Very basic testing, just a set definition, a rule which references it and another one with an anonymous set. Sadly this is already enough to expose some pending issues:
* Payload dependency killing ignores the concatenated IP header expressions on LHS, so rule output is asymmetric.
* Anonymous sets don't accept concatenated ranges yet, so the second rule is manually disabled for now.
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
Changes since v1:
- New patch.
---
 tests/py/inet/sets.t | 6 +++++
 tests/py/inet/sets.t.json | 35 +++++++++++++++++++++++++++++
 tests/py/inet/sets.t.payload.bridge | 13 +++++++++++
 tests/py/inet/sets.t.payload.inet | 11 +++++++++
 tests/py/inet/sets.t.payload.netdev | 12 ++++++++++
 5 files changed, 77 insertions(+)
diff --git a/tests/py/inet/sets.t b/tests/py/inet/sets.t
index daf8f2d6ca302..e0b0ee867f9b7 100644
--- a/tests/py/inet/sets.t
+++ b/tests/py/inet/sets.t
@@ -16,3 +16,9 @@ ip saