.2.3.4" + ] + ] + }, + "key": { + "concat": [ + { + "ct": { + "key": "mark" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + } + ] + } + } + }, + "family": "ip" + } + } +] + +# meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": { + "set": [ + 6, + 17 + ] + } + } + }, + { + "dnat": { + "addr": "1.1.1.1", + "family": "ip", + "port": 80 + } + } +] + +# ip protocol { tcp, udp } dnat ip to 1.1.1.1:80 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "set": [ + 6, + 17 + ] + } + } + }, + { + "dnat": { + "addr": "1.1.1.1", + "family": "ip", + "port": 80 + } + } +] + +# meta l4proto tcp dnat to :80 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "dnat": { + "port": 80 + } + } +] + diff --git a/tests/py/inet/dnat.t.payload b/tests/py/inet/dnat.t.payload new file mode 100644 index 0000000..ce1601a --- /dev/null +++ b/tests/py/inet/dnat.t.payload @@ -0,0 +1,86 @@ +# iifname "foo" tcp dport 80 redirect to :8080 +inet test-inet prerouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x006f6f66 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00005000 ] + [ immediate reg 1 0x0000901f ] + [ redir proto_min reg 1 flags 0x2 ] + +# iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2 +inet test-inet prerouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000bb01 ] + [ immediate reg 1 0x0203a8c0 ] + [ nat dnat ip addr_min reg 1 ] + +# iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443 +inet test-inet prerouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000bb01 ] + [ immediate reg 1 0x0000adde 0x00000000 0x00000000 0xefbe0000 ] + [ immediate reg 2 0x00005b11 ] + [ nat dnat ip6 addr_min reg 1 proto_min reg 2 flags 0x2 ] + +# dnat ip to ct mark map { 0x00000014 : 1.2.3.4} +__map%d test-inet b size 1 +__map%d test-inet 0 + element 00000014 : 04030201 0 [end] +inet test-inet prerouting + [ ct load mark => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 ] + +# dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4} +__map%d test-inet b size 1 +__map%d test-inet 0 + element 00000014 01010101 : 04030201 0 [end] +inet test-inet prerouting + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ ct load mark => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 ] + +# meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80 +__set%d test-inet 3 +__set%d test-inet 0 + element 00000006 : 0 [end] element 00000011 : 0 [end] +inet + [ meta load l4proto => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 1 0x01010101 ] + [ immediate reg 2 0x00005000 ] + [ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ] + +# ip protocol { tcp, udp } dnat ip to 1.1.1.1:80 +__set%d test-inet 3 +__set%d test-inet 0 + element 00000006 : 0 [end] element 00000011 : 0 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 1 0x01010101 ] + [ immediate reg 2 0x00005000 ] + [ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ] + +# meta l4proto tcp dnat to :80 +inet + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x00005000 ] + [ nat dnat inet proto_min reg 1 flags 0x2 ] + diff --git a/tests/py/inet/esp.t b/tests/py/inet/esp.t new file mode 100644 index 0000000..536260c --- /dev/null +++ b/tests/py/inet/esp.t @@ -0,0 +1,21 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +esp spi 100;ok +esp spi != 100;ok +esp spi 111-222;ok +esp spi != 111-222;ok +esp spi { 100, 102};ok +esp spi != { 100, 102};ok + +esp sequence 22;ok +esp sequence 22-24;ok +esp sequence != 22-24;ok +esp sequence { 22, 24};ok +esp sequence != { 22, 24};ok diff --git a/tests/py/inet/esp.t.json b/tests/py/inet/esp.t.json new file mode 100644 index 0000000..a9dedd6 --- /dev/null +++ b/tests/py/inet/esp.t.json @@ -0,0 +1,204 @@ +# esp spi 100 +[ + { + "match": { + "left": { + "payload": { + "field": "spi", + "protocol": "esp" + } + }, + "op": "==", + "right": 100 + } + } +] + +# esp spi != 100 +[ + { + "match": { + "left": { + "payload": { + "field": "spi", + "protocol": "esp" + } + }, + "op": "!=", + "right": 100 + } + } +] + +# esp spi 111-222 +[ + { + "match": { + "left": { + "payload": { + "field": "spi", + "protocol": "esp" + } + }, + "op": "==", + "right": { + "range": [ 111, 222 ] + } + } + } +] + +# esp spi != 111-222 +[ + { + "match": { + "left": { + "payload": { + "field": "spi", + "protocol": "esp" + } + }, + "op": "!=", + "right": { + "range": [ 111, 222 ] + } + } + } +] + +# esp spi { 100, 102} +[ + { + "match": { + "left": { + "payload": { + "field": "spi", + "protocol": "esp" + } + }, + "op": "==", + "right": { + "set": [ + 100, + 102 + ] + } + } + } +] + +# esp spi != { 100, 102} +[ + { + "match": { + "left": { + "payload": { + "field": "spi", + "protocol": "esp" + } + }, + "op": "!=", + "right": { + "set": [ + 100, + 102 + ] + } + } + } +] + +# esp sequence 22 +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "esp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# esp sequence 22-24 +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "esp" + } + }, + "op": "==", + "right": { + "range": [ 22, 24 ] + } + } + } +] + +# esp sequence != 22-24 +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "esp" + } + }, + "op": "!=", + "right": { + "range": [ 22, 24 ] + } + } + } +] + +# esp sequence { 22, 24} +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "esp" + } + }, + "op": "==", + "right": { + "set": [ + 22, + 24 + ] + } + } + } +] + +# esp sequence != { 22, 24} +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "esp" + } + }, + "op": "!=", + "right": { + "set": [ + 22, + 24 + ] + } + } + } +] + diff --git a/tests/py/inet/esp.t.payload b/tests/py/inet/esp.t.payload new file mode 100644 index 0000000..0353b05 --- /dev/null +++ b/tests/py/inet/esp.t.payload @@ -0,0 +1,91 @@ +# esp spi 100 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 4b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x64000000 ] + +# esp spi != 100 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 4b @ transport header + 0 => reg 1 ] + [ cmp neq reg 1 0x64000000 ] + +# esp spi 111-222 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 4b @ transport header + 0 => reg 1 ] + [ cmp gte reg 1 0x6f000000 ] + [ cmp lte reg 1 0xde000000 ] + +# esp spi != 111-222 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 4b @ transport header + 0 => reg 1 ] + [ range neq reg 1 0x6f000000 0xde000000 ] + +# esp spi { 100, 102} +__set%d test-inet 3 +__set%d test-inet 0 + element 64000000 : 0 [end] element 66000000 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 4b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# esp spi != { 100, 102} +__set%d test-inet 3 +__set%d test-inet 0 + element 64000000 : 0 [end] element 66000000 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 4b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# esp sequence 22 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x16000000 ] + +# esp sequence 22-24 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp gte reg 1 0x16000000 ] + [ cmp lte reg 1 0x18000000 ] + +# esp sequence != 22-24 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ range neq reg 1 0x16000000 0x18000000 ] + +# esp sequence { 22, 24} +__set%d test-inet 3 +__set%d test-inet 0 + element 16000000 : 0 [end] element 18000000 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# esp sequence != { 22, 24} +__set%d test-inet 3 +__set%d test-inet 0 + element 16000000 : 0 [end] element 18000000 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000032 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + diff --git a/tests/py/inet/ether-ip.t b/tests/py/inet/ether-ip.t new file mode 100644 index 0000000..759124d --- /dev/null +++ b/tests/py/inet/ether-ip.t @@ -0,0 +1,9 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ether saddr 00:0f:54:0c:11:04 ip daddr 1.2.3.4 accept +tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04;ok diff --git a/tests/py/inet/ether-ip.t.json b/tests/py/inet/ether-ip.t.json new file mode 100644 index 0000000..8f35b3d --- /dev/null +++ b/tests/py/inet/ether-ip.t.json @@ -0,0 +1,92 @@ +# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + }, + { + "match": { + "left": { + "meta": { "key": "iiftype" } + }, + "op": "==", + "right": "ether" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:0f:54:0c:11:04" + } + }, + { + "accept": null + } +] + +# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:0f:54:0c:11:04" + } + } +] + diff --git a/tests/py/inet/ether-ip.t.json.output b/tests/py/inet/ether-ip.t.json.output new file mode 100644 index 0000000..f659113 --- /dev/null +++ b/tests/py/inet/ether-ip.t.json.output @@ -0,0 +1,43 @@ +# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:0f:54:0c:11:04" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "accept": null + } +] + diff --git a/tests/py/inet/ether-ip.t.payload b/tests/py/inet/ether-ip.t.payload new file mode 100644 index 0000000..62e37a5 --- /dev/null +++ b/tests/py/inet/ether-ip.t.payload @@ -0,0 +1,28 @@ +# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 8b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x0c540f00 0x00080411 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ immediate reg 0 accept ] + +# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x0c540f00 0x00000411 ] diff --git a/tests/py/inet/ether-ip.t.payload.netdev b/tests/py/inet/ether-ip.t.payload.netdev new file mode 100644 index 0000000..b0fa6d8 --- /dev/null +++ b/tests/py/inet/ether-ip.t.payload.netdev @@ -0,0 +1,29 @@ +# tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x0c540f00 0x00000411 ] + +# tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 8b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x0c540f00 0x00080411 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ immediate reg 0 accept ] + diff --git a/tests/py/inet/ether.t b/tests/py/inet/ether.t new file mode 100644 index 0000000..8625f70 --- /dev/null +++ b/tests/py/inet/ether.t @@ -0,0 +1,20 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*bridge;test-bridge;input +*netdev;test-netdev;ingress,egress + +tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept;ok;tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept +tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept;ok + +ether saddr 00:0f:54:0c:11:04 accept;ok + +vlan id 1;ok +ether type vlan vlan id 2;ok;vlan id 2 + +# invalid dependency +ether type ip vlan id 1;fail diff --git a/tests/py/inet/ether.t.json b/tests/py/inet/ether.t.json new file mode 100644 index 0000000..c7a7f88 --- /dev/null +++ b/tests/py/inet/ether.t.json @@ -0,0 +1,122 @@ +# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + }, + { + "match": { + "left": { + "meta": { "key": "iiftype" } + }, + "op": "==", + "right": "ether" + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:0f:54:0c:11:04" + } + }, + { + "accept": null + } +] + +# tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:0f:54:0c:11:04" + } + }, + { + "accept": null + } +] + +# ether saddr 00:0f:54:0c:11:04 accept +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:0f:54:0c:11:04" + } + }, + { + "accept": null + } +] + +# vlan id 1 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 1 + } + } +] + +# ether type vlan vlan id 2 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan" + } + }, + "op": "==", + "right": 2 + } + } +] + diff --git a/tests/py/inet/ether.t.json.output b/tests/py/inet/ether.t.json.output new file mode 100644 index 0000000..9ae8c44 --- /dev/null +++ b/tests/py/inet/ether.t.json.output @@ -0,0 +1,31 @@ +# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "00:0f:54:0c:11:04" + } + }, + { + "accept": null + } +] + diff --git a/tests/py/inet/ether.t.payload b/tests/py/inet/ether.t.payload new file mode 100644 index 0000000..8b74a78 --- /dev/null +++ b/tests/py/inet/ether.t.payload @@ -0,0 +1,52 @@ +# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x0c540f00 0x00000411 ] + [ immediate reg 0 accept ] + +# tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x0c540f00 0x00000411 ] + [ immediate reg 0 accept ] + +# ether saddr 00:0f:54:0c:11:04 accept +inet test-inet input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x0c540f00 0x00000411 ] + [ immediate reg 0 accept ] + +# vlan id 1 +netdev test-netdev ingress + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + +# ether type vlan vlan id 2 +netdev test-netdev ingress + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + diff --git a/tests/py/inet/ether.t.payload.bridge b/tests/py/inet/ether.t.payload.bridge new file mode 100644 index 0000000..0128d5f --- /dev/null +++ b/tests/py/inet/ether.t.payload.bridge @@ -0,0 +1,44 @@ +# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept +bridge test-bridge input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x0c540f00 0x00000411 ] + [ immediate reg 0 accept ] + +# tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept +bridge test-bridge input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x0c540f00 0x00000411 ] + [ immediate reg 0 accept ] + +# ether saddr 00:0f:54:0c:11:04 accept +bridge test-bridge input + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x0c540f00 0x00000411 ] + [ immediate reg 0 accept ] + +# vlan id 1 +bridge test-bridge input + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + +# ether type vlan vlan id 2 +bridge test-bridge input + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + diff --git a/tests/py/inet/ether.t.payload.ip b/tests/py/inet/ether.t.payload.ip new file mode 100644 index 0000000..7c91f41 --- /dev/null +++ b/tests/py/inet/ether.t.payload.ip @@ -0,0 +1,52 @@ +# tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x0c540f00 0x00000411 ] + [ immediate reg 0 accept ] + +# tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x0c540f00 0x00000411 ] + [ immediate reg 0 accept ] + +# ether saddr 00:0f:54:0c:11:04 accept +ip test-ip4 input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 6b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0x0c540f00 0x00000411 ] + [ immediate reg 0 accept ] + +# vlan id 1 +ip test-ip4 input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000100 ] + +# ether type vlan vlan id 2 +ip test-ip4 input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000081 ] + [ payload load 2b @ link header + 14 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000200 ] + diff --git a/tests/py/inet/fib.t b/tests/py/inet/fib.t new file mode 100644 index 0000000..dbe45d9 --- /dev/null +++ b/tests/py/inet/fib.t @@ -0,0 +1,17 @@ +:prerouting;type filter hook prerouting priority 0 + +*ip;test-ip;prerouting +*ip6;test-ip6;prerouting + +fib saddr . daddr oif lo;fail +fib iif . oif . daddr oif lo;fail +fib mark oif lo;fail +fib saddr . iif oif ne 0;ok;fib saddr . iif oif != 0 +fib saddr . iif oifname "lo";ok + +fib daddr . iif type local;ok +fib daddr . iif type vmap { blackhole : drop, prohibit : drop, unicast : accept };ok +fib daddr . oif type local;fail + +fib daddr oif exists;ok +fib daddr oif missing;ok diff --git a/tests/py/inet/fib.t.json b/tests/py/inet/fib.t.json new file mode 100644 index 0000000..c298915 --- /dev/null +++ b/tests/py/inet/fib.t.json @@ -0,0 +1,132 @@ +# fib saddr . iif oif ne 0 +[ + { + "match": { + "left": { + "fib": { + "flags": [ + "saddr", + "iif" + ], + "result": "oif" + } + }, + "op": "!=", + "right": "0" + } + } +] + +# fib saddr . iif oifname "lo" +[ + { + "match": { + "left": { + "fib": { + "flags": [ + "saddr", + "iif" + ], + "result": "oifname" + } + }, + "op": "==", + "right": "lo" + } + } +] + +# fib daddr . iif type local +[ + { + "match": { + "left": { + "fib": { + "flags": [ + "daddr", + "iif" + ], + "result": "type" + } + }, + "op": "==", + "right": "local" + } + } +] + +# fib daddr . iif type vmap { blackhole : drop, prohibit : drop, unicast : accept } +[ + { + "vmap": { + "key": { + "fib": { + "flags": [ + "daddr", + "iif" + ], + "result": "type" + } + }, + "data": { + "set": [ + [ + "blackhole", + { + "drop": null + } + ], + [ + "prohibit", + { + "drop": null + } + ], + [ + "unicast", + { + "accept": null + } + ] + ] + } + } + } +] + +# fib daddr oif exists +[ + { + "match": { + "left": { + "fib": { + "flags": [ + "daddr" + ], + "result": "oif" + } + }, + "op": "==", + "right": true + } + } +] + +# fib daddr oif missing +[ + { + "match": { + "left": { + "fib": { + "flags": [ + "daddr" + ], + "result": "oif" + } + }, + "op": "==", + "right": false + } + } +] + diff --git a/tests/py/inet/fib.t.json.output b/tests/py/inet/fib.t.json.output new file mode 100644 index 0000000..52cd46b --- /dev/null +++ b/tests/py/inet/fib.t.json.output @@ -0,0 +1,39 @@ +# fib daddr . iif type vmap { blackhole : drop, prohibit : drop, unicast : accept } +[ + { + "vmap": { + "key": { + "fib": { + "flags": [ + "daddr", + "iif" + ], + "result": "type" + } + }, + "data": { + "set": [ + [ + "unicast", + { + "accept": null + } + ], + [ + "blackhole", + { + "drop": null + } + ], + [ + "prohibit", + { + "drop": null + } + ] + ] + } + } + } +] + diff --git a/tests/py/inet/fib.t.payload b/tests/py/inet/fib.t.payload new file mode 100644 index 0000000..050857d --- /dev/null +++ b/tests/py/inet/fib.t.payload @@ -0,0 +1,32 @@ +# fib saddr . iif oif ne 0 +ip test-ip prerouting + [ fib saddr . iif oif => reg 1 ] + [ cmp neq reg 1 0x00000000 ] + +# fib saddr . iif oifname "lo" +ip test-ip prerouting + [ fib saddr . iif oifname => reg 1 ] + [ cmp eq reg 1 0x00006f6c 0x00000000 0x00000000 0x00000000 ] + +# fib daddr . iif type local +ip test-ip prerouting + [ fib daddr . iif type => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + +# fib daddr . iif type vmap { blackhole : drop, prohibit : drop, unicast : accept } +__map%d test-ip b +__map%d test-ip 0 + element 00000006 : drop 0 [end] element 00000008 : drop 0 [end] element 00000001 : accept 0 [end] +ip test-ip prerouting + [ fib daddr . iif type => reg 1 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# fib daddr oif exists +ip test-ip prerouting + [ fib daddr oif present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# fib daddr oif missing +ip test-ip prerouting + [ fib daddr oif present => reg 1 ] + [ cmp eq reg 1 0x00000000 ] diff --git a/tests/py/inet/geneve.t b/tests/py/inet/geneve.t new file mode 100644 index 0000000..101f6df --- /dev/null +++ b/tests/py/inet/geneve.t @@ -0,0 +1,23 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +geneve vni 10;fail +udp dport 6081 geneve vni 10;ok +udp dport 6081 geneve ip saddr 10.141.11.2;ok +udp dport 6081 geneve ip saddr 10.141.11.0/24;ok +udp dport 6081 geneve ip protocol 1;ok +udp dport 6081 geneve udp sport 8888;ok +udp dport 6081 geneve icmp type echo-reply;ok +udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05;ok +udp dport 6081 geneve vlan id 10;ok +udp dport 6081 geneve ip dscp 0x02;ok +udp dport 6081 geneve ip dscp 0x02;ok +udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 };ok + +udp dport 6081 geneve ip saddr set 1.2.3.4;fail diff --git a/tests/py/inet/geneve.t.json b/tests/py/inet/geneve.t.json new file mode 100644 index 0000000..a299fcd --- /dev/null +++ b/tests/py/inet/geneve.t.json @@ -0,0 +1,344 @@ +# udp dport 6081 geneve vni 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "vni", + "protocol": "geneve", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 6081 geneve ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# udp dport 6081 geneve ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# udp dport 6081 geneve ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 1 + } + } +] + +# udp dport 6081 geneve udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# udp dport 6081 geneve icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp", + "tunnel": "geneve" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether", + "tunnel": "geneve" + } + }, + "op": "==", + "right": "62:87:4d:d6:19:05" + } + } +] + +# udp dport 6081 geneve vlan id 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 6081 geneve ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 6081 geneve ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "geneve" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 } +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 6081 + } + }, + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "geneve" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "geneve" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/geneve.t.payload b/tests/py/inet/geneve.t.payload new file mode 100644 index 0000000..1ce54de --- /dev/null +++ b/tests/py/inet/geneve.t.payload @@ -0,0 +1,114 @@ +# udp dport 6081 geneve vni 10 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ] + [ cmp eq reg 1 0x000a0000 ] + +# udp dport 6081 geneve ip saddr 10.141.11.2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x020b8d0a ] + +# udp dport 6081 geneve ip saddr 10.141.11.0/24 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 3b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x000b8d0a ] + +# udp dport 6081 geneve ip protocol 1 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 1b @ network header + 9 => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + +# udp dport 6081 geneve udp sport 8888 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000011 ] + [ inner type 2 hdrsize 8 flags f [ payload load 2b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x0000b822 ] + +# udp dport 6081 geneve icmp type echo-reply +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + [ inner type 2 hdrsize 8 flags f [ payload load 1b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x00000000 ] + +# udp dport 6081 geneve ether saddr 62:87:4d:d6:19:05 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ payload load 6b @ link header + 6 => reg 1 ] ] + [ cmp eq reg 1 0xd64d8762 0x00000519 ] + +# udp dport 6081 geneve vlan id 10 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000081 ] + [ inner type 2 hdrsize 8 flags f [ payload load 2b @ link header + 14 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000a00 ] + +# udp dport 6081 geneve ip dscp 0x02 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 1b @ network header + 1 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000008 ] + +# udp dport 6081 geneve ip saddr . geneve ip daddr { 1.2.3.4 . 4.3.2.1 } +__set%d test-ip4 3 size 1 +__set%d test-ip4 0 + element 04030201 01020304 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000c117 ] + [ inner type 2 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 2 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ] + [ inner type 2 hdrsize 8 flags f [ payload load 4b @ network header + 16 => reg 9 ] ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/inet/gre.t b/tests/py/inet/gre.t new file mode 100644 index 0000000..a3e046a --- /dev/null +++ b/tests/py/inet/gre.t @@ -0,0 +1,22 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +gre version 0;ok +gre ip saddr 10.141.11.2;ok +gre ip saddr 10.141.11.0/24;ok +gre ip protocol 1;ok +gre udp sport 8888;ok +gre icmp type echo-reply;ok +gre ether saddr 62:87:4d:d6:19:05;fail +gre vlan id 10;fail +gre ip dscp 0x02;ok +gre ip dscp 0x02;ok +gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 };ok + +gre ip saddr set 1.2.3.4;fail diff --git a/tests/py/inet/gre.t.json b/tests/py/inet/gre.t.json new file mode 100644 index 0000000..c443176 --- /dev/null +++ b/tests/py/inet/gre.t.json @@ -0,0 +1,177 @@ +# gre version 0 +[ + { + "match": { + "left": { + "payload": { + "field": "version", + "protocol": "gre" + } + }, + "op": "==", + "right": 0 + } + } +] + +# gre ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# gre ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# gre ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": 1 + } + } +] + +# gre udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "gre" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# gre icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp", + "tunnel": "gre" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# gre ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gre ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gre" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gre" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "gre" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/gre.t.payload b/tests/py/inet/gre.t.payload new file mode 100644 index 0000000..333133e --- /dev/null +++ b/tests/py/inet/gre.t.payload @@ -0,0 +1,78 @@ +# gre version 0 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ payload load 1b @ transport header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000007 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# gre ip saddr 10.141.11.2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 4b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x020b8d0a ] + +# gre ip saddr 10.141.11.0/24 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 3b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x000b8d0a ] + +# gre ip protocol 1 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 1b @ network header + 9 => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + +# gre udp sport 8888 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000011 ] + [ inner type 3 hdrsize 4 flags c [ payload load 2b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x0000b822 ] + +# gre icmp type echo-reply +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + [ inner type 3 hdrsize 4 flags c [ payload load 1b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x00000000 ] + +# gre ip dscp 0x02 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 1b @ network header + 1 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000008 ] + +# gre ip saddr . gre ip daddr { 1.2.3.4 . 4.3.2.1 } +__set%d test-ip4 3 size 1 +__set%d test-ip4 0 + element 04030201 01020304 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 3 hdrsize 4 flags c [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 3 hdrsize 4 flags c [ payload load 4b @ network header + 12 => reg 1 ] ] + [ inner type 3 hdrsize 4 flags c [ payload load 4b @ network header + 16 => reg 9 ] ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/inet/gretap.t b/tests/py/inet/gretap.t new file mode 100644 index 0000000..cd7ee21 --- /dev/null +++ b/tests/py/inet/gretap.t @@ -0,0 +1,21 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +gretap ip saddr 10.141.11.2;ok +gretap ip saddr 10.141.11.0/24;ok +gretap ip protocol 1;ok +gretap udp sport 8888;ok +gretap icmp type echo-reply;ok +gretap ether saddr 62:87:4d:d6:19:05;ok +gretap vlan id 10;ok +gretap ip dscp 0x02;ok +gretap ip dscp 0x02;ok +gretap ip saddr . gretap ip daddr { 1.2.3.4 . 4.3.2.1 };ok + +gretap ip saddr set 1.2.3.4;fail diff --git a/tests/py/inet/gretap.t.json b/tests/py/inet/gretap.t.json new file mode 100644 index 0000000..36fa978 --- /dev/null +++ b/tests/py/inet/gretap.t.json @@ -0,0 +1,195 @@ +# gretap ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# gretap ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# gretap ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 1 + } + } +] + +# gretap udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# gretap icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp", + "tunnel": "gretap" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# gretap ether saddr 62:87:4d:d6:19:05 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether", + "tunnel": "gretap" + } + }, + "op": "==", + "right": "62:87:4d:d6:19:05" + } + } +] + +# gretap vlan id 10 +[ + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 10 + } + } +] + +# gretap ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gretap ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "gretap" + } + }, + "op": "==", + "right": 2 + } + } +] + +# gretap ip saddr . gretap ip daddr { 1.2.3.4 . 4.3.2.1 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "gretap" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "gretap" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/gretap.t.payload b/tests/py/inet/gretap.t.payload new file mode 100644 index 0000000..654c71e --- /dev/null +++ b/tests/py/inet/gretap.t.payload @@ -0,0 +1,87 @@ +# gretap ip saddr 10.141.11.2 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 4b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x020b8d0a ] + +# gretap ip saddr 10.141.11.0/24 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 3b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x000b8d0a ] + +# gretap ip protocol 1 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 1b @ network header + 9 => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + +# gretap udp sport 8888 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000011 ] + [ inner type 4 hdrsize 4 flags e [ payload load 2b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x0000b822 ] + +# gretap icmp type echo-reply +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + [ inner type 4 hdrsize 4 flags e [ payload load 1b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x00000000 ] + +# gretap ether saddr 62:87:4d:d6:19:05 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ payload load 6b @ link header + 6 => reg 1 ] ] + [ cmp eq reg 1 0xd64d8762 0x00000519 ] + +# gretap vlan id 10 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000081 ] + [ inner type 4 hdrsize 4 flags e [ payload load 2b @ link header + 14 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000a00 ] + +# gretap ip dscp 0x02 +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 1b @ network header + 1 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000008 ] + +# gretap ip saddr . gretap ip daddr { 1.2.3.4 . 4.3.2.1 } +__set%d test-ip4 3 size 1 +__set%d test-ip4 0 + element 04030201 01020304 : 0 [end] +ip test-ip4 input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000002f ] + [ inner type 4 hdrsize 4 flags e [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 4 hdrsize 4 flags e [ payload load 4b @ network header + 12 => reg 1 ] ] + [ inner type 4 hdrsize 4 flags e [ payload load 4b @ network header + 16 => reg 9 ] ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/inet/icmp.t b/tests/py/inet/icmp.t new file mode 100644 index 0000000..9014f84 --- /dev/null +++ b/tests/py/inet/icmp.t @@ -0,0 +1,18 @@ +:output;type filter hook output priority 0 + +*inet;test-inet;output + +# without nfproto specified, these should add an implicit dependency on +# the likely l3 proto (i.e., IPv6 for icmpv6 and IPv4 for icmp) + +icmp type echo-request;ok +icmpv6 type echo-request;ok + +# make sure only those nfproto matches are dropped if +# the next statement would add it as a dependency anyway + +meta nfproto ipv4 icmp type echo-request;ok;icmp type echo-request +meta nfproto ipv4 icmpv6 type echo-request;ok + +meta nfproto ipv6 icmp type echo-request;ok +meta nfproto ipv6 icmpv6 type echo-request;ok;icmpv6 type echo-request diff --git a/tests/py/inet/icmp.t.json b/tests/py/inet/icmp.t.json new file mode 100644 index 0000000..64be2b3 --- /dev/null +++ b/tests/py/inet/icmp.t.json @@ -0,0 +1,124 @@ +# icmp type echo-request +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "echo-request" + } + } +] + +# icmpv6 type echo-request +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "echo-request" + } + } +] + +# meta nfproto ipv4 icmp type echo-request +[ + { + "match": { + "left": { "meta": { "key": "nfproto" } }, + "op": "==", + "right": "ipv4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "echo-request" + } + } +] + +# meta nfproto ipv4 icmpv6 type echo-request +[ + { + "match": { + "left": { "meta": { "key": "nfproto" } }, + "op": "==", + "right": "ipv4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "echo-request" + } + } +] + +# meta nfproto ipv6 icmp type echo-request +[ + { + "match": { + "left": { "meta": { "key": "nfproto" } }, + "op": "==", + "right": "ipv6" + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "echo-request" + } + } +] + +# meta nfproto ipv6 icmpv6 type echo-request +[ + { + "match": { + "left": { "meta": { "key": "nfproto" } }, + "op": "==", + "right": "ipv6" + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "echo-request" + } + } +] + diff --git a/tests/py/inet/icmp.t.json.output b/tests/py/inet/icmp.t.json.output new file mode 100644 index 0000000..062c82f --- /dev/null +++ b/tests/py/inet/icmp.t.json.output @@ -0,0 +1,32 @@ +# meta nfproto ipv4 icmp type echo-request +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "echo-request" + } + } +] + +# meta nfproto ipv6 icmpv6 type echo-request +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "echo-request" + } + } +] + diff --git a/tests/py/inet/icmp.t.payload b/tests/py/inet/icmp.t.payload new file mode 100644 index 0000000..f98cfc3 --- /dev/null +++ b/tests/py/inet/icmp.t.payload @@ -0,0 +1,54 @@ +# icmp type echo-request +inet test-inet output + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + +# icmpv6 type echo-request +inet test-inet output + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000080 ] + +# meta nfproto ipv4 icmp type echo-request +inet test-inet output + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + +# meta nfproto ipv4 icmpv6 type echo-request +inet test-inet output + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000080 ] + +# meta nfproto ipv6 icmp type echo-request +inet test-inet output + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + +# meta nfproto ipv6 icmpv6 type echo-request +inet test-inet output + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000080 ] + diff --git a/tests/py/inet/icmpX.t b/tests/py/inet/icmpX.t new file mode 100644 index 0000000..9430b3d --- /dev/null +++ b/tests/py/inet/icmpX.t @@ -0,0 +1,10 @@ +:input;type filter hook input priority 0 + +*inet;test-inet;input + +ip protocol icmp icmp type echo-request;ok;ip protocol 1 icmp type echo-request +icmp type echo-request;ok +ip6 nexthdr icmpv6 icmpv6 type echo-request;ok;ip6 nexthdr 58 icmpv6 type echo-request +icmpv6 type echo-request;ok +# must not remove 'ip protocol' dependency, this explicitly matches icmpv6-in-ipv4. +ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1;ok;ip protocol 58 icmpv6 type destination-unreachable diff --git a/tests/py/inet/icmpX.t.json b/tests/py/inet/icmpX.t.json new file mode 100644 index 0000000..8e13091 --- /dev/null +++ b/tests/py/inet/icmpX.t.json @@ -0,0 +1,125 @@ +# ip protocol icmp icmp type echo-request +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": "icmp" + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "echo-request" + } + } +] + +# icmp type echo-request +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "echo-request" + } + } +] + +# ip6 nexthdr icmpv6 icmpv6 type echo-request +[ + { + "match": { + "left": { + "payload": { + "field": "nexthdr", + "protocol": "ip6" + } + }, + "op": "==", + "right": "icmpv6" + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "echo-request" + } + } +] + +# icmpv6 type echo-request +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "echo-request" + } + } +] + +# ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": "ipv6-icmp" + } + }, + { + "match": { + "left": { + "meta": { "key": "l4proto" } + }, + "op": "==", + "right": "ipv6-icmp" + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": 1 + } + } +] + diff --git a/tests/py/inet/icmpX.t.json.output b/tests/py/inet/icmpX.t.json.output new file mode 100644 index 0000000..7765cd9 --- /dev/null +++ b/tests/py/inet/icmpX.t.json.output @@ -0,0 +1,84 @@ +# ip protocol icmp icmp type echo-request +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 1 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp" + } + }, + "op": "==", + "right": "echo-request" + } + } +] + +# ip6 nexthdr icmpv6 icmpv6 type echo-request +[ + { + "match": { + "left": { + "payload": { + "field": "nexthdr", + "protocol": "ip6" + } + }, + "op": "==", + "right": 58 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "echo-request" + } + } +] + +# ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 58 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmpv6" + } + }, + "op": "==", + "right": "destination-unreachable" + } + } +] + diff --git a/tests/py/inet/icmpX.t.payload b/tests/py/inet/icmpX.t.payload new file mode 100644 index 0000000..9a761ee --- /dev/null +++ b/tests/py/inet/icmpX.t.payload @@ -0,0 +1,46 @@ +# ip protocol icmp icmp type echo-request +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + +# icmp type echo-request +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + +# ip6 nexthdr icmpv6 icmpv6 type echo-request +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 1b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000080 ] + +# icmpv6 type echo-request +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000080 ] + +# ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1 +inet filter input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x0000003a ] + [ payload load 1b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00000001 ] diff --git a/tests/py/inet/ip.t b/tests/py/inet/ip.t new file mode 100644 index 0000000..bdb3330 --- /dev/null +++ b/tests/py/inet/ip.t @@ -0,0 +1,12 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*inet;test-inet;input +*bridge;test-bridge;input +*netdev;test-netdev;ingress,egress + +ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe };ok +ip saddr vmap { 10.0.1.0-10.0.1.255 : accept, 10.0.1.1-10.0.2.255 : drop };fail +ip saddr vmap { 3.3.3.3-3.3.3.4 : accept, 1.1.1.1-1.1.1.255 : accept, 1.1.1.0-1.1.2.1 : drop};fail diff --git a/tests/py/inet/ip.t.json b/tests/py/inet/ip.t.json new file mode 100644 index 0000000..638fb7d --- /dev/null +++ b/tests/py/inet/ip.t.json @@ -0,0 +1,42 @@ +# ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "saddr", + "protocol": "ether" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.1.1.1", + "2.2.2.2", + "ca:fe:ca:fe:ca:fe" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/ip.t.payload b/tests/py/inet/ip.t.payload new file mode 100644 index 0000000..589a5cd --- /dev/null +++ b/tests/py/inet/ip.t.payload @@ -0,0 +1,11 @@ +# ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe } +__set%d test-inet 3 +__set%d test-inet 0 + element 01010101 02020202 fecafeca 0000feca : 0 [end] +inet test-ip input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ payload load 6b @ link header + 6 => reg 10 ] + [ lookup reg 1 set __set%d ] diff --git a/tests/py/inet/ip.t.payload.bridge b/tests/py/inet/ip.t.payload.bridge new file mode 100644 index 0000000..57dbc9e --- /dev/null +++ b/tests/py/inet/ip.t.payload.bridge @@ -0,0 +1,11 @@ +# ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe } +__set%d test-bridge 3 +__set%d test-bridge 0 + element 01010101 02020202 fecafeca 0000feca : 0 [end] +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ payload load 6b @ link header + 6 => reg 10 ] + [ lookup reg 1 set __set%d ] diff --git a/tests/py/inet/ip.t.payload.inet b/tests/py/inet/ip.t.payload.inet new file mode 100644 index 0000000..8df41de --- /dev/null +++ b/tests/py/inet/ip.t.payload.inet @@ -0,0 +1,14 @@ +# ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe } +__set%d test-inet 3 +__set%d test-inet 0 + element 01010101 02020202 fecafeca 0000feca : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ payload load 6b @ link header + 6 => reg 10 ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/inet/ip.t.payload.netdev b/tests/py/inet/ip.t.payload.netdev new file mode 100644 index 0000000..95be919 --- /dev/null +++ b/tests/py/inet/ip.t.payload.netdev @@ -0,0 +1,14 @@ +# ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe } +__set%d test-netdev 3 +__set%d test-netdev 0 + element 01010101 02020202 fecafeca 0000feca : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ payload load 6b @ link header + 6 => reg 10 ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/inet/ip_tcp.t b/tests/py/inet/ip_tcp.t new file mode 100644 index 0000000..03bafc0 --- /dev/null +++ b/tests/py/inet/ip_tcp.t @@ -0,0 +1,21 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*inet;test-inet;input +*bridge;test-bridge;input +*netdev;test-netdev;ingress,egress + +# must not remove ip dependency -- ONLY ipv4 packets should be matched +ip protocol tcp tcp dport 22;ok;ip protocol 6 tcp dport 22 + +# could in principle remove it here since ipv4 is implied via saddr. +ip protocol tcp ip saddr 1.2.3.4 tcp dport 22;ok;ip protocol 6 ip saddr 1.2.3.4 tcp dport 22 + +# but not here. +ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22;ok;ip protocol 6 counter ip saddr 1.2.3.4 tcp dport 22 + +# or here. +ip protocol tcp counter tcp dport 22;ok;ip protocol 6 counter tcp dport 22 + +ether type ip tcp dport 22;ok diff --git a/tests/py/inet/ip_tcp.t.json b/tests/py/inet/ip_tcp.t.json new file mode 100644 index 0000000..87cb9bf --- /dev/null +++ b/tests/py/inet/ip_tcp.t.json @@ -0,0 +1,170 @@ +# ip protocol tcp tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": "tcp" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# ip protocol tcp ip saddr 1.2.3.4 tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": "tcp" + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": "tcp" + } + }, + { + "counter": null + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# ip protocol tcp counter tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": "tcp" + } + }, + { + "counter": null + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# ether type ip tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "ether" + } + }, + "op": "==", + "right": "ip" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + diff --git a/tests/py/inet/ip_tcp.t.json.output b/tests/py/inet/ip_tcp.t.json.output new file mode 100644 index 0000000..acad8b1 --- /dev/null +++ b/tests/py/inet/ip_tcp.t.json.output @@ -0,0 +1,142 @@ +# ip protocol tcp tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# ip protocol tcp ip saddr 1.2.3.4 tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + }, + { + "counter": null + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# ip protocol tcp counter tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + }, + { + "counter": null + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + diff --git a/tests/py/inet/ip_tcp.t.payload b/tests/py/inet/ip_tcp.t.payload new file mode 100644 index 0000000..1e16f85 --- /dev/null +++ b/tests/py/inet/ip_tcp.t.payload @@ -0,0 +1,52 @@ +# ip protocol tcp tcp dport 22 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ip protocol tcp ip saddr 1.2.3.4 tcp dport 22 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ip protocol tcp counter tcp dport 22 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ counter pkts 0 bytes 0 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ether type ip tcp dport 22 +inet test-inet input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] diff --git a/tests/py/inet/ip_tcp.t.payload.bridge b/tests/py/inet/ip_tcp.t.payload.bridge new file mode 100644 index 0000000..0344cd6 --- /dev/null +++ b/tests/py/inet/ip_tcp.t.payload.bridge @@ -0,0 +1,51 @@ +# ip protocol tcp tcp dport 22 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ip protocol tcp ip saddr 1.2.3.4 tcp dport 22 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ip protocol tcp counter tcp dport 22 +bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ counter pkts 0 bytes 0 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ether type ip tcp dport 22 +bridge test-bridge input + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + diff --git a/tests/py/inet/ip_tcp.t.payload.netdev b/tests/py/inet/ip_tcp.t.payload.netdev new file mode 100644 index 0000000..915a787 --- /dev/null +++ b/tests/py/inet/ip_tcp.t.payload.netdev @@ -0,0 +1,53 @@ +# ip protocol tcp tcp dport 22 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ip protocol tcp ip saddr 1.2.3.4 tcp dport 22 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ip protocol tcp counter tcp dport 22 +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ counter pkts 0 bytes 0 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# ether type ip tcp dport 22 +netdev test-netdev ingress + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 2b @ link header + 12 => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + diff --git a/tests/py/inet/ipsec.t b/tests/py/inet/ipsec.t new file mode 100644 index 0000000..b18df39 --- /dev/null +++ b/tests/py/inet/ipsec.t @@ -0,0 +1,23 @@ +:ipsec-forw;type filter hook forward priority 0 + +*ip;ipsec-ip4;ipsec-forw +*ip6;ipsec-ip6;ipsec-forw +*inet;ipsec-inet;ipsec-forw + +ipsec in reqid 1;ok +ipsec in spnum 0 reqid 1;ok;ipsec in reqid 1 + +ipsec out reqid 0xffffffff;ok;ipsec out reqid 4294967295 +ipsec out spnum 0x100000000;fail + +ipsec i reqid 1;fail + +ipsec out spi 1-561;ok + +ipsec in spnum 2 ip saddr { 1.2.3.4, 10.6.0.0/16 };ok +ipsec in ip6 daddr dead::beef;ok +ipsec out ip6 saddr dead::feed;ok + +ipsec in spnum 256 reqid 1;fail + +counter ipsec out ip daddr 192.168.1.2;ok diff --git a/tests/py/inet/ipsec.t.json b/tests/py/inet/ipsec.t.json new file mode 100644 index 0000000..18a64f3 --- /dev/null +++ b/tests/py/inet/ipsec.t.json @@ -0,0 +1,157 @@ +# ipsec in reqid 1 +[ + { + "match": { + "left": { + "ipsec": { + "dir": "in", + "key": "reqid", + "spnum": 0 + } + }, + "op": "==", + "right": 1 + } + } +] + +# ipsec in spnum 0 reqid 1 +[ + { + "match": { + "left": { + "ipsec": { + "dir": "in", + "key": "reqid", + "spnum": 0 + } + }, + "op": "==", + "right": 1 + } + } +] + +# ipsec out reqid 0xffffffff +[ + { + "match": { + "left": { + "ipsec": { + "dir": "out", + "key": "reqid", + "spnum": 0 + } + }, + "op": "==", + "right": 4294967295 + } + } +] + +# ipsec out spi 1-561 +[ + { + "match": { + "left": { + "ipsec": { + "dir": "out", + "key": "spi", + "spnum": 0 + } + }, + "op": "==", + "right": { + "range": [ + 1, + 561 + ] + } + } + } +] + +# ipsec in spnum 2 ip saddr { 1.2.3.4, 10.6.0.0/16 } +[ + { + "match": { + "left": { + "ipsec": { + "dir": "in", + "family": "ip", + "key": "saddr", + "spnum": 2 + } + }, + "op": "==", + "right": { + "set": [ + "1.2.3.4", + { + "prefix": { + "addr": "10.6.0.0", + "len": 16 + } + } + ] + } + } + } +] + +# ipsec in ip6 daddr dead::beef +[ + { + "match": { + "left": { + "ipsec": { + "dir": "in", + "family": "ip6", + "key": "daddr", + "spnum": 0 + } + }, + "op": "==", + "right": "dead::beef" + } + } +] + +# ipsec out ip6 saddr dead::feed +[ + { + "match": { + "left": { + "ipsec": { + "dir": "out", + "family": "ip6", + "key": "saddr", + "spnum": 0 + } + }, + "op": "==", + "right": "dead::feed" + } + } +] + +# counter ipsec out ip daddr 192.168.1.2 +[ + { + "counter": null + }, + { + "match": { + "left": { + "ipsec": { + "dir": "out", + "family": "ip", + "key": "daddr", + "spnum": 0 + } + }, + "op": "==", + "right": "192.168.1.2" + } + } +] diff --git a/tests/py/inet/ipsec.t.payload b/tests/py/inet/ipsec.t.payload new file mode 100644 index 0000000..9648255 --- /dev/null +++ b/tests/py/inet/ipsec.t.payload @@ -0,0 +1,45 @@ +# ipsec in reqid 1 +ip ipsec-ip4 ipsec-input + [ xfrm load in 0 reqid => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# ipsec in spnum 0 reqid 1 +ip ipsec-ip4 ipsec-input + [ xfrm load in 0 reqid => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# ipsec out reqid 0xffffffff +ip ipsec-ip4 ipsec-input + [ xfrm load out 0 reqid => reg 1 ] + [ cmp eq reg 1 0xffffffff ] + +# ipsec out spi 1-561 +inet ipsec-inet ipsec-post + [ xfrm load out 0 spi => reg 1 ] + [ cmp gte reg 1 0x01000000 ] + [ cmp lte reg 1 0x31020000 ] + +# ipsec in spnum 2 ip saddr { 1.2.3.4, 10.6.0.0/16 } +__set%d ipsec-ip4 7 size 5 +__set%d ipsec-ip4 0 + element 00000000 : 1 [end] element 04030201 : 0 [end] element 05030201 : 1 [end] element 0000060a : 0 [end] element 0000070a : 1 [end] +ip ipsec-ip4 ipsec-input + [ xfrm load in 2 saddr4 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# ipsec in ip6 daddr dead::beef +ip ipsec-ip4 ipsec-forw + [ xfrm load in 0 daddr6 => reg 1 ] + [ cmp eq reg 1 0x0000adde 0x00000000 0x00000000 0xefbe0000 ] + +# ipsec out ip6 saddr dead::feed +ip ipsec-ip4 ipsec-forw + [ xfrm load out 0 saddr6 => reg 1 ] + [ cmp eq reg 1 0x0000adde 0x00000000 0x00000000 0xedfe0000 ] + +# counter ipsec out ip daddr 192.168.1.2 +ip ipsec-ip4 ipsec-forw + [ counter pkts 0 bytes 0 ] + [ xfrm load out 0 daddr4 => reg 1 ] + [ cmp eq reg 1 0x0201a8c0 ] + diff --git a/tests/py/inet/map.t b/tests/py/inet/map.t new file mode 100644 index 0000000..5a7161b --- /dev/null +++ b/tests/py/inet/map.t @@ -0,0 +1,10 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017};ok;meta mark set ip saddr map { 10.2.3.1 : 0x00000017, 10.2.3.2 : 0x0000002a} +mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001};ok;meta mark set ip hdrlength map { 4 : 0x00000001, 5 : 0x00000017} diff --git a/tests/py/inet/map.t.json b/tests/py/inet/map.t.json new file mode 100644 index 0000000..1cb28e0 --- /dev/null +++ b/tests/py/inet/map.t.json @@ -0,0 +1,66 @@ +# mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017} +[ + { + "mangle": { + "key": { + "meta": { "key": "mark" } + }, + "value": { + "map": { + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "data": { + "set": [ + [ + "10.2.3.2", + "0x0000002a" + ], + [ + "10.2.3.1", + "0x00000017" + ] + ] + } + } + } + } + } +] + +# mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001} +[ + { + "mangle": { + "key": { + "meta": { "key": "mark" } + }, + "value": { + "map": { + "key": { + "payload": { + "field": "hdrlength", + "protocol": "ip" + } + }, + "data": { + "set": [ + [ + 5, + "0x00000017" + ], + [ + 4, + "0x00000001" + ] + ] + } + } + } + } + } +] + diff --git a/tests/py/inet/map.t.json.output b/tests/py/inet/map.t.json.output new file mode 100644 index 0000000..b0bb7dd --- /dev/null +++ b/tests/py/inet/map.t.json.output @@ -0,0 +1,66 @@ +# mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017} +[ + { + "mangle": { + "key": { + "meta": { "key": "mark" } + }, + "value": { + "map": { + "key": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "data": { + "set": [ + [ + "10.2.3.1", + 23 + ], + [ + "10.2.3.2", + 42 + ] + ] + } + } + } + } + } +] + +# mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001} +[ + { + "mangle": { + "key": { + "meta": { "key": "mark" } + }, + "value": { + "map": { + "key": { + "payload": { + "field": "hdrlength", + "protocol": "ip" + } + }, + "data": { + "set": [ + [ + 4, + 1 + ], + [ + 5, + 23 + ] + ] + } + } + } + } + } +] + diff --git a/tests/py/inet/map.t.payload b/tests/py/inet/map.t.payload new file mode 100644 index 0000000..50344ad --- /dev/null +++ b/tests/py/inet/map.t.payload @@ -0,0 +1,23 @@ +# mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017} +__map%d test-inet b +__map%d test-inet 0 + element 0203020a : 0000002a 0 [end] element 0103020a : 00000017 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + +# mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001} +__map%d test-inet b +__map%d test-inet 0 + element 00000005 : 00000017 0 [end] element 00000004 : 00000001 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + diff --git a/tests/py/inet/map.t.payload.ip b/tests/py/inet/map.t.payload.ip new file mode 100644 index 0000000..3e45667 --- /dev/null +++ b/tests/py/inet/map.t.payload.ip @@ -0,0 +1,19 @@ +# mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017} +__map%d test-ip4 b +__map%d test-ip4 0 + element 0203020a : 0000002a 0 [end] element 0103020a : 00000017 0 [end] +ip test-ip4 input + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + +# mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001} +__map%d test-ip4 b +__map%d test-ip4 0 + element 00000005 : 00000017 0 [end] element 00000004 : 00000001 0 [end] +ip test-ip4 input + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + diff --git a/tests/py/inet/map.t.payload.netdev b/tests/py/inet/map.t.payload.netdev new file mode 100644 index 0000000..2e60f09 --- /dev/null +++ b/tests/py/inet/map.t.payload.netdev @@ -0,0 +1,23 @@ +# mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017} +__map%d test-netdev b +__map%d test-netdev 0 + element 0203020a : 0000002a 0 [end] element 0103020a : 00000017 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + +# mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001} +__map%d test-netdev b +__map%d test-netdev 0 + element 00000005 : 00000017 0 [end] element 00000004 : 00000001 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 1b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000000f ) ^ 0x00000000 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] + diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t new file mode 100644 index 0000000..5c062b3 --- /dev/null +++ b/tests/py/inet/meta.t @@ -0,0 +1,32 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 + +*inet;test-inet;input + +meta nfproto ipv4;ok +meta nfproto ipv6;ok +meta nfproto {ipv4, ipv6};ok +meta nfproto != {ipv4, ipv6};ok +meta nfproto ipv6 tcp dport 22;ok +meta nfproto ipv4 tcp dport 22;ok +meta nfproto ipv4 ip saddr 1.2.3.4;ok;ip saddr 1.2.3.4 +meta nfproto ipv6 meta l4proto tcp;ok;meta nfproto ipv6 meta l4proto 6 +meta nfproto ipv4 counter ip saddr 1.2.3.4;ok + +meta protocol ip udp dport 67;ok +meta protocol ip6 udp dport 67;ok + +meta ipsec exists;ok +meta secpath missing;ok;meta ipsec missing +meta ibrname "br0";fail +meta obrname "br0";fail +meta mark set ct mark >> 8;ok + +meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok +ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 };ok +ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 };ok + +meta mark set ip dscp;ok +meta mark set ip dscp | 0x40;ok +meta mark set ip6 dscp;ok +meta mark set ip6 dscp | 0x40;ok diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json new file mode 100644 index 0000000..3ba0fd1 --- /dev/null +++ b/tests/py/inet/meta.t.json @@ -0,0 +1,528 @@ +# meta nfproto ipv4 +[ + { + "match": { + "left": { + "meta": { "key": "nfproto" } + }, + "op": "==", + "right": "ipv4" + } + } +] + +# meta nfproto ipv6 +[ + { + "match": { + "left": { + "meta": { "key": "nfproto" } + }, + "op": "==", + "right": "ipv6" + } + } +] + +# meta nfproto {ipv4, ipv6} +[ + { + "match": { + "left": { + "meta": { "key": "nfproto" } + }, + "op": "==", + "right": { + "set": [ + "ipv4", + "ipv6" + ] + } + } + } +] + +# meta nfproto != {ipv4, ipv6} +[ + { + "match": { + "left": { + "meta": { "key": "nfproto" } + }, + "op": "!=", + "right": { + "set": [ + "ipv4", + "ipv6" + ] + } + } + } +] + +# meta nfproto ipv6 tcp dport 22 +[ + { + "match": { + "left": { + "meta": { "key": "nfproto" } + }, + "op": "==", + "right": "ipv6" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# meta nfproto ipv4 tcp dport 22 +[ + { + "match": { + "left": { + "meta": { "key": "nfproto" } + }, + "op": "==", + "right": "ipv4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# meta nfproto ipv4 ip saddr 1.2.3.4 +[ + { + "match": { + "left": { + "meta": { "key": "nfproto" } + }, + "op": "==", + "right": "ipv4" + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + } +] + +# meta nfproto ipv6 meta l4proto tcp +[ + { + "match": { + "left": { + "meta": { "key": "nfproto" } + }, + "op": "==", + "right": "ipv6" + } + }, + { + "match": { + "left": { + "meta": { "key": "l4proto" } + }, + "op": "==", + "right": "tcp" + } + } +] + +# meta nfproto ipv4 counter ip saddr 1.2.3.4 +[ + { + "match": { + "left": { + "meta": { "key": "nfproto" } + }, + "op": "==", + "right": "ipv4" + } + }, + { + "counter": null + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + } +] + +# meta ipsec exists +[ + { + "match": { + "left": { + "meta": { + "key": "ipsec" + } + }, + "op": "==", + "right": true + } + } +] + +# meta secpath missing +[ + { + "match": { + "left": { + "meta": { "key": "secpath" } + }, + "op": "==", + "right": false + } + } +] + +# meta mark set ct mark >> 8 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + ">>": [ + { + "ct": { + "key": "mark" + } + }, + 8 + ] + } + } + } +] + +# meta protocol ip udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta protocol ip6 udp dport 67 +[ + { + "match": { + "left": { + "meta": { + "key": "protocol" + } + }, + "op": "==", + "right": "ip6" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 67 + } + } +] + +# meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 } +[ + { + "match": { + "left": { + "concat": [ + { + "meta": { + "key": "mark" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + { + "range": [ + 10, + 20 + ] + }, + { + "range": [ + 80, + 90 + ] + } + ] + }, + { + "concat": [ + { + "range": [ + 1048576, + 1048867 + ] + }, + { + "range": [ + 100, + 120 + ] + } + ] + } + ] + } + } + } +] + +# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "meta": { + "key": "mark" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + 256 + ] + }, + { + "concat": [ + { + "range": [ + "1.2.3.6", + "1.2.3.8" + ] + }, + { + "range": [ + 512, + 768 + ] + } + ] + } + ] + } + } + } +] + +# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "meta": { + "key": "mark" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + 256 + ] + }, + { + "concat": [ + "5.6.7.8", + 512 + ] + } + ] + } + } + } +] + +# meta mark set ip dscp +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + } + } + } +] + +# meta mark set ip dscp | 0x40 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 64 + ] + } + } + } +] + +# meta mark set ip6 dscp +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + } + } + } +] + +# meta mark set ip6 dscp | 0x40 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 64 + ] + } + } + } +] + diff --git a/tests/py/inet/meta.t.json.got b/tests/py/inet/meta.t.json.got new file mode 100644 index 0000000..f2fad0b --- /dev/null +++ b/tests/py/inet/meta.t.json.got @@ -0,0 +1,86 @@ +# meta mark set ip dscp +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "payload": { + "field": "dscp", + "protocol": "ip" + } + } + } + } +] + +# meta mark set ip dscp | 0x40 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip" + } + }, + 64 + ] + } + } + } +] + +# meta mark set ip6 dscp +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + } + } + } +] + +# meta mark set ip6 dscp | 0x40 +[ + { + "mangle": { + "key": { + "meta": { + "key": "mark" + } + }, + "value": { + "|": [ + { + "payload": { + "field": "dscp", + "protocol": "ip6" + } + }, + 64 + ] + } + } + } +] + diff --git a/tests/py/inet/meta.t.json.output b/tests/py/inet/meta.t.json.output new file mode 100644 index 0000000..3e7dd21 --- /dev/null +++ b/tests/py/inet/meta.t.json.output @@ -0,0 +1,53 @@ +# meta nfproto ipv4 ip saddr 1.2.3.4 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "1.2.3.4" + } + } +] + +# meta nfproto ipv6 meta l4proto tcp +[ + { + "match": { + "left": { + "meta": { "key": "nfproto" } + }, + "op": "==", + "right": "ipv6" + } + }, + { + "match": { + "left": { + "meta": { "key": "l4proto" } + }, + "op": "==", + "right": 6 + } + } +] + +# meta secpath missing +[ + { + "match": { + "left": { + "meta": { + "key": "ipsec" + } + }, + "op": "==", + "right": false + } + } +] + diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload new file mode 100644 index 0000000..c53b507 --- /dev/null +++ b/tests/py/inet/meta.t.payload @@ -0,0 +1,175 @@ +# meta nfproto ipv4 +ip test-ip4 input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + +# meta nfproto ipv6 +ip test-ip4 input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + +# meta nfproto {ipv4, ipv6} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000002 : 0 [end] element 0000000a : 0 [end] +ip test-ip4 input + [ meta load nfproto => reg 1 ] + [ lookup reg 1 set __set%d ] + +# meta nfproto != {ipv4, ipv6} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00000002 : 0 [end] element 0000000a : 0 [end] +ip test-ip4 input + [ meta load nfproto => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# meta nfproto ipv6 tcp dport 22 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# meta nfproto ipv4 tcp dport 22 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# meta nfproto ipv4 ip saddr 1.2.3.4 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + +# meta nfproto ipv6 meta l4proto tcp +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + +# meta nfproto ipv4 counter ip saddr 1.2.3.4 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ counter pkts 0 bytes 0 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x04030201 ] + +# meta ipsec exists +inet test-inet input + [ meta load secpath => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# meta secpath missing +inet test-inet input + [ meta load secpath => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + +# meta mark set ct mark >> 8 +inet test-inet input + [ ct load mark => reg 1 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000008 ) ] + [ meta set mark with reg 1 ] + +# meta protocol ip udp dport 67 +inet test-inet input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta protocol ip6 udp dport 67 +inet test-inet input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00004300 ] + +# meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 } +__set%d test-inet 87 size 1 +__set%d test-inet 0 + element 0a000000 00005000 - 14000000 00005a00 : 0 [end] element 00001000 00006400 - 23011000 00007800 : 0 [end] +ip test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ meta load mark => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 4, 4) ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 } +__set%d test-inet 87 size 2 +__set%d test-inet 0 + element 04030201 00010000 - 04030201 00010000 : 0 [end] element 06030201 00020000 - 08030201 00030000 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ meta load mark => reg 9 ] + [ byteorder reg 9 = hton(reg 9, 4, 4) ] + [ lookup reg 1 set __set%d ] + +# ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 } +__set%d test-inet 3 size 2 +__set%d test-inet 0 + element 04030201 00000100 : 0 [end] element 08070605 00000200 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ meta load mark => reg 9 ] + [ lookup reg 1 set __set%d ] + +# meta mark set ip dscp +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ meta set mark with reg 1 ] + +# meta mark set ip dscp | 0x40 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp | 0x40 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ] + [ meta set mark with reg 1 ] + diff --git a/tests/py/inet/meta.t.payload.got b/tests/py/inet/meta.t.payload.got new file mode 100644 index 0000000..be3f566 --- /dev/null +++ b/tests/py/inet/meta.t.payload.got @@ -0,0 +1,40 @@ +# meta mark set ip dscp +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ meta set mark with reg 1 ] + +# meta mark set ip dscp | 0x40 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 1b @ network header + 1 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ meta set mark with reg 1 ] + +# meta mark set ip6 dscp | 0x40 +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 2b @ network header + 0 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] + [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] + [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] + [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ] + [ meta set mark with reg 1 ] + diff --git a/tests/py/inet/osf.t b/tests/py/inet/osf.t new file mode 100644 index 0000000..c828541 --- /dev/null +++ b/tests/py/inet/osf.t @@ -0,0 +1,18 @@ +:osfchain;type filter hook input priority 0 + +*ip;osfip;osfchain +*ip6;osfip6;osfchain +*inet;osfinet;osfchain + +osf name "Linux";ok +osf ttl loose name "Linux";ok +osf ttl skip name "Linux";ok +osf ttl skip version "Linux:3.0";ok +osf ttl skip version "morethan:sixteenbytes";fail +osf ttl nottl name "Linux";fail +osf name "morethansixteenbytes";fail +osf name ;fail +osf name { "Windows", "MacOs" };ok +osf version { "Windows:XP", "MacOs:Sierra" };ok +ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 };ok +ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 };ok diff --git a/tests/py/inet/osf.t.json b/tests/py/inet/osf.t.json new file mode 100644 index 0000000..cedb7f6 --- /dev/null +++ b/tests/py/inet/osf.t.json @@ -0,0 +1,170 @@ +# osf name "Linux" +[ + { + "match": { + "left": { + "osf": { + "key": "name" + } + }, + "op": "==", + "right": "Linux" + } + } +] + +# osf ttl loose name "Linux" +[ + { + "match": { + "left": { + "osf": { + "key": "name", + "ttl": "loose" + } + }, + "op": "==", + "right": "Linux" + } + } +] + +# osf ttl skip name "Linux" +[ + { + "match": { + "left": { + "osf": { + "key": "name", + "ttl": "skip" + } + }, + "op": "==", + "right": "Linux" + } + } +] + +# osf ttl skip version "Linux:3.0" +[ + { + "match": { + "left": { + "osf": { + "key": "version", + "ttl": "skip" + } + }, + "op": "==", + "right": "Linux:3.0" + } + } +] + +# osf name { "Windows", "MacOs" } +[ + { + "match": { + "left": { + "osf": { + "key": "name" + } + }, + "op": "==", + "right": { + "set": [ + "MacOs", + "Windows" + ] + } + } + } +] + +# osf version { "Windows:XP", "MacOs:Sierra" } +[ + { + "match": { + "left": { + "osf": { + "key": "version" + } + }, + "op": "==", + "right": { + "set": [ + "Windows:XP", + "MacOs:Sierra" + ] + } + } + } +] + +# ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 } +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "map": { + "data": { + "set": [ + [ + "MacOs", + 2 + ], + [ + "Windows", + 1 + ] + ] + }, + "key": { + "osf": { + "key": "name" + } + } + } + } + } + } +] + +# ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 } +[ + { + "mangle": { + "key": { + "ct": { + "key": "mark" + } + }, + "value": { + "map": { + "data": { + "set": [ + [ + "Windows:XP", + 3 + ], + [ + "MacOs:Sierra", + 4 + ] + ] + }, + "key": { + "osf": { + "key": "version" + } + } + } + } + } + } +] diff --git a/tests/py/inet/osf.t.payload b/tests/py/inet/osf.t.payload new file mode 100644 index 0000000..6ddab97 --- /dev/null +++ b/tests/py/inet/osf.t.payload @@ -0,0 +1,53 @@ +# osf name "Linux" +inet osfinet osfchain + [ osf dreg 1 ] + [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] + +# osf ttl loose name "Linux" +inet osfinet osfchain + [ osf dreg 1 ] + [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] + +# osf ttl skip name "Linux" +inet osfinet osfchain + [ osf dreg 1 ] + [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ] + +# osf ttl skip version "Linux:3.0" +inet osfinet osfchain + [ osf dreg 1 ] + [ cmp eq reg 1 0x756e694c 0x2e333a78 0x00000030 0x00000000 ] + +# osf name { "Windows", "MacOs" } +__set%d osfinet 3 size 2 +__set%d osfinet 0 + element 646e6957 0073776f 00000000 00000000 : 0 [end] element 4f63614d 00000073 00000000 00000000 : 0 [end] +inet osfinet osfchain + [ osf dreg 1 ] + [ lookup reg 1 set __set%d ] + +# osf version { "Windows:XP", "MacOs:Sierra" } +__set%d osfinet 3 size 2 +__set%d osfinet 0 + element 646e6957 3a73776f 00005058 00000000 : 0 [end] element 4f63614d 69533a73 61727265 00000000 : 0 [end] +inet osfinet osfchain + [ osf dreg 1 ] + [ lookup reg 1 set __set%d ] + +# ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 } +__map%d osfinet b size 2 +__map%d osfinet 0 + element 646e6957 0073776f 00000000 00000000 : 00000001 0 [end] element 4f63614d 00000073 00000000 00000000 : 00000002 0 [end] +inet osfinet osfchain + [ osf dreg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ ct set mark with reg 1 ] + +# ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 } +__map%d osfinet b size 2 +__map%d osfinet 0 + element 646e6957 3a73776f 00005058 00000000 : 00000003 0 [end] element 4f63614d 69533a73 61727265 00000000 : 00000004 0 [end] +inet osfinet osfchain + [ osf dreg 1 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ ct set mark with reg 1 ] diff --git a/tests/py/inet/reject.t b/tests/py/inet/reject.t new file mode 100644 index 0000000..61a6d55 --- /dev/null +++ b/tests/py/inet/reject.t @@ -0,0 +1,41 @@ +:input;type filter hook input priority 0 + +*inet;test-inet;input + +reject with icmp host-unreachable;ok +reject with icmp net-unreachable;ok +reject with icmp prot-unreachable;ok +reject with icmp port-unreachable;ok +reject with icmp net-prohibited;ok +reject with icmp host-prohibited;ok +reject with icmp admin-prohibited;ok + +reject with icmpv6 no-route;ok +reject with icmpv6 admin-prohibited;ok +reject with icmpv6 addr-unreachable;ok +reject with icmpv6 port-unreachable;ok + +mark 12345 reject with tcp reset;ok;meta l4proto 6 meta mark 0x00003039 reject with tcp reset + +reject;ok +meta nfproto ipv4 reject;ok;reject with icmp port-unreachable +meta nfproto ipv6 reject;ok;reject with icmpv6 port-unreachable + +reject with icmpx host-unreachable;ok +reject with icmpx no-route;ok +reject with icmpx admin-prohibited;ok +reject with icmpx port-unreachable;ok;reject +reject with icmpx 3;ok;reject with icmpx admin-prohibited + +meta nfproto ipv4 reject with icmp host-unreachable;ok;reject with icmp host-unreachable +meta nfproto ipv6 reject with icmpv6 no-route;ok;reject with icmpv6 no-route + +meta nfproto ipv6 reject with icmp host-unreachable;fail +meta nfproto ipv4 ip protocol icmp reject with icmpv6 no-route;fail +meta nfproto ipv6 ip protocol icmp reject with icmp host-unreachable;fail +meta l4proto udp reject with tcp reset;fail + +meta nfproto ipv4 reject with icmpx admin-prohibited;ok +meta nfproto ipv6 reject with icmpx admin-prohibited;ok + +ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject;ok;ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject with icmp port-unreachable diff --git a/tests/py/inet/reject.t.json b/tests/py/inet/reject.t.json new file mode 100644 index 0000000..02ac900 --- /dev/null +++ b/tests/py/inet/reject.t.json @@ -0,0 +1,331 @@ +# reject with icmp host-unreachable +[ + { + "reject": { + "expr": "host-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp net-unreachable +[ + { + "reject": { + "expr": "net-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp prot-unreachable +[ + { + "reject": { + "expr": "prot-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp port-unreachable +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + +# reject with icmp net-prohibited +[ + { + "reject": { + "expr": "net-prohibited", + "type": "icmp" + } + } +] + +# reject with icmp host-prohibited +[ + { + "reject": { + "expr": "host-prohibited", + "type": "icmp" + } + } +] + +# reject with icmp admin-prohibited +[ + { + "reject": { + "expr": "admin-prohibited", + "type": "icmp" + } + } +] + +# reject with icmpv6 no-route +[ + { + "reject": { + "expr": "no-route", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 admin-prohibited +[ + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 addr-unreachable +[ + { + "reject": { + "expr": "addr-unreachable", + "type": "icmpv6" + } + } +] + +# reject with icmpv6 port-unreachable +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmpv6" + } + } +] + +# mark 12345 reject with tcp reset +[ + { + "match": { + "left": { + "meta": { "key": "mark" } + }, + "op": "==", + "right": 12345 + } + }, + { + "reject": { + "type": "tcp reset" + } + } +] + +# reject +[ + { + "reject": null + } +] + +# meta nfproto ipv4 reject +[ + { + "match": { + "left": { + "meta": { "key": "nfproto" } + }, + "op": "==", + "right": "ipv4" + } + }, + { + "reject": null + } +] + +# meta nfproto ipv6 reject +[ + { + "match": { + "left": { + "meta": { "key": "nfproto" } + }, + "op": "==", + "right": "ipv6" + } + }, + { + "reject": null + } +] + +# reject with icmpx host-unreachable +[ + { + "reject": { + "expr": "host-unreachable", + "type": "icmpx" + } + } +] + +# reject with icmpx no-route +[ + { + "reject": { + "expr": "no-route", + "type": "icmpx" + } + } +] + +# reject with icmpx admin-prohibited +[ + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpx" + } + } +] + +# reject with icmpx port-unreachable +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmpx" + } + } +] + +# reject with icmpx 3 +[ + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpx" + } + } +] + +# meta nfproto ipv4 reject with icmp host-unreachable +[ + { + "match": { + "left": { + "meta": { "key": "nfproto" } + }, + "op": "==", + "right": "ipv4" + } + }, + { + "reject": { + "expr": "host-unreachable", + "type": "icmp" + } + } +] + +# meta nfproto ipv6 reject with icmpv6 no-route +[ + { + "match": { + "left": { + "meta": { "key": "nfproto" } + }, + "op": "==", + "right": "ipv6" + } + }, + { + "reject": { + "expr": "no-route", + "type": "icmpv6" + } + } +] + +# meta nfproto ipv4 reject with icmpx admin-prohibited +[ + { + "match": { + "left": { + "meta": { + "key": "nfproto" + } + }, + "op": "==", + "right": "ipv4" + } + }, + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpx" + } + } +] + +# meta nfproto ipv6 reject with icmpx admin-prohibited +[ + { + "match": { + "left": { + "meta": { + "key": "nfproto" + } + }, + "op": "==", + "right": "ipv6" + } + }, + { + "reject": { + "expr": "admin-prohibited", + "type": "icmpx" + } + } +] + +# ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether" + } + }, + "op": "==", + "right": "aa:bb:cc:dd:ee:ff" + } + }, + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "192.168.0.1" + } + }, + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + diff --git a/tests/py/inet/reject.t.json.output b/tests/py/inet/reject.t.json.output new file mode 100644 index 0000000..496ce55 --- /dev/null +++ b/tests/py/inet/reject.t.json.output @@ -0,0 +1,77 @@ +# mark 12345 reject with tcp reset +[ + { + "match": { + "left": { + "meta": { "key": "l4proto" } + }, + "op": "==", + "right": 6 + } + }, + { + "match": { + "left": { + "meta": { "key": "mark" } + }, + "op": "==", + "right": 12345 + } + }, + { + "reject": { + "type": "tcp reset" + } + } +] + +# reject +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmpx" + } + } +] + +# meta nfproto ipv4 reject +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmp" + } + } +] + +# meta nfproto ipv6 reject +[ + { + "reject": { + "expr": "port-unreachable", + "type": "icmpv6" + } + } +] + +# meta nfproto ipv4 reject with icmp host-unreachable +[ + { + "reject": { + "expr": "host-unreachable", + "type": "icmp" + } + } +] + +# meta nfproto ipv6 reject with icmpv6 no-route +[ + { + "reject": { + "expr": "no-route", + "type": "icmpv6" + } + } +] + diff --git a/tests/py/inet/reject.t.payload.inet b/tests/py/inet/reject.t.payload.inet new file mode 100644 index 0000000..828cb83 --- /dev/null +++ b/tests/py/inet/reject.t.payload.inet @@ -0,0 +1,144 @@ +# reject with icmp host-unreachable +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ reject type 0 code 1 ] + +# reject with icmp net-unreachable +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ reject type 0 code 0 ] + +# reject with icmp prot-unreachable +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ reject type 0 code 2 ] + +# reject with icmp port-unreachable +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ reject type 0 code 3 ] + +# reject with icmp net-prohibited +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ reject type 0 code 9 ] + +# reject with icmp host-prohibited +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ reject type 0 code 10 ] + +# reject with icmp admin-prohibited +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ reject type 0 code 13 ] + +# reject with icmpv6 no-route +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ reject type 0 code 0 ] + +# reject with icmpv6 admin-prohibited +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ reject type 0 code 1 ] + +# reject with icmpv6 addr-unreachable +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ reject type 0 code 3 ] + +# reject with icmpv6 port-unreachable +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ reject type 0 code 4 ] + +# mark 12345 reject with tcp reset +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ meta load mark => reg 1 ] + [ cmp eq reg 1 0x00003039 ] + [ reject type 1 code 0 ] + +# reject +inet test-inet input + [ reject type 2 code 1 ] + +# meta nfproto ipv4 reject +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ reject type 0 code 3 ] + +# meta nfproto ipv6 reject +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ reject type 0 code 4 ] + +# reject with icmpx host-unreachable +inet test-inet input + [ reject type 2 code 2 ] + +# reject with icmpx no-route +inet test-inet input + [ reject type 2 code 0 ] + +# reject with icmpx admin-prohibited +inet test-inet input + [ reject type 2 code 3 ] + +# reject with icmpx port-unreachable +inet test-inet input + [ reject type 2 code 1 ] + +# reject with icmpx 3 +inet test-inet input + [ reject type 2 code 3 ] + +# meta nfproto ipv4 reject with icmp host-unreachable +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ reject type 0 code 1 ] + +# meta nfproto ipv6 reject with icmpv6 no-route +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ reject type 0 code 0 ] + +# meta nfproto ipv4 reject with icmpx admin-prohibited +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ reject type 2 code 3 ] + +# meta nfproto ipv6 reject with icmpx admin-prohibited +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ reject type 2 code 3 ] + +# ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject +inet test-inet input + [ meta load iiftype => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ payload load 8b @ link header + 6 => reg 1 ] + [ cmp eq reg 1 0xddccbbaa 0x0008ffee ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + [ reject type 0 code 3 ] + diff --git a/tests/py/inet/rt.t b/tests/py/inet/rt.t new file mode 100644 index 0000000..a0e0d00 --- /dev/null +++ b/tests/py/inet/rt.t @@ -0,0 +1,15 @@ +:output;type filter hook output priority 0 + +*inet;test-inet;output + +meta nfproto ipv4 rt nexthop 192.168.0.1;ok;meta nfproto ipv4 rt ip nexthop 192.168.0.1 +rt ip6 nexthop fd00::1;ok + +# missing context +rt nexthop 192.168.0.1;fail +rt nexthop fd00::1;fail + +# wrong context +rt ip nexthop fd00::1;fail + +tcp option maxseg size set rt mtu;ok diff --git a/tests/py/inet/rt.t.json b/tests/py/inet/rt.t.json new file mode 100644 index 0000000..6dbea41 --- /dev/null +++ b/tests/py/inet/rt.t.json @@ -0,0 +1,59 @@ +# meta nfproto ipv4 rt nexthop 192.168.0.1 +[ + { + "match": { + "left": { + "meta": { "key": "nfproto" } + }, + "op": "==", + "right": "ipv4" + } + }, + { + "match": { + "left": { + "rt": { + "key": "nexthop" + } + }, + "op": "==", + "right": "192.168.0.1" + } + } +] + +# rt ip6 nexthop fd00::1 +[ + { + "match": { + "left": { + "rt": { + "family": "ip6", + "key": "nexthop" + } + }, + "op": "==", + "right": "fd00::1" + } + } +] + +# tcp option maxseg size set rt mtu +[ + { + "mangle": { + "key": { + "tcp option": { + "field": "size", + "name": "maxseg" + } + }, + "value": { + "rt": { + "key": "mtu" + } + } + } + } +] + diff --git a/tests/py/inet/rt.t.json.output b/tests/py/inet/rt.t.json.output new file mode 100644 index 0000000..382ef87 --- /dev/null +++ b/tests/py/inet/rt.t.json.output @@ -0,0 +1,25 @@ +# meta nfproto ipv4 rt nexthop 192.168.0.1 +[ + { + "match": { + "left": { + "meta": { "key": "nfproto" } + }, + "op": "==", + "right": "ipv4" + } + }, + { + "match": { + "left": { + "rt": { + "family": "ip", + "key": "nexthop" + } + }, + "op": "==", + "right": "192.168.0.1" + } + } +] + diff --git a/tests/py/inet/rt.t.payload b/tests/py/inet/rt.t.payload new file mode 100644 index 0000000..84dea12 --- /dev/null +++ b/tests/py/inet/rt.t.payload @@ -0,0 +1,18 @@ +# meta nfproto ipv4 rt nexthop 192.168.0.1 +inet test-inet output + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ rt load nexthop4 => reg 1 ] + [ cmp eq reg 1 0x0100a8c0 ] + +# rt ip6 nexthop fd00::1 +inet test-inet output + [ rt load nexthop6 => reg 1 ] + [ cmp eq reg 1 0x000000fd 0x00000000 0x00000000 0x01000000 ] + +# tcp option maxseg size set rt mtu +inet test-inet output + [ rt load tcpmss => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 2, 2) ] + [ exthdr write tcpopt reg 1 => 2b @ 2 + 2 ] + diff --git a/tests/py/inet/sctp.t b/tests/py/inet/sctp.t new file mode 100644 index 0000000..016173b --- /dev/null +++ b/tests/py/inet/sctp.t @@ -0,0 +1,73 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +sctp sport 23;ok +sctp sport != 23;ok +sctp sport 23-44;ok +sctp sport != 23-44;ok +sctp sport { 23, 24, 25};ok +sctp sport != { 23, 24, 25};ok + +sctp dport 23;ok +sctp dport != 23;ok +sctp dport 23-44;ok +sctp dport != 23-44;ok +sctp dport { 23, 24, 25};ok +sctp dport != { 23, 24, 25};ok + +sctp checksum 1111;ok +sctp checksum != 11;ok +sctp checksum 21-333;ok +sctp checksum != 32-111;ok +sctp checksum { 22, 33, 44};ok +sctp checksum != { 22, 33, 44};ok + +sctp vtag 22;ok +sctp vtag != 233;ok +sctp vtag 33-45;ok +sctp vtag != 33-45;ok +sctp vtag {33, 55, 67, 88};ok +sctp vtag != {33, 55, 67, 88};ok + +# assert all chunk types are recognized +sctp chunk data exists;ok +sctp chunk init exists;ok +sctp chunk init-ack exists;ok +sctp chunk sack exists;ok +sctp chunk heartbeat exists;ok +sctp chunk heartbeat-ack exists;ok +sctp chunk abort exists;ok +sctp chunk shutdown exists;ok +sctp chunk shutdown-ack exists;ok +sctp chunk error exists;ok +sctp chunk cookie-echo exists;ok +sctp chunk cookie-ack exists;ok +sctp chunk ecne exists;ok +sctp chunk cwr exists;ok +sctp chunk shutdown-complete exists;ok +sctp chunk asconf-ack exists;ok +sctp chunk forward-tsn exists;ok +sctp chunk asconf exists;ok + +# test common header fields in random chunk types +sctp chunk data type 0;ok +sctp chunk init flags 23;ok +sctp chunk init-ack length 42;ok + +# test one custom field in every applicable chunk type +sctp chunk data stream 1337;ok +sctp chunk init initial-tsn 5;ok +sctp chunk init-ack num-outbound-streams 3;ok +sctp chunk sack a-rwnd 1;ok +sctp chunk shutdown cum-tsn-ack 65535;ok +sctp chunk ecne lowest-tsn 5;ok +sctp chunk cwr lowest-tsn 8;ok +sctp chunk asconf-ack seqno 12345;ok +sctp chunk forward-tsn new-cum-tsn 31337;ok +sctp chunk asconf seqno 12345;ok diff --git a/tests/py/inet/sctp.t.json b/tests/py/inet/sctp.t.json new file mode 100644 index 0000000..75a9b01 --- /dev/null +++ b/tests/py/inet/sctp.t.json @@ -0,0 +1,928 @@ +# sctp sport 23 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "sctp" + } + }, + "op": "==", + "right": 23 + } + } +] + +# sctp sport != 23 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "sctp" + } + }, + "op": "!=", + "right": 23 + } + } +] + +# sctp sport 23-44 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "sctp" + } + }, + "op": "==", + "right": { + "range": [ 23, 44 ] + } + } + } +] + +# sctp sport != 23-44 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "sctp" + } + }, + "op": "!=", + "right": { + "range": [ 23, 44 ] + } + } + } +] + +# sctp sport { 23, 24, 25} +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "sctp" + } + }, + "op": "==", + "right": { + "set": [ + 23, + 24, + 25 + ] + } + } + } +] + +# sctp sport != { 23, 24, 25} +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "sctp" + } + }, + "op": "!=", + "right": { + "set": [ + 23, + 24, + 25 + ] + } + } + } +] + +# sctp dport 23 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "sctp" + } + }, + "op": "==", + "right": 23 + } + } +] + +# sctp dport != 23 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "sctp" + } + }, + "op": "!=", + "right": 23 + } + } +] + +# sctp dport 23-44 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "sctp" + } + }, + "op": "==", + "right": { + "range": [ 23, 44 ] + } + } + } +] + +# sctp dport != 23-44 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "sctp" + } + }, + "op": "!=", + "right": { + "range": [ 23, 44 ] + } + } + } +] + +# sctp dport { 23, 24, 25} +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "sctp" + } + }, + "op": "==", + "right": { + "set": [ + 23, + 24, + 25 + ] + } + } + } +] + +# sctp dport != { 23, 24, 25} +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "sctp" + } + }, + "op": "!=", + "right": { + "set": [ + 23, + 24, + 25 + ] + } + } + } +] + +# sctp checksum 1111 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "sctp" + } + }, + "op": "==", + "right": 1111 + } + } +] + +# sctp checksum != 11 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "sctp" + } + }, + "op": "!=", + "right": 11 + } + } +] + +# sctp checksum 21-333 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "sctp" + } + }, + "op": "==", + "right": { + "range": [ 21, 333 ] + } + } + } +] + +# sctp checksum != 32-111 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "sctp" + } + }, + "op": "!=", + "right": { + "range": [ 32, 111 ] + } + } + } +] + +# sctp checksum { 22, 33, 44} +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "sctp" + } + }, + "op": "==", + "right": { + "set": [ + 22, + 33, + 44 + ] + } + } + } +] + +# sctp checksum != { 22, 33, 44} +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "sctp" + } + }, + "op": "!=", + "right": { + "set": [ + 22, + 33, + 44 + ] + } + } + } +] + +# sctp vtag 22 +[ + { + "match": { + "left": { + "payload": { + "field": "vtag", + "protocol": "sctp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# sctp vtag != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "vtag", + "protocol": "sctp" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# sctp vtag 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "vtag", + "protocol": "sctp" + } + }, + "op": "==", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# sctp vtag != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "vtag", + "protocol": "sctp" + } + }, + "op": "!=", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# sctp vtag {33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "vtag", + "protocol": "sctp" + } + }, + "op": "==", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# sctp vtag != {33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "vtag", + "protocol": "sctp" + } + }, + "op": "!=", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# sctp chunk data exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "data" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk init exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "init" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk init-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "init-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk sack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "sack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk heartbeat exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "heartbeat" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk heartbeat-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "heartbeat-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk abort exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "abort" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk shutdown exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "shutdown" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk shutdown-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "shutdown-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk error exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "error" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk cookie-echo exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "cookie-echo" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk cookie-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "cookie-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk ecne exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "ecne" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk cwr exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "cwr" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk shutdown-complete exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "shutdown-complete" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk asconf-ack exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "asconf-ack" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk forward-tsn exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "forward-tsn" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk asconf exists +[ + { + "match": { + "left": { + "sctp chunk": { + "name": "asconf" + } + }, + "op": "==", + "right": true + } + } +] + +# sctp chunk data type 0 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "type", + "name": "data" + } + }, + "op": "==", + "right": 0 + } + } +] + +# sctp chunk init flags 23 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "flags", + "name": "init" + } + }, + "op": "==", + "right": 23 + } + } +] + +# sctp chunk init-ack length 42 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "length", + "name": "init-ack" + } + }, + "op": "==", + "right": 42 + } + } +] + +# sctp chunk data stream 1337 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "stream", + "name": "data" + } + }, + "op": "==", + "right": 1337 + } + } +] + +# sctp chunk init initial-tsn 5 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "initial-tsn", + "name": "init" + } + }, + "op": "==", + "right": 5 + } + } +] + +# sctp chunk init-ack num-outbound-streams 3 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "num-outbound-streams", + "name": "init-ack" + } + }, + "op": "==", + "right": 3 + } + } +] + +# sctp chunk sack a-rwnd 1 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "a-rwnd", + "name": "sack" + } + }, + "op": "==", + "right": 1 + } + } +] + +# sctp chunk shutdown cum-tsn-ack 65535 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "cum-tsn-ack", + "name": "shutdown" + } + }, + "op": "==", + "right": 65535 + } + } +] + +# sctp chunk ecne lowest-tsn 5 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "lowest-tsn", + "name": "ecne" + } + }, + "op": "==", + "right": 5 + } + } +] + +# sctp chunk cwr lowest-tsn 8 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "lowest-tsn", + "name": "cwr" + } + }, + "op": "==", + "right": 8 + } + } +] + +# sctp chunk asconf-ack seqno 12345 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "seqno", + "name": "asconf-ack" + } + }, + "op": "==", + "right": 12345 + } + } +] + +# sctp chunk forward-tsn new-cum-tsn 31337 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "new-cum-tsn", + "name": "forward-tsn" + } + }, + "op": "==", + "right": 31337 + } + } +] + +# sctp chunk asconf seqno 12345 +[ + { + "match": { + "left": { + "sctp chunk": { + "field": "seqno", + "name": "asconf" + } + }, + "op": "==", + "right": 12345 + } + } +] + diff --git a/tests/py/inet/sctp.t.payload b/tests/py/inet/sctp.t.payload new file mode 100644 index 0000000..7337e2e --- /dev/null +++ b/tests/py/inet/sctp.t.payload @@ -0,0 +1,351 @@ +# sctp sport 23 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00001700 ] + +# sctp sport != 23 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp neq reg 1 0x00001700 ] + +# sctp sport 23-44 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp gte reg 1 0x00001700 ] + [ cmp lte reg 1 0x00002c00 ] + +# sctp sport != 23-44 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ range neq reg 1 0x00001700 0x00002c00 ] + +# sctp sport { 23, 24, 25} +__set%d test-inet 3 +__set%d test-inet 0 + element 00001700 : 0 [end] element 00001800 : 0 [end] element 00001900 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# sctp sport != { 23, 24, 25} +__set%d test-inet 3 +__set%d test-inet 0 + element 00001700 : 0 [end] element 00001800 : 0 [end] element 00001900 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# sctp dport 23 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001700 ] + +# sctp dport != 23 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp neq reg 1 0x00001700 ] + +# sctp dport 23-44 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gte reg 1 0x00001700 ] + [ cmp lte reg 1 0x00002c00 ] + +# sctp dport != 23-44 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ range neq reg 1 0x00001700 0x00002c00 ] + +# sctp dport { 23, 24, 25} +__set%d test-inet 3 +__set%d test-inet 0 + element 00001700 : 0 [end] element 00001800 : 0 [end] element 00001900 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# sctp dport != { 23, 24, 25} +__set%d test-inet 3 +__set%d test-inet 0 + element 00001700 : 0 [end] element 00001800 : 0 [end] element 00001900 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# sctp checksum 1111 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0x57040000 ] + +# sctp checksum != 11 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ cmp neq reg 1 0x0b000000 ] + +# sctp checksum 21-333 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ cmp gte reg 1 0x15000000 ] + [ cmp lte reg 1 0x4d010000 ] + +# sctp checksum != 32-111 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ range neq reg 1 0x20000000 0x6f000000 ] + +# sctp checksum { 22, 33, 44} +__set%d test-inet 3 +__set%d test-inet 0 + element 16000000 : 0 [end] element 21000000 : 0 [end] element 2c000000 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# sctp checksum != { 22, 33, 44} +__set%d test-inet 3 +__set%d test-inet 0 + element 16000000 : 0 [end] element 21000000 : 0 [end] element 2c000000 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# sctp vtag 22 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x16000000 ] + +# sctp vtag != 233 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp neq reg 1 0xe9000000 ] + +# sctp vtag 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp gte reg 1 0x21000000 ] + [ cmp lte reg 1 0x2d000000 ] + +# sctp vtag != 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ range neq reg 1 0x21000000 0x2d000000 ] + +# sctp vtag {33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# sctp vtag != {33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000084 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# sctp chunk data exists +ip + [ exthdr load 1b @ 0 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk init exists +ip + [ exthdr load 1b @ 1 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk init-ack exists +ip + [ exthdr load 1b @ 2 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk sack exists +ip + [ exthdr load 1b @ 3 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk heartbeat exists +ip + [ exthdr load 1b @ 4 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk heartbeat-ack exists +ip + [ exthdr load 1b @ 5 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk abort exists +ip + [ exthdr load 1b @ 6 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk shutdown exists +ip + [ exthdr load 1b @ 7 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk shutdown-ack exists +ip + [ exthdr load 1b @ 8 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk error exists +ip + [ exthdr load 1b @ 9 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk cookie-echo exists +ip + [ exthdr load 1b @ 10 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk cookie-ack exists +ip + [ exthdr load 1b @ 11 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk ecne exists +ip + [ exthdr load 1b @ 12 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk cwr exists +ip + [ exthdr load 1b @ 13 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk shutdown-complete exists +ip + [ exthdr load 1b @ 14 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk asconf-ack exists +ip + [ exthdr load 1b @ 128 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk forward-tsn exists +ip + [ exthdr load 1b @ 192 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk asconf exists +ip + [ exthdr load 1b @ 193 + 0 present => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# sctp chunk data type 0 +ip + [ exthdr load 1b @ 0 + 0 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + +# sctp chunk init flags 23 +ip + [ exthdr load 1b @ 1 + 1 => reg 1 ] + [ cmp eq reg 1 0x00000017 ] + +# sctp chunk init-ack length 42 +ip + [ exthdr load 2b @ 2 + 2 => reg 1 ] + [ cmp eq reg 1 0x00002a00 ] + +# sctp chunk data stream 1337 +ip + [ exthdr load 2b @ 0 + 8 => reg 1 ] + [ cmp eq reg 1 0x00003905 ] + +# sctp chunk init initial-tsn 5 +ip + [ exthdr load 4b @ 1 + 16 => reg 1 ] + [ cmp eq reg 1 0x05000000 ] + +# sctp chunk init-ack num-outbound-streams 3 +ip + [ exthdr load 2b @ 2 + 12 => reg 1 ] + [ cmp eq reg 1 0x00000300 ] + +# sctp chunk sack a-rwnd 1 +ip + [ exthdr load 4b @ 3 + 8 => reg 1 ] + [ cmp eq reg 1 0x01000000 ] + +# sctp chunk shutdown cum-tsn-ack 65535 +ip + [ exthdr load 4b @ 7 + 4 => reg 1 ] + [ cmp eq reg 1 0xffff0000 ] + +# sctp chunk ecne lowest-tsn 5 +ip + [ exthdr load 4b @ 12 + 4 => reg 1 ] + [ cmp eq reg 1 0x05000000 ] + +# sctp chunk cwr lowest-tsn 8 +ip + [ exthdr load 4b @ 13 + 4 => reg 1 ] + [ cmp eq reg 1 0x08000000 ] + +# sctp chunk asconf-ack seqno 12345 +ip + [ exthdr load 4b @ 128 + 4 => reg 1 ] + [ cmp eq reg 1 0x39300000 ] + +# sctp chunk forward-tsn new-cum-tsn 31337 +ip + [ exthdr load 4b @ 192 + 4 => reg 1 ] + [ cmp eq reg 1 0x697a0000 ] + +# sctp chunk asconf seqno 12345 +ip + [ exthdr load 4b @ 193 + 4 => reg 1 ] + [ cmp eq reg 1 0x39300000 ] + diff --git a/tests/py/inet/sets.t b/tests/py/inet/sets.t new file mode 100644 index 0000000..5b22e1f --- /dev/null +++ b/tests/py/inet/sets.t @@ -0,0 +1,25 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*inet;test-inet;input +*bridge;test-inet;input +*netdev;test-netdev;ingress,egress + +!set1 type ipv4_addr timeout 60s;ok +?set1 192.168.3.4 timeout 30s, 10.2.1.1;ok + +!set2 type ipv6_addr timeout 23d23h59m59s;ok +?set2 dead::beef timeout 5s;ok + +ip saddr @set1 drop;ok +ip saddr != @set2 drop;fail + +ip6 daddr != @set2 accept;ok +ip6 daddr @set1 drop;fail + +!set3 type ipv4_addr . ipv4_addr . inet_service flags interval;ok +?set3 10.0.0.0/8 . 192.168.1.3-192.168.1.9 . 1024-65535;ok + +ip saddr . ip daddr . tcp dport @set3 accept;ok +ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept;ok diff --git a/tests/py/inet/sets.t.json b/tests/py/inet/sets.t.json new file mode 100644 index 0000000..b44ffc2 --- /dev/null +++ b/tests/py/inet/sets.t.json @@ -0,0 +1,136 @@ +# ip saddr @set1 drop +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "@set1" + } + }, + { + "drop": null + } +] + +# ip6 daddr != @set2 accept +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip6" + } + }, + "op": "!=", + "right": "@set2" + } + }, + { + "accept": null + } +] + +# ip saddr . ip daddr . tcp dport @set3 accept +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + }, + "op": "==", + "right": "@set3" + } + }, + { + "accept": null + } +] + +# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "tcp" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + { + "prefix": { + "addr": "10.0.0.0", + "len": 8 + } + }, + { + "range": [ + 10, + 23 + ] + } + ] + }, + { + "concat": [ + { + "range": [ + "192.168.1.1", + "192.168.3.8" + ] + }, + { + "range": [ + 80, + 443 + ] + } + ] + } + ] + } + } + }, + { + "accept": null + } +] diff --git a/tests/py/inet/sets.t.payload.bridge b/tests/py/inet/sets.t.payload.bridge new file mode 100644 index 0000000..3dd9d57 --- /dev/null +++ b/tests/py/inet/sets.t.payload.bridge @@ -0,0 +1,42 @@ +# ip saddr @set1 drop +bridge test-inet input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set1 ] + [ immediate reg 0 drop ] + +# ip6 daddr != @set2 accept +bridge test-inet input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ payload load 16b @ network header + 24 => reg 1 ] + [ lookup reg 1 set set2 0x1 ] + [ immediate reg 0 accept ] + +# ip saddr . ip daddr . tcp dport @set3 accept +bridge + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ payload load 2b @ transport header + 2 => reg 10 ] + [ lookup reg 1 set set3 ] + [ immediate reg 0 accept ] + +# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept +__set%d test-inet 87 +__set%d test-inet 0 + element 0000000a 00000a00 - ffffff0a 00001700 : 0 [end] element 0101a8c0 00005000 - 0803a8c0 0000bb01 : 0 [end] +bridge + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] + diff --git a/tests/py/inet/sets.t.payload.inet b/tests/py/inet/sets.t.payload.inet new file mode 100644 index 0000000..53c6b18 --- /dev/null +++ b/tests/py/inet/sets.t.payload.inet @@ -0,0 +1,41 @@ +# ip saddr @set1 drop +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set1 ] + [ immediate reg 0 drop ] + +# ip6 daddr != @set2 accept +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 16b @ network header + 24 => reg 1 ] + [ lookup reg 1 set set2 0x1 ] + [ immediate reg 0 accept ] + +# ip saddr . ip daddr . tcp dport @set3 accept +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ payload load 2b @ transport header + 2 => reg 10 ] + [ lookup reg 1 set set3 ] + [ immediate reg 0 accept ] + +# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept +__set%d test-inet 87 +__set%d test-inet 0 + element 0000000a 00000a00 - ffffff0a 00001700 : 0 [end] element 0101a8c0 00005000 - 0803a8c0 0000bb01 : 0 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] diff --git a/tests/py/inet/sets.t.payload.netdev b/tests/py/inet/sets.t.payload.netdev new file mode 100644 index 0000000..e31aeb9 --- /dev/null +++ b/tests/py/inet/sets.t.payload.netdev @@ -0,0 +1,41 @@ +# ip saddr @set1 drop +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ lookup reg 1 set set1 ] + [ immediate reg 0 drop ] + +# ip6 daddr != @set2 accept +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x0000dd86 ] + [ payload load 16b @ network header + 24 => reg 1 ] + [ lookup reg 1 set set2 0x1 ] + [ immediate reg 0 accept ] + +# ip saddr . ip daddr . tcp dport @set3 accept +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ payload load 2b @ transport header + 2 => reg 10 ] + [ lookup reg 1 set set3 ] + [ immediate reg 0 accept ] + +# ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept +__set%d test-netdev 87 +__set%d test-netdev 0 + element 0000000a 00000a00 - ffffff0a 00001700 : 0 [end] element 0101a8c0 00005000 - 0803a8c0 0000bb01 : 0 [end] +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ payload load 2b @ transport header + 2 => reg 9 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] diff --git a/tests/py/inet/snat.t b/tests/py/inet/snat.t new file mode 100644 index 0000000..cf23b5c --- /dev/null +++ b/tests/py/inet/snat.t @@ -0,0 +1,21 @@ +:postrouting;type nat hook postrouting priority 0 + +*inet;test-inet;postrouting + +# explicit family: 'snat to ip': +iifname "eth0" tcp dport 81 snat ip to 192.168.3.2;ok + +# infer snat target family from network header base: +iifname "eth0" tcp dport 81 ip saddr 10.1.1.1 snat to 192.168.3.2;ok;iifname "eth0" tcp dport 81 ip saddr 10.1.1.1 snat ip to 192.168.3.2 +iifname "eth0" tcp dport 81 snat ip6 to dead::beef;ok + +iifname "foo" masquerade random;ok + + +snat to 192.168.3.2;fail +snat ip6 to 192.168.3.2;fail +snat to dead::beef;fail +snat ip to dead::beef;fail +snat ip daddr 1.2.3.4 to dead::beef;fail +snat ip daddr 1.2.3.4 ip6 to dead::beef;fail +snat ip6 saddr dead::beef to 1.2.3.4;fail diff --git a/tests/py/inet/snat.t.json b/tests/py/inet/snat.t.json new file mode 100644 index 0000000..4671625 --- /dev/null +++ b/tests/py/inet/snat.t.json @@ -0,0 +1,131 @@ +# iifname "eth0" tcp dport 81 snat ip to 192.168.3.2 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 81 + } + }, + { + "snat": { + "addr": "192.168.3.2", + "family": "ip" + } + } +] + +# iifname "eth0" tcp dport 81 ip saddr 10.1.1.1 snat to 192.168.3.2 +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 81 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "10.1.1.1" + } + }, + { + "snat": { + "addr": "192.168.3.2", + "family": "ip" + } + } +] + +# iifname "eth0" tcp dport 81 snat ip6 to dead::beef +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "eth0" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 81 + } + }, + { + "snat": { + "addr": "dead::beef", + "family": "ip6" + } + } +] + +# iifname "foo" masquerade random +[ + { + "match": { + "left": { + "meta": { + "key": "iifname" + } + }, + "op": "==", + "right": "foo" + } + }, + { + "masquerade": { + "flags": "random" + } + } +] + diff --git a/tests/py/inet/snat.t.payload b/tests/py/inet/snat.t.payload new file mode 100644 index 0000000..50519c6 --- /dev/null +++ b/tests/py/inet/snat.t.payload @@ -0,0 +1,42 @@ +# iifname "eth0" tcp dport 81 snat ip to 192.168.3.2 +inet test-inet postrouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00005100 ] + [ immediate reg 1 0x0203a8c0 ] + [ nat snat ip addr_min reg 1 ] + +# iifname "eth0" tcp dport 81 ip saddr 10.1.1.1 snat to 192.168.3.2 +inet test-inet postrouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00005100 ] + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x0101010a ] + [ immediate reg 1 0x0203a8c0 ] + [ nat snat ip addr_min reg 1 ] + +# iifname "eth0" tcp dport 81 snat ip6 to dead::beef +inet test-inet postrouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00005100 ] + [ immediate reg 1 0x0000adde 0x00000000 0x00000000 0xefbe0000 ] + [ nat snat ip6 addr_min reg 1 ] + +# iifname "foo" masquerade random +inet test-inet postrouting + [ meta load iifname => reg 1 ] + [ cmp eq reg 1 0x006f6f66 0x00000000 0x00000000 0x00000000 ] + [ masq flags 0x4 ] diff --git a/tests/py/inet/socket.t b/tests/py/inet/socket.t new file mode 100644 index 0000000..05e9ebb --- /dev/null +++ b/tests/py/inet/socket.t @@ -0,0 +1,15 @@ +:sockchain;type filter hook prerouting priority -150 + +*ip;sockip4;sockchain +*ip6;sockip6;sockchain +*inet;sockin;sockchain + +socket transparent 0;ok +socket transparent 1;ok +socket transparent 2;fail + +socket mark 0x00000005;ok + +socket wildcard 0;ok +socket wildcard 1;ok +socket wildcard 2;fail diff --git a/tests/py/inet/socket.t.json b/tests/py/inet/socket.t.json new file mode 100644 index 0000000..fa48e79 --- /dev/null +++ b/tests/py/inet/socket.t.json @@ -0,0 +1,74 @@ +# socket transparent 0 +[ + { + "match": { + "left": { + "socket": { + "key": "transparent" + } + }, + "op": "==", + "right": 0 + } + } +] + +# socket transparent 1 +[ + { + "match": { + "left": { + "socket": { + "key": "transparent" + } + }, + "op": "==", + "right": 1 + } + } +] + +# socket mark 0x00000005 +[ + { + "match": { + "left": { + "socket": { + "key": "mark" + } + }, + "op": "==", + "right": 5 + } + } +] + +# socket wildcard 0 +[ + { + "match": { + "left": { + "socket": { + "key": "wildcard" + } + }, + "op": "==", + "right": 0 + } + } +] + +# socket wildcard 1 +[ + { + "match": { + "left": { + "socket": { + "key": "wildcard" + } + }, + "op": "==", + "right": 1 + } + } +] diff --git a/tests/py/inet/socket.t.payload b/tests/py/inet/socket.t.payload new file mode 100644 index 0000000..e66ccbf --- /dev/null +++ b/tests/py/inet/socket.t.payload @@ -0,0 +1,24 @@ +# socket transparent 0 +inet sockin sockchain + [ socket load transparent => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + +# socket transparent 1 +inet sockin sockchain + [ socket load transparent => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + +# socket mark 0x00000005 +inet sockin sockchain + [ socket load mark => reg 1 ] + [ cmp eq reg 1 0x00000005 ] + +# socket wildcard 0 +inet sockin sockchain + [ socket load wildcard => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + +# socket wildcard 1 +inet sockin sockchain + [ socket load wildcard => reg 1 ] + [ cmp eq reg 1 0x00000001 ] diff --git a/tests/py/inet/synproxy.t b/tests/py/inet/synproxy.t new file mode 100644 index 0000000..55a05e1 --- /dev/null +++ b/tests/py/inet/synproxy.t @@ -0,0 +1,13 @@ +:synproxychain;type filter hook input priority 0 + +*ip;synproxyip;synproxychain +*ip6;synproxyip6;synproxychain +*inet;synproxyinet;synproxychain + +synproxy;ok +synproxy mss 1460 wscale 7;ok +synproxy mss 1460 wscale 5 timestamp sack-perm;ok +synproxy timestamp sack-perm;ok +synproxy timestamp;ok +synproxy sack-perm;ok + diff --git a/tests/py/inet/synproxy.t.json b/tests/py/inet/synproxy.t.json new file mode 100644 index 0000000..1dd85a6 --- /dev/null +++ b/tests/py/inet/synproxy.t.json @@ -0,0 +1,64 @@ +# synproxy +[ + { + "synproxy":null + } +] + +# synproxy mss 1460 wscale 7 +[ + { + "synproxy": { + "mss": 1460, + "wscale": 7 + } + } +] + +# synproxy timestamp +[ + { + "synproxy": { + "flags": [ + "timestamp" + ] + } + } +] + +# synproxy timestamp sack-perm +[ + { + "synproxy": { + "flags": [ + "timestamp", + "sack-perm" + ] + } + } +] + +# synproxy mss 1460 wscale 5 timestamp sack-perm +[ + { + "synproxy": { + "flags": [ + "timestamp", + "sack-perm" + ], + "mss": 1460, + "wscale": 5 + } + } +] + +# synproxy sack-perm +[ + { + "synproxy": { + "flags": [ + "sack-perm" + ] + } + } +] diff --git a/tests/py/inet/synproxy.t.payload b/tests/py/inet/synproxy.t.payload new file mode 100644 index 0000000..dd318b9 --- /dev/null +++ b/tests/py/inet/synproxy.t.payload @@ -0,0 +1,24 @@ +# synproxy +inet synproxyinet synproxychain + [ synproxy mss 0 wscale 0 ] + +# synproxy mss 1460 wscale 7 +inet synproxyinet synproxychain + [ synproxy mss 1460 wscale 7 ] + +# synproxy mss 1460 wscale 5 timestamp sack-perm +inet synproxyinet synproxychain + [ synproxy mss 1460 wscale 5 ] + +# synproxy timestamp sack-perm +inet synproxyinet synproxychain + [ synproxy mss 0 wscale 0 ] + +# synproxy timestamp +inet synproxyinet synproxychain + [ synproxy mss 0 wscale 0 ] + +# synproxy sack-perm +inet synproxyinet synproxychain + [ synproxy mss 0 wscale 0 ] + diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t new file mode 100644 index 0000000..f51ebd3 --- /dev/null +++ b/tests/py/inet/tcp.t @@ -0,0 +1,115 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +tcp dport set {1, 2, 3};fail + +tcp dport 22;ok +tcp dport != 233;ok +tcp dport 33-45;ok +tcp dport != 33-45;ok +tcp dport { 33, 55, 67, 88};ok +tcp dport != { 33, 55, 67, 88};ok +tcp dport {telnet, http, https} accept;ok;tcp dport { 443, 23, 80} accept +tcp dport vmap { 22 : accept, 23 : drop };ok +tcp dport vmap { 25:accept, 28:drop };ok +tcp dport { 22, 53, 80, 110 };ok +tcp dport != { 22, 53, 80, 110 };ok +# BUG: invalid expression type set +# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed. + +tcp sport 22;ok +tcp sport != 233;ok +tcp sport 33-45;ok +tcp sport != 33-45;ok +tcp sport { 33, 55, 67, 88};ok +tcp sport != { 33, 55, 67, 88};ok +tcp sport vmap { 25:accept, 28:drop };ok + +tcp sport 8080 drop;ok +tcp sport 1024 tcp dport 22;ok +tcp sport 1024 tcp dport 22 tcp sequence 0;ok + +tcp sequence 0 tcp sport 1024 tcp dport 22;ok +tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22;ok;tcp sequence 0 tcp sport { 1022, 1024} tcp dport 22 + +tcp sequence 22;ok +tcp sequence != 233;ok +tcp sequence 33-45;ok +tcp sequence != 33-45;ok +tcp sequence { 33, 55, 67, 88};ok +tcp sequence != { 33, 55, 67, 88};ok + +tcp ackseq 42949672 drop;ok +tcp ackseq 22;ok +tcp ackseq != 233;ok +tcp ackseq 33-45;ok +tcp ackseq != 33-45;ok +tcp ackseq { 33, 55, 67, 88};ok +tcp ackseq != { 33, 55, 67, 88};ok + +- tcp doff 22;ok +- tcp doff != 233;ok +- tcp doff 33-45;ok +- tcp doff != 33-45;ok +- tcp doff { 33, 55, 67, 88};ok +- tcp doff != { 33, 55, 67, 88};ok + +# BUG reserved +# BUG: It is accepted but it is not shown then. tcp reserver + +tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop;ok +tcp flags != { fin, urg, ecn, cwr} drop;ok +tcp flags cwr;ok +tcp flags != cwr;ok +tcp flags == syn;ok +tcp flags fin,syn / fin,syn;ok +tcp flags != syn / fin,syn;ok +tcp flags & syn != 0;ok;tcp flags syn +tcp flags & syn == 0;ok;tcp flags ! syn +tcp flags & (syn | ack) != 0;ok;tcp flags syn,ack +tcp flags & (syn | ack) == 0;ok;tcp flags ! syn,ack +# it should be possible to transform this to: tcp flags syn +tcp flags & syn == syn;ok +tcp flags & syn != syn;ok +tcp flags & (fin | syn | rst | ack) syn;ok;tcp flags syn / fin,syn,rst,ack +tcp flags & (fin | syn | rst | ack) == syn;ok;tcp flags syn / fin,syn,rst,ack +tcp flags & (fin | syn | rst | ack) != syn;ok;tcp flags != syn / fin,syn,rst,ack +tcp flags & (fin | syn | rst | ack) == (syn | ack);ok;tcp flags syn,ack / fin,syn,rst,ack +tcp flags & (fin | syn | rst | ack) != (syn | ack);ok;tcp flags != syn,ack / fin,syn,rst,ack +tcp flags & (syn | ack) == (syn | ack);ok;tcp flags syn,ack / syn,ack +tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr;ok;tcp flags == 0xff +tcp flags { syn, syn | ack };ok +tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack };ok +tcp flags ! fin,rst;ok +tcp flags & (fin | syn | rst | ack) ! syn;fail + +tcp window 22222;ok +tcp window 22;ok +tcp window != 233;ok +tcp window 33-45;ok +tcp window != 33-45;ok +tcp window { 33, 55, 67, 88};ok +tcp window != { 33, 55, 67, 88};ok + +tcp checksum 22;ok +tcp checksum != 233;ok +tcp checksum 33-45;ok +tcp checksum != 33-45;ok +tcp checksum { 33, 55, 67, 88};ok +tcp checksum != { 33, 55, 67, 88};ok + +tcp urgptr 1234 accept;ok +tcp urgptr 22;ok +tcp urgptr != 233;ok +tcp urgptr 33-45;ok +tcp urgptr != 33-45;ok +tcp urgptr { 33, 55, 67, 88};ok +tcp urgptr != { 33, 55, 67, 88};ok + +tcp doff 8;ok diff --git a/tests/py/inet/tcp.t.json b/tests/py/inet/tcp.t.json new file mode 100644 index 0000000..8439c2b --- /dev/null +++ b/tests/py/inet/tcp.t.json @@ -0,0 +1,1799 @@ +# tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# tcp dport != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# tcp dport 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# tcp dport != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# tcp dport { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# tcp dport != { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# tcp dport {telnet, http, https} accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + "telnet", + "http", + "https" + ] + } + } + }, + { + "accept": null + } +] + +# tcp dport vmap { 22 : accept, 23 : drop } +[ + { + "vmap": { + "key": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "data": { + "set": [ + [ + 22, + { + "accept": null + } + ], + [ + 23, + { + "drop": null + } + ] + ] + } + } + } +] + +# tcp dport vmap { 25:accept, 28:drop } +[ + { + "vmap": { + "key": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "data": { + "set": [ + [ + 25, + { + "accept": null + } + ], + [ + 28, + { + "drop": null + } + ] + ] + } + } + } +] + +# tcp dport { 22, 53, 80, 110 } +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + 22, + 53, + 80, + 110 + ] + } + } + } +] + +# tcp dport != { 22, 53, 80, 110 } +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "set": [ + 22, + 53, + 80, + 110 + ] + } + } + } +] + +# tcp sport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# tcp sport != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# tcp sport 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# tcp sport != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# tcp sport { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# tcp sport != { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# tcp sport vmap { 25:accept, 28:drop } +[ + { + "vmap": { + "key": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "data": { + "set": [ + [ + 25, + { + "accept": null + } + ], + [ + 28, + { + "drop": null + } + ] + ] + } + } + } +] + +# tcp sport 8080 drop +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 8080 + } + }, + { + "drop": null + } +] + +# tcp sport 1024 tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 1024 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# tcp sport 1024 tcp dport 22 tcp sequence 0 +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 1024 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + }, + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "tcp" + } + }, + "op": "==", + "right": 0 + } + } +] + +# tcp sequence 0 tcp sport 1024 tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "tcp" + } + }, + "op": "==", + "right": 0 + } + }, + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 1024 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "tcp" + } + }, + "op": "==", + "right": 0 + } + }, + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + 1024, + 1022 + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# tcp sequence 22 +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# tcp sequence != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# tcp sequence 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# tcp sequence != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# tcp sequence { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# tcp sequence != { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# tcp ackseq 42949672 drop +[ + { + "match": { + "left": { + "payload": { + "field": "ackseq", + "protocol": "tcp" + } + }, + "op": "==", + "right": 42949672 + } + }, + { + "drop": null + } +] + +# tcp ackseq 22 +[ + { + "match": { + "left": { + "payload": { + "field": "ackseq", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# tcp ackseq != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "ackseq", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# tcp ackseq 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "ackseq", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# tcp ackseq != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "ackseq", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# tcp ackseq { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "ackseq", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# tcp ackseq != { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "ackseq", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + "fin", + "syn", + "rst", + "psh", + "ack", + "urg", + "ecn", + "cwr" + ] + } + } + }, + { + "drop": null + } +] + +# tcp flags != { fin, urg, ecn, cwr} drop +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "set": [ + "fin", + "urg", + "ecn", + "cwr" + ] + } + } + }, + { + "drop": null + } +] + +# tcp flags cwr +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "in", + "right": "cwr" + } + } +] + +# tcp flags != cwr +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "!=", + "right": "cwr" + } + } +] + +# tcp flags == syn +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "==", + "right": "syn" + } + } +] + +# tcp flags & (syn|fin) == (syn|fin) +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "syn", + "fin" + ] + } + ] + }, + "op": "==", + "right": { + "|": [ + "syn", + "fin" + ] + } + } + } +] + +# tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ "fin", { "|": [ "syn", { "|": [ "rst", { "|": [ "psh", { "|": [ "ack", { "|": [ "urg", { "|": [ "ecn", "cwr" ] } ] } ] } ] } ] } ] } ] + } + ] + }, + "op": "==", + "right": { "|": [ "fin", { "|": [ "syn", { "|": [ "rst", { "|": [ "psh", { "|": [ "ack", { "|": [ "urg", { "|": [ "ecn", "cwr" ] } ] } ] } ] } ] } ] } ] } + } + } +] + +# tcp window 22222 +[ + { + "match": { + "left": { + "payload": { + "field": "window", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22222 + } + } +] + +# tcp window 22 +[ + { + "match": { + "left": { + "payload": { + "field": "window", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# tcp window != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "window", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# tcp window 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "window", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# tcp window != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "window", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# tcp window { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "window", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# tcp window != { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "window", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# tcp checksum 22 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# tcp checksum != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# tcp checksum 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# tcp checksum != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# tcp checksum { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# tcp checksum != { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# tcp urgptr 1234 accept +[ + { + "match": { + "left": { + "payload": { + "field": "urgptr", + "protocol": "tcp" + } + }, + "op": "==", + "right": 1234 + } + }, + { + "accept": null + } +] + +# tcp urgptr 22 +[ + { + "match": { + "left": { + "payload": { + "field": "urgptr", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# tcp urgptr != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "urgptr", + "protocol": "tcp" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# tcp urgptr 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "urgptr", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# tcp urgptr != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "urgptr", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# tcp urgptr { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "urgptr", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# tcp urgptr != { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "urgptr", + "protocol": "tcp" + } + }, + "op": "!=", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# tcp doff 8 +[ + { + "match": { + "left": { + "payload": { + "field": "doff", + "protocol": "tcp" + } + }, + "op": "==", + "right": 8 + } + } +] + +# tcp flags { syn, syn | ack } +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + { + "|": [ + "syn", + "ack" + ] + }, + "syn" + ] + } + } + } +] + +# tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack } +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + { + "|": [ + { + "|": [ + { + "|": [ + { + "|": [ + "fin", + "syn" + ] + }, + "rst" + ] + }, + "psh" + ] + }, + "ack" + ] + }, + "urg" + ] + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "|": [ + { + "|": [ + "fin", + "psh" + ] + }, + "ack" + ] + }, + "fin", + { + "|": [ + "psh", + "ack" + ] + }, + "ack" + ] + } + } + } +] + +# tcp flags ! fin,rst +[ + { + "match": { + "op": "!", + "left": { + "payload": { + "protocol": "tcp", + "field": "flags" + } + }, + "right": [ + "fin", + "rst" + ] + } + } +] + +# tcp flags fin,syn / fin,syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + [ + "fin", + "syn" + ] + ] + }, + "op": "==", + "right": [ + "fin", + "syn" + ] + } + } +] + +# tcp flags != syn / fin,syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + [ + "fin", + "syn" + ] + ] + }, + "op": "!=", + "right": "syn" + } + } +] + +# tcp flags & syn == 0 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "!", + "right": "syn" + } + } +] + +# tcp flags & syn != 0 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "in", + "right": "syn" + } + } +] + +# tcp flags & (syn | ack) != 0 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "in", + "right": [ + "syn", + "ack" + ] + } + } +] + +# tcp flags & (syn | ack) == 0 +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "!", + "right": [ + "syn", + "ack" + ] + } + } +] + +# tcp flags & syn == syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "syn" + ] + }, + "op": "==", + "right": "syn" + } + } +] + +# tcp flags & syn != syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "syn" + ] + }, + "op": "!=", + "right": "syn" + } + } +] + +# tcp flags & (fin | syn | rst | ack) syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + [ + "fin", + "syn", + "rst", + "ack" + ] + ] + }, + "op": "==", + "right": "syn" + } + } +] + +# tcp flags & (fin | syn | rst | ack) == syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + [ + "fin", + "syn", + "rst", + "ack" + ] + ] + }, + "op": "==", + "right": "syn" + } + } +] + + +# tcp flags & (fin | syn | rst | ack) != syn +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + [ + "fin", + "syn", + "rst", + "ack" + ] + ] + }, + "op": "!=", + "right": "syn" + } + } +] + +# tcp flags & (fin | syn | rst | ack) == (syn | ack) +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + [ + "fin", + "syn", + "rst", + "ack" + ] + ] + }, + "op": "==", + "right": [ + "syn", + "ack" + ] + } + } +] + +# tcp flags & (fin | syn | rst | ack) != (syn | ack) +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + [ + "fin", + "syn", + "rst", + "ack" + ] + ] + }, + "op": "!=", + "right": [ + "syn", + "ack" + ] + } + } +] + +# tcp flags & (syn | ack) == (syn | ack) +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + [ + "syn", + "ack" + ] + ] + }, + "op": "==", + "right": [ + "syn", + "ack" + ] + } + } +] + diff --git a/tests/py/inet/tcp.t.json.output b/tests/py/inet/tcp.t.json.output new file mode 100644 index 0000000..c471e8d --- /dev/null +++ b/tests/py/inet/tcp.t.json.output @@ -0,0 +1,210 @@ +# tcp dport {telnet, http, https} accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + 23, + 80, + 443 + ] + } + } + }, + { + "accept": null + } +] + +# tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22 +[ + { + "match": { + "left": { + "payload": { + "field": "sequence", + "protocol": "tcp" + } + }, + "op": "==", + "right": 0 + } + }, + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + 1022, + 1024 + ] + } + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# tcp flags & (syn|fin) == (syn|fin) +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + "fin", + "syn" + ] + } + ] + }, + "op": "==", + "right": { + "|": [ + "fin", + "syn" + ] + } + } + } +] + +# tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "==", + "right": 255 + } + } +] + +# tcp flags { syn, syn | ack } +[ + { + "match": { + "left": { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "set": [ + "syn", + { + "|": [ + "syn", + "ack" + ] + } + ] + } + } + } +] + +# tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack } +[ + { + "match": { + "left": { + "&": [ + { + "payload": { + "field": "flags", + "protocol": "tcp" + } + }, + { + "|": [ + { + "|": [ + { + "|": [ + { + "|": [ + { + "|": [ + "fin", + "syn" + ] + }, + "rst" + ] + }, + "psh" + ] + }, + "ack" + ] + }, + "urg" + ] + } + ] + }, + "op": "==", + "right": { + "set": [ + "fin", + { + "|": [ + { + "|": [ + "fin", + "psh" + ] + }, + "ack" + ] + }, + { + "|": [ + "psh", + "ack" + ] + }, + "ack" + ] + } + } + } +] diff --git a/tests/py/inet/tcp.t.payload b/tests/py/inet/tcp.t.payload new file mode 100644 index 0000000..1cfe500 --- /dev/null +++ b/tests/py/inet/tcp.t.payload @@ -0,0 +1,674 @@ +# tcp dport 22 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# tcp dport != 233 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# tcp dport 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# tcp dport != 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# tcp dport { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# tcp dport != { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# tcp dport {telnet, http, https} accept +__set%d test-inet 3 +__set%d test-inet 0 + element 00001700 : 0 [end] element 00005000 : 0 [end] element 0000bb01 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] + +# tcp dport vmap { 22 : accept, 23 : drop } +__map%d test-inet b +__map%d test-inet 0 + element 00001600 : accept 0 [end] element 00001700 : drop 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# tcp dport vmap { 25:accept, 28:drop } +__map%d test-inet b +__map%d test-inet 0 + element 00001900 : accept 0 [end] element 00001c00 : drop 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# tcp dport { 22, 53, 80, 110 } +__set%d test-inet 3 +__set%d test-inet 0 + element 00001600 : 0 [end] element 00003500 : 0 [end] element 00005000 : 0 [end] element 00006e00 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# tcp dport != { 22, 53, 80, 110 } +__set%d test-inet 3 +__set%d test-inet 0 + element 00001600 : 0 [end] element 00003500 : 0 [end] element 00005000 : 0 [end] element 00006e00 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# tcp sport 22 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# tcp sport != 233 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# tcp sport 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# tcp sport != 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# tcp sport { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# tcp sport != { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# tcp sport vmap { 25:accept, 28:drop } +__map%d test-inet b +__map%d test-inet 0 + element 00001900 : accept 0 [end] element 00001c00 : drop 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# tcp sport 8080 drop +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x0000901f ] + [ immediate reg 0 drop ] + +# tcp sport 1024 tcp dport 22 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x16000004 ] + +# tcp sport 1024 tcp dport 22 tcp sequence 0 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x16000004 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + +# tcp sequence 0 tcp sport 1024 tcp dport 22 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + [ payload load 4b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x16000004 ] + +# tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22 +__set%d test-inet 3 +__set%d test-inet 0 + element 00000004 : 0 [end] element 0000fe03 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000000 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# tcp sequence 22 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x16000000 ] + +# tcp sequence != 233 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp neq reg 1 0xe9000000 ] + +# tcp sequence 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ cmp gte reg 1 0x21000000 ] + [ cmp lte reg 1 0x2d000000 ] + +# tcp sequence != 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ range neq reg 1 0x21000000 0x2d000000 ] + +# tcp sequence { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# tcp sequence != { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 4 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# tcp ackseq 42949672 drop +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0x285c8f02 ] + [ immediate reg 0 drop ] + +# tcp ackseq 22 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ cmp eq reg 1 0x16000000 ] + +# tcp ackseq != 233 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ cmp neq reg 1 0xe9000000 ] + +# tcp ackseq 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ cmp gte reg 1 0x21000000 ] + [ cmp lte reg 1 0x2d000000 ] + +# tcp ackseq != 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ range neq reg 1 0x21000000 0x2d000000 ] + +# tcp ackseq { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# tcp ackseq != { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 21000000 : 0 [end] element 37000000 : 0 [end] element 43000000 : 0 [end] element 58000000 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 4b @ transport header + 8 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop +__set%d test-inet 3 +__set%d test-inet 0 + element 00000001 : 0 [end] element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000008 : 0 [end] element 00000010 : 0 [end] element 00000020 : 0 [end] element 00000040 : 0 [end] element 00000080 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 drop ] + +# tcp flags != { fin, urg, ecn, cwr} drop +__set%d test-inet 3 +__set%d test-inet 0 + element 00000001 : 0 [end] element 00000020 : 0 [end] element 00000040 : 0 [end] element 00000080 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 0 drop ] + +# tcp flags cwr +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000080 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# tcp flags != cwr +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ cmp neq reg 1 0x00000080 ] + +# tcp flags == syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + +# tcp flags fin,syn / fin,syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000003 ] + +# tcp flags != syn / fin,syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000002 ] + +# tcp flags & syn != 0 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# tcp flags & syn == 0 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# tcp flags & (syn | ack) != 0 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000012 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000000 ] + +# tcp flags & (syn | ack) == 0 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000012 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + +# tcp flags & syn == syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000002 ] + +# tcp flags & syn != syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000002 ] + +# tcp flags & (fin | syn | rst | ack) syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000002 ] + +# tcp flags & (fin | syn | rst | ack) == syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000002 ] + +# tcp flags & (fin | syn | rst | ack) != syn +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000002 ] + +# tcp flags & (fin | syn | rst | ack) == (syn | ack) +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000012 ] + +# tcp flags & (fin | syn | rst | ack) != (syn | ack) +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ] + [ cmp neq reg 1 0x00000012 ] + +# tcp flags & (syn | ack) == (syn | ack) +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000012 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000012 ] + +# tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000000 ] + [ cmp eq reg 1 0x000000ff ] + +# tcp window 22222 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 14 => reg 1 ] + [ cmp eq reg 1 0x0000ce56 ] + +# tcp window 22 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 14 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# tcp window != 233 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 14 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# tcp window 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 14 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# tcp window != 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 14 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# tcp window { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 14 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# tcp window != { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 14 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# tcp checksum 22 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 16 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# tcp checksum != 233 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 16 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# tcp checksum 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 16 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# tcp checksum != 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 16 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# tcp checksum { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 16 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# tcp checksum != { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 16 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# tcp urgptr 1234 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 18 => reg 1 ] + [ cmp eq reg 1 0x0000d204 ] + [ immediate reg 0 accept ] + +# tcp urgptr 22 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 18 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# tcp urgptr != 233 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 18 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# tcp urgptr 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 18 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# tcp urgptr != 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 18 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# tcp urgptr { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 18 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# tcp urgptr != { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 18 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# tcp doff 8 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 12 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000080 ] + +# tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack } +__set%d test-inet 3 +__set%d test-inet 0 + element 00000001 : 0 [end] element 00000010 : 0 [end] element 00000018 : 0 [end] element 00000019 : 0 [end] +ip + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x0000003f ) ^ 0x00000000 ] + [ lookup reg 1 set __set%d ] + +# tcp flags { syn, syn | ack } +__set%d test-inet 3 +__set%d test-inet 0 + element 00000002 : 0 [end] element 00000012 : 0 [end] +inet + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# tcp flags ! fin,rst +inet + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 1b @ transport header + 13 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000005 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] diff --git a/tests/py/inet/tproxy.t b/tests/py/inet/tproxy.t new file mode 100644 index 0000000..d23bbcb --- /dev/null +++ b/tests/py/inet/tproxy.t @@ -0,0 +1,21 @@ +:y;type filter hook prerouting priority -150 + +*inet;x;y + +tproxy;fail +meta l4proto 17 tproxy to 192.0.2.1;fail +meta l4proto 6 tproxy to 192.0.2.1:50080;fail +meta l4proto 17 tproxy ip to 192.0.2.1;ok +meta l4proto 6 tproxy ip to 192.0.2.1:50080;ok +ip protocol 6 tproxy ip6 to [2001:db8::1];fail + +meta l4proto 6 tproxy to [2001:db8::1];fail +meta l4proto 17 tproxy to [2001:db8::1]:50080;fail +meta l4proto 6 tproxy ip6 to [2001:db8::1];ok +meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080;ok +ip6 nexthdr 6 tproxy ip to 192.0.2.1;fail + +meta l4proto 17 tproxy ip to :50080;ok +meta l4proto 17 tproxy ip6 to :50080;ok +meta l4proto 17 tproxy to :50080;ok +ip daddr 0.0.0.0/0 meta l4proto 6 tproxy ip to :2000;ok diff --git a/tests/py/inet/tproxy.t.json b/tests/py/inet/tproxy.t.json new file mode 100644 index 0000000..7b3b11c --- /dev/null +++ b/tests/py/inet/tproxy.t.json @@ -0,0 +1,185 @@ +# meta l4proto 17 tproxy ip to 192.0.2.1 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 17 + } + }, + { + "tproxy": { + "addr": "192.0.2.1", + "family": "ip" + } + } +] + +# meta l4proto 6 tproxy ip to 192.0.2.1:50080 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "tproxy": { + "addr": "192.0.2.1", + "family": "ip", + "port": 50080 + } + } +] + +# meta l4proto 6 tproxy ip6 to [2001:db8::1] +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "tproxy": { + "addr": "2001:db8::1", + "family": "ip6" + } + } +] + +# meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 17 + } + }, + { + "tproxy": { + "addr": "2001:db8::1", + "family": "ip6", + "port": 50080 + } + } +] + +# meta l4proto 17 tproxy ip to :50080 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 17 + } + }, + { + "tproxy": { + "family": "ip", + "port": 50080 + } + } +] + +# meta l4proto 17 tproxy ip6 to :50080 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 17 + } + }, + { + "tproxy": { + "family": "ip6", + "port": 50080 + } + } +] + +# meta l4proto 17 tproxy to :50080 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 17 + } + }, + { + "tproxy": { + "port": 50080 + } + } +] + +# ip daddr 0.0.0.0/0 meta l4proto 6 tproxy ip to :2000 +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "0.0.0.0", + "len": 0 + } + } + } + }, + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "tproxy": { + "family": "ip", + "port": 2000 + } + } +] diff --git a/tests/py/inet/tproxy.t.payload b/tests/py/inet/tproxy.t.payload new file mode 100644 index 0000000..24bf8f6 --- /dev/null +++ b/tests/py/inet/tproxy.t.payload @@ -0,0 +1,63 @@ +# meta l4proto 17 tproxy ip to 192.0.2.1 +inet x y + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ immediate reg 1 0x010200c0 ] + [ tproxy ip addr reg 1 ] + +# meta l4proto 6 tproxy ip to 192.0.2.1:50080 +inet x y + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x010200c0 ] + [ immediate reg 2 0x0000a0c3 ] + [ tproxy ip addr reg 1 port reg 2 ] + +# meta l4proto 6 tproxy ip6 to [2001:db8::1] +inet x y + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0xb80d0120 0x00000000 0x00000000 0x01000000 ] + [ tproxy ip6 addr reg 1 ] + +# meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080 +inet x y + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ immediate reg 1 0xb80d0120 0x00000000 0x00000000 0x01000000 ] + [ immediate reg 2 0x0000a0c3 ] + [ tproxy ip6 addr reg 1 port reg 2 ] + +# meta l4proto 17 tproxy to :50080 +inet x y + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ immediate reg 1 0x0000a0c3 ] + [ tproxy port reg 1 ] + +# meta l4proto 17 tproxy ip to :50080 +inet x y + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ immediate reg 1 0x0000a0c3 ] + [ tproxy ip port reg 1 ] + +# meta l4proto 17 tproxy ip6 to :50080 +inet x y + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ immediate reg 1 0x0000a0c3 ] + [ tproxy ip6 port reg 1 ] + +# ip daddr 0.0.0.0/0 meta l4proto 6 tproxy ip to :2000 +inet x y + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ bitwise reg 1 = ( reg 1 & 0x00000000 ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x0000d007 ] + [ tproxy ip port reg 1 ] + diff --git a/tests/py/inet/udp.t b/tests/py/inet/udp.t new file mode 100644 index 0000000..7f21c8e --- /dev/null +++ b/tests/py/inet/udp.t @@ -0,0 +1,45 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +udp sport 80 accept;ok +udp sport != 60 accept;ok +udp sport 50-70 accept;ok +udp sport != 50-60 accept;ok +udp sport { 49, 50} drop;ok +udp sport != { 50, 60} accept;ok + +udp dport set {1, 2, 3};fail + +udp dport 80 accept;ok +udp dport != 60 accept;ok +udp dport 70-75 accept;ok +udp dport != 50-60 accept;ok +udp dport { 49, 50} drop;ok +udp dport != { 50, 60} accept;ok + +udp length 6666;ok +udp length != 6666;ok +udp length 50-65 accept;ok +udp length != 50-65 accept;ok +udp length { 50, 65} accept;ok +udp length != { 50, 65} accept;ok + +udp checksum 6666 drop;ok +udp checksum != { 444, 555} accept;ok + +udp checksum 22;ok +udp checksum != 233;ok +udp checksum 33-45;ok +udp checksum != 33-45;ok +udp checksum { 33, 55, 67, 88};ok +udp checksum != { 33, 55, 67, 88};ok + +# limit impact to lo +iif "lo" udp checksum set 0;ok +iif "lo" udp dport set 65535;ok diff --git a/tests/py/inet/udp.t.json b/tests/py/inet/udp.t.json new file mode 100644 index 0000000..665998e --- /dev/null +++ b/tests/py/inet/udp.t.json @@ -0,0 +1,583 @@ +# udp sport 80 accept +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp" + } + }, + "op": "==", + "right": 80 + } + }, + { + "accept": null + } +] + +# udp sport != 60 accept +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp" + } + }, + "op": "!=", + "right": 60 + } + }, + { + "accept": null + } +] + +# udp sport 50-70 accept +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp" + } + }, + "op": "==", + "right": { + "range": [ 50, 70 ] + } + } + }, + { + "accept": null + } +] + +# udp sport != 50-60 accept +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp" + } + }, + "op": "!=", + "right": { + "range": [ 50, 60 ] + } + } + }, + { + "accept": null + } +] + +# udp sport { 49, 50} drop +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp" + } + }, + "op": "==", + "right": { + "set": [ + 49, + 50 + ] + } + } + }, + { + "drop": null + } +] + +# udp sport != { 50, 60} accept +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp" + } + }, + "op": "!=", + "right": { + "set": [ + 50, + 60 + ] + } + } + }, + { + "accept": null + } +] + +# udp dport 80 accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 80 + } + }, + { + "accept": null + } +] + +# udp dport != 60 accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "!=", + "right": 60 + } + }, + { + "accept": null + } +] + +# udp dport 70-75 accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": { + "range": [ 70, 75 ] + } + } + }, + { + "accept": null + } +] + +# udp dport != 50-60 accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "!=", + "right": { + "range": [ 50, 60 ] + } + } + }, + { + "accept": null + } +] + +# udp dport { 49, 50} drop +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": { + "set": [ + 49, + 50 + ] + } + } + }, + { + "drop": null + } +] + +# udp dport != { 50, 60} accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "!=", + "right": { + "set": [ + 50, + 60 + ] + } + } + }, + { + "accept": null + } +] + +# udp length 6666 +[ + { + "match": { + "left": { + "payload": { + "field": "length", + "protocol": "udp" + } + }, + "op": "==", + "right": 6666 + } + } +] + +# udp length != 6666 +[ + { + "match": { + "left": { + "payload": { + "field": "length", + "protocol": "udp" + } + }, + "op": "!=", + "right": 6666 + } + } +] + +# udp length 50-65 accept +[ + { + "match": { + "left": { + "payload": { + "field": "length", + "protocol": "udp" + } + }, + "op": "==", + "right": { + "range": [ 50, 65 ] + } + } + }, + { + "accept": null + } +] + +# udp length != 50-65 accept +[ + { + "match": { + "left": { + "payload": { + "field": "length", + "protocol": "udp" + } + }, + "op": "!=", + "right": { + "range": [ 50, 65 ] + } + } + }, + { + "accept": null + } +] + +# udp length { 50, 65} accept +[ + { + "match": { + "left": { + "payload": { + "field": "length", + "protocol": "udp" + } + }, + "op": "==", + "right": { + "set": [ + 50, + 65 + ] + } + } + }, + { + "accept": null + } +] + +# udp length != { 50, 65} accept +[ + { + "match": { + "left": { + "payload": { + "field": "length", + "protocol": "udp" + } + }, + "op": "!=", + "right": { + "set": [ + 50, + 65 + ] + } + } + }, + { + "accept": null + } +] + +# udp checksum 6666 drop +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "udp" + } + }, + "op": "==", + "right": 6666 + } + }, + { + "drop": null + } +] + +# udp checksum != { 444, 555} accept +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "udp" + } + }, + "op": "!=", + "right": { + "set": [ + 444, + 555 + ] + } + } + }, + { + "accept": null + } +] + +# udp checksum 22 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "udp" + } + }, + "op": "==", + "right": 22 + } + } +] + +# udp checksum != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "udp" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# udp checksum 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "udp" + } + }, + "op": "==", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# udp checksum != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "udp" + } + }, + "op": "!=", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# udp checksum { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "udp" + } + }, + "op": "==", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# udp checksum != { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "udp" + } + }, + "op": "!=", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# iif "lo" udp checksum set 0 +[ + { + "match": { + "left": { + "meta": { "key": "iif" } + }, + "op": "==", + "right": "lo" + } + }, + { + "mangle": { + "key": { + "payload": { + "field": "checksum", + "protocol": "udp" + } + }, + "value": 0 + } + } +] + +# iif "lo" udp dport set 65535 +[ + { + "match": { + "left": { + "meta": { "key": "iif" } + }, + "op": "==", + "right": "lo" + } + }, + { + "mangle": { + "key": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "value": 65535 + } + } +] + diff --git a/tests/py/inet/udp.t.payload b/tests/py/inet/udp.t.payload new file mode 100644 index 0000000..e6beda7 --- /dev/null +++ b/tests/py/inet/udp.t.payload @@ -0,0 +1,248 @@ +# udp sport 80 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00005000 ] + [ immediate reg 0 accept ] + +# udp sport != 60 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp neq reg 1 0x00003c00 ] + [ immediate reg 0 accept ] + +# udp sport 50-70 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp gte reg 1 0x00003200 ] + [ cmp lte reg 1 0x00004600 ] + [ immediate reg 0 accept ] + +# udp sport != 50-60 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ range neq reg 1 0x00003200 0x00003c00 ] + [ immediate reg 0 accept ] + +# udp sport { 49, 50} drop +__set%d test-inet 3 +__set%d test-inet 0 + element 00003100 : 0 [end] element 00003200 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 drop ] + +# udp sport != { 50, 60} accept +__set%d test-inet 3 +__set%d test-inet 0 + element 00003200 : 0 [end] element 00003c00 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 0 accept ] + +# udp dport 80 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00005000 ] + [ immediate reg 0 accept ] + +# udp dport != 60 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp neq reg 1 0x00003c00 ] + [ immediate reg 0 accept ] + +# udp dport 70-75 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gte reg 1 0x00004600 ] + [ cmp lte reg 1 0x00004b00 ] + [ immediate reg 0 accept ] + +# udp dport != 50-60 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ range neq reg 1 0x00003200 0x00003c00 ] + [ immediate reg 0 accept ] + +# udp dport { 49, 50} drop +__set%d test-inet 3 +__set%d test-inet 0 + element 00003100 : 0 [end] element 00003200 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 drop ] + +# udp dport != { 50, 60} accept +__set%d test-inet 3 +__set%d test-inet 0 + element 00003200 : 0 [end] element 00003c00 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 0 accept ] + +# udp length 6666 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000a1a ] + +# udp length != 6666 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ cmp neq reg 1 0x00000a1a ] + +# udp length 50-65 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ cmp gte reg 1 0x00003200 ] + [ cmp lte reg 1 0x00004100 ] + [ immediate reg 0 accept ] + +# udp length != 50-65 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ range neq reg 1 0x00003200 0x00004100 ] + [ immediate reg 0 accept ] + +# udp length { 50, 65} accept +__set%d test-inet 3 +__set%d test-inet 0 + element 00003200 : 0 [end] element 00004100 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 accept ] + +# udp length != { 50, 65} accept +__set%d test-inet 3 +__set%d test-inet 0 + element 00003200 : 0 [end] element 00004100 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 0 accept ] + +# udp checksum 6666 drop +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ cmp eq reg 1 0x00000a1a ] + [ immediate reg 0 drop ] + +# udp checksum != { 444, 555} accept +__set%d test-inet 3 +__set%d test-inet 0 + element 0000bc01 : 0 [end] element 00002b02 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 0 accept ] + +# udp checksum 22 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# udp checksum != 233 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# udp checksum 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# udp checksum != 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# udp checksum { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# udp checksum != { 33, 55, 67, 88} +__set%d test-inet 3 +__set%d test-inet 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + +# iif "lo" udp checksum set 0 +inet test-inet input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ immediate reg 1 0x00000000 ] + [ payload write reg 1 => 2b @ transport header + 6 csum_type 1 csum_off 6 csum_flags 0x0 ] + +# iif "lo" udp dport set 65535 +inet test-inet input + [ meta load iif => reg 1 ] + [ cmp eq reg 1 0x00000001 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ immediate reg 1 0x0000ffff ] + [ payload write reg 1 => 2b @ transport header + 2 csum_type 1 csum_off 6 csum_flags 0x0 ] diff --git a/tests/py/inet/udplite.t b/tests/py/inet/udplite.t new file mode 100644 index 0000000..6a54709 --- /dev/null +++ b/tests/py/inet/udplite.t @@ -0,0 +1,38 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +udplite sport 80 accept;ok +udplite sport != 60 accept;ok +udplite sport 50-70 accept;ok +udplite sport != 50-60 accept;ok +udplite sport { 49, 50} drop;ok +udplite sport != { 49, 50} accept;ok + +udplite dport 80 accept;ok +udplite dport != 60 accept;ok +udplite dport 70-75 accept;ok +udplite dport != 50-60 accept;ok +udplite dport { 49, 50} drop;ok +udplite dport != { 49, 50} accept;ok + +- udplite csumcov 6666;ok +- udplite csumcov != 6666;ok +- udplite csumcov 50-65 accept;ok +- udplite csumcov != 50-65 accept;ok +- udplite csumcov { 50, 65} accept;ok +- udplite csumcov != { 50, 65} accept;ok + +udplite checksum 6666 drop;ok +udplite checksum != { 444, 555} accept;ok +udplite checksum 22;ok +udplite checksum != 233;ok +udplite checksum 33-45;ok +udplite checksum != 33-45;ok +udplite checksum { 33, 55, 67, 88};ok +udplite checksum != { 33, 55, 67, 88};ok diff --git a/tests/py/inet/udplite.t.json b/tests/py/inet/udplite.t.json new file mode 100644 index 0000000..713a534 --- /dev/null +++ b/tests/py/inet/udplite.t.json @@ -0,0 +1,413 @@ +# udplite sport 80 accept +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udplite" + } + }, + "op": "==", + "right": 80 + } + }, + { + "accept": null + } +] + +# udplite sport != 60 accept +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udplite" + } + }, + "op": "!=", + "right": 60 + } + }, + { + "accept": null + } +] + +# udplite sport 50-70 accept +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udplite" + } + }, + "op": "==", + "right": { + "range": [ 50, 70 ] + } + } + }, + { + "accept": null + } +] + +# udplite sport != 50-60 accept +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udplite" + } + }, + "op": "!=", + "right": { + "range": [ 50, 60 ] + } + } + }, + { + "accept": null + } +] + +# udplite sport { 49, 50} drop +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udplite" + } + }, + "op": "==", + "right": { + "set": [ + 49, + 50 + ] + } + } + }, + { + "drop": null + } +] + +# udplite sport != { 49, 50} accept +[ + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udplite" + } + }, + "op": "!=", + "right": { + "set": [ + 49, + 50 + ] + } + } + }, + { + "accept": null + } +] + +# udplite dport 80 accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udplite" + } + }, + "op": "==", + "right": 80 + } + }, + { + "accept": null + } +] + +# udplite dport != 60 accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udplite" + } + }, + "op": "!=", + "right": 60 + } + }, + { + "accept": null + } +] + +# udplite dport 70-75 accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udplite" + } + }, + "op": "==", + "right": { + "range": [ 70, 75 ] + } + } + }, + { + "accept": null + } +] + +# udplite dport != 50-60 accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udplite" + } + }, + "op": "!=", + "right": { + "range": [ 50, 60 ] + } + } + }, + { + "accept": null + } +] + +# udplite dport { 49, 50} drop +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udplite" + } + }, + "op": "==", + "right": { + "set": [ + 49, + 50 + ] + } + } + }, + { + "drop": null + } +] + +# udplite dport != { 49, 50} accept +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udplite" + } + }, + "op": "!=", + "right": { + "set": [ + 49, + 50 + ] + } + } + }, + { + "accept": null + } +] + +# udplite checksum 6666 drop +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "udplite" + } + }, + "op": "==", + "right": 6666 + } + }, + { + "drop": null + } +] + +# udplite checksum != { 444, 555} accept +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "udplite" + } + }, + "op": "!=", + "right": { + "set": [ + 444, + 555 + ] + } + } + }, + { + "accept": null + } +] + +# udplite checksum 22 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "udplite" + } + }, + "op": "==", + "right": 22 + } + } +] + +# udplite checksum != 233 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "udplite" + } + }, + "op": "!=", + "right": 233 + } + } +] + +# udplite checksum 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "udplite" + } + }, + "op": "==", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# udplite checksum != 33-45 +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "udplite" + } + }, + "op": "!=", + "right": { + "range": [ 33, 45 ] + } + } + } +] + +# udplite checksum { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "udplite" + } + }, + "op": "==", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + +# udplite checksum != { 33, 55, 67, 88} +[ + { + "match": { + "left": { + "payload": { + "field": "checksum", + "protocol": "udplite" + } + }, + "op": "!=", + "right": { + "set": [ + 33, + 55, + 67, + 88 + ] + } + } + } +] + diff --git a/tests/py/inet/udplite.t.payload b/tests/py/inet/udplite.t.payload new file mode 100644 index 0000000..de9d09e --- /dev/null +++ b/tests/py/inet/udplite.t.payload @@ -0,0 +1,178 @@ +# udplite sport 80 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp eq reg 1 0x00005000 ] + [ immediate reg 0 accept ] + +# udplite sport != 60 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp neq reg 1 0x00003c00 ] + [ immediate reg 0 accept ] + +# udplite sport 50-70 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp gte reg 1 0x00003200 ] + [ cmp lte reg 1 0x00004600 ] + [ immediate reg 0 accept ] + +# udplite sport != 50-60 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ range neq reg 1 0x00003200 0x00003c00 ] + [ immediate reg 0 accept ] + +# udplite sport { 49, 50} drop +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00003100 : 0 [end] element 00003200 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 drop ] + +# udplite sport != { 49, 50} accept +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00003100 : 0 [end] element 00003200 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 0 accept ] + +# udplite dport 80 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x00005000 ] + [ immediate reg 0 accept ] + +# udplite dport != 60 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp neq reg 1 0x00003c00 ] + [ immediate reg 0 accept ] + +# udplite dport 70-75 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gte reg 1 0x00004600 ] + [ cmp lte reg 1 0x00004b00 ] + [ immediate reg 0 accept ] + +# udplite dport != 50-60 accept +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ range neq reg 1 0x00003200 0x00003c00 ] + [ immediate reg 0 accept ] + +# udplite dport { 49, 50} drop +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00003100 : 0 [end] element 00003200 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d ] + [ immediate reg 0 drop ] + +# udplite dport != { 49, 50} accept +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00003100 : 0 [end] element 00003200 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 0 accept ] + +# udplite checksum 6666 drop +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ cmp eq reg 1 0x00000a1a ] + [ immediate reg 0 drop ] + +# udplite checksum != { 444, 555} accept +__set%d test-inet 3 +__set%d test-inet 0 + element 0000bc01 : 0 [end] element 00002b02 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + [ immediate reg 0 accept ] + +# udplite checksum 22 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ cmp eq reg 1 0x00001600 ] + +# udplite checksum != 233 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ cmp neq reg 1 0x0000e900 ] + +# udplite checksum 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ cmp gte reg 1 0x00002100 ] + [ cmp lte reg 1 0x00002d00 ] + +# udplite checksum != 33-45 +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ range neq reg 1 0x00002100 0x00002d00 ] + +# udplite checksum { 33, 55, 67, 88} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ lookup reg 1 set __set%d ] + +# udplite checksum != { 33, 55, 67, 88} +__set%d test-ip4 3 +__set%d test-ip4 0 + element 00002100 : 0 [end] element 00003700 : 0 [end] element 00004300 : 0 [end] element 00005800 : 0 [end] +inet test-inet input + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000088 ] + [ payload load 2b @ transport header + 6 => reg 1 ] + [ lookup reg 1 set __set%d 0x1 ] + diff --git a/tests/py/inet/vmap.t b/tests/py/inet/vmap.t new file mode 100644 index 0000000..0ac6e56 --- /dev/null +++ b/tests/py/inet/vmap.t @@ -0,0 +1,10 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop };ok;iifname . ip protocol . th dport vmap { "eth0" . 6 . 22 : accept, "eth1" . 17 . 67 : drop } +ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e };ok +udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept };ok diff --git a/tests/py/inet/vmap.t.json b/tests/py/inet/vmap.t.json new file mode 100644 index 0000000..37472cc --- /dev/null +++ b/tests/py/inet/vmap.t.json @@ -0,0 +1,144 @@ +# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop } +[ + { + "vmap": { + "data": { + "set": [ + [ + { + "concat": [ + "eth0", + 6, + 22 + ] + }, + { + "accept": null + } + ], + [ + { + "concat": [ + "eth1", + 17, + 67 + ] + }, + { + "drop": null + } + ] + ] + }, + "key": { + "concat": [ + { + "meta": { + "key": "iifname" + } + }, + { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + { + "payload": { + "field": "dport", + "protocol": "th" + } + } + ] + } + } + } +] + +# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } +[ + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + { + "payload": { + "base": "ih", + "len": 32, + "offset": 32 + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.1.1.1", + 20 + ] + }, + { + "concat": [ + "2.2.2.2", + 30 + ] + } + ] + } + } + } +] + +# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept } +[ + { + "vmap": { + "data": { + "set": [ + [ + { + "concat": [ + { + "range": [ + 47, + 63 + ] + }, + "0xe373135363130333131303735353203" + ] + }, + { + "accept": null + } + ] + ] + }, + "key": { + "concat": [ + { + "payload": { + "field": "length", + "protocol": "udp" + } + }, + { + "payload": { + "base": "th", + "len": 128, + "offset": 160 + } + } + ] + } + } + } +] + diff --git a/tests/py/inet/vmap.t.payload b/tests/py/inet/vmap.t.payload new file mode 100644 index 0000000..29ec846 --- /dev/null +++ b/tests/py/inet/vmap.t.payload @@ -0,0 +1,34 @@ +# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop } +__map%d test-inet b size 2 +__map%d test-inet 0 + element 30687465 00000000 00000000 00000000 00000006 00001600 : accept 0 [end] element 31687465 00000000 00000000 00000000 00000011 00004300 : drop 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ meta load iifname => reg 1 ] + [ payload load 1b @ network header + 9 => reg 2 ] + [ payload load 2b @ transport header + 2 => reg 13 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } +__set%d test-inet 3 size 2 +__set%d test-inet 0 + element 01010101 14000000 : 0 [end] element 02020202 1e000000 : 0 [end] +inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ inner header + 4 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept } +__map%d x 8f size 1 +__map%d x 0 + element 00002f00 3531370e 33303136 37303131 03323535 - 00003f00 3531370e 33303136 37303131 03323535 : accept 0 [end] +inet x y + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ payload load 16b @ transport header + 20 => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + diff --git a/tests/py/inet/vmap.t.payload.netdev b/tests/py/inet/vmap.t.payload.netdev new file mode 100644 index 0000000..3f51bb3 --- /dev/null +++ b/tests/py/inet/vmap.t.payload.netdev @@ -0,0 +1,34 @@ +# iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop } +__map%d test-netdev b size 2 +__map%d test-netdev 0 + element 30687465 00000000 00000000 00000000 00000006 00001600 : accept 0 [end] element 31687465 00000000 00000000 00000000 00000011 00004300 : drop 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ meta load iifname => reg 1 ] + [ payload load 1b @ network header + 9 => reg 2 ] + [ payload load 2b @ transport header + 2 => reg 13 ] + [ lookup reg 1 set __map%d dreg 0 ] + +# ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } +__set%d test-netdev 3 size 2 +__set%d test-netdev 0 + element 01010101 14000000 : 0 [end] element 02020202 1e000000 : 0 [end] +netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ inner header + 4 => reg 9 ] + [ lookup reg 1 set __set%d ] + +# udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept } +__map%d test-netdev 8f size 1 +__map%d test-netdev 0 + element 00002f00 3531370e 33303136 37303131 03323535 - 00003f00 3531370e 33303136 37303131 03323535 : accept 0 [end] +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 4 => reg 1 ] + [ payload load 16b @ transport header + 20 => reg 9 ] + [ lookup reg 1 set __map%d dreg 0 ] + diff --git a/tests/py/inet/vxlan.t b/tests/py/inet/vxlan.t new file mode 100644 index 0000000..10cdb7a --- /dev/null +++ b/tests/py/inet/vxlan.t @@ -0,0 +1,23 @@ +:input;type filter hook input priority 0 +:ingress;type filter hook ingress device lo priority 0 +:egress;type filter hook egress device lo priority 0 + +*ip;test-ip4;input +*ip6;test-ip6;input +*inet;test-inet;input +*netdev;test-netdev;ingress,egress + +vxlan vni 10;fail +udp dport 4789 vxlan vni 10;ok +udp dport 4789 vxlan ip saddr 10.141.11.2;ok +udp dport 4789 vxlan ip saddr 10.141.11.0/24;ok +udp dport 4789 vxlan ip protocol 1;ok +udp dport 4789 vxlan udp sport 8888;ok +udp dport 4789 vxlan icmp type echo-reply;ok +udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05;ok +udp dport 4789 vxlan vlan id 10;ok +udp dport 4789 vxlan ip dscp 0x02;ok +udp dport 4789 vxlan ip dscp 0x02;ok +udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 };ok + +udp dport 4789 vxlan ip saddr set 1.2.3.4;fail diff --git a/tests/py/inet/vxlan.t.json b/tests/py/inet/vxlan.t.json new file mode 100644 index 0000000..91b3d29 --- /dev/null +++ b/tests/py/inet/vxlan.t.json @@ -0,0 +1,344 @@ +# udp dport 4789 vxlan vni 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "vni", + "protocol": "vxlan", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 4789 vxlan ip saddr 10.141.11.2 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": "10.141.11.2" + } + } +] + +# udp dport 4789 vxlan ip saddr 10.141.11.0/24 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": { + "prefix": { + "addr": "10.141.11.0", + "len": 24 + } + } + } + } +] + +# udp dport 4789 vxlan ip protocol 1 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 1 + } + } +] + +# udp dport 4789 vxlan udp sport 8888 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "udp", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 8888 + } + } +] + +# udp dport 4789 vxlan icmp type echo-reply +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "type", + "protocol": "icmp", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": "echo-reply" + } + } +] + +# udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ether", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": "62:87:4d:d6:19:05" + } + } +] + +# udp dport 4789 vxlan vlan id 10 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "id", + "protocol": "vlan", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 10 + } + } +] + +# udp dport 4789 vxlan ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 4789 vxlan ip dscp 0x02 +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "payload": { + "field": "dscp", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + "op": "==", + "right": 2 + } + } +] + +# udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 } +[ + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "udp" + } + }, + "op": "==", + "right": 4789 + } + }, + { + "match": { + "left": { + "concat": [ + { + "payload": { + "field": "saddr", + "protocol": "ip", + "tunnel": "vxlan" + } + }, + { + "payload": { + "field": "daddr", + "protocol": "ip", + "tunnel": "vxlan" + } + } + ] + }, + "op": "==", + "right": { + "set": [ + { + "concat": [ + "1.2.3.4", + "4.3.2.1" + ] + } + ] + } + } + } +] + diff --git a/tests/py/inet/vxlan.t.payload b/tests/py/inet/vxlan.t.payload new file mode 100644 index 0000000..cde8e56 --- /dev/null +++ b/tests/py/inet/vxlan.t.payload @@ -0,0 +1,114 @@ +# udp dport 4789 vxlan vni 10 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ] + [ cmp eq reg 1 0x000a0000 ] + +# udp dport 4789 vxlan ip saddr 10.141.11.2 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x020b8d0a ] + +# udp dport 4789 vxlan ip saddr 10.141.11.0/24 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 3b @ network header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x000b8d0a ] + +# udp dport 4789 vxlan ip protocol 1 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 1b @ network header + 9 => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + +# udp dport 4789 vxlan udp sport 8888 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000011 ] + [ inner type 1 hdrsize 8 flags f [ payload load 2b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x0000b822 ] + +# udp dport 4789 vxlan icmp type echo-reply +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ meta load l4proto => reg 1 ] ] + [ cmp eq reg 1 0x00000001 ] + [ inner type 1 hdrsize 8 flags f [ payload load 1b @ transport header + 0 => reg 1 ] ] + [ cmp eq reg 1 0x00000000 ] + +# udp dport 4789 vxlan ether saddr 62:87:4d:d6:19:05 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ payload load 6b @ link header + 6 => reg 1 ] ] + [ cmp eq reg 1 0xd64d8762 0x00000519 ] + +# udp dport 4789 vxlan vlan id 10 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ payload load 2b @ link header + 12 => reg 1 ] ] + [ cmp eq reg 1 0x00000081 ] + [ inner type 1 hdrsize 8 flags f [ payload load 2b @ link header + 14 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000a00 ] + +# udp dport 4789 vxlan ip dscp 0x02 +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 1b @ network header + 1 => reg 1 ] ] + [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] + [ cmp eq reg 1 0x00000008 ] + +# udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 } +__set%d test-netdev 3 size 1 +__set%d test-netdev 0 + element 04030201 01020304 : 0 [end] +netdev test-netdev ingress + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000011 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp eq reg 1 0x0000b512 ] + [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ] + [ cmp eq reg 1 0x00000008 ] + [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ] + [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 16 => reg 9 ] ] + [ lookup reg 1 set __set%d ] + |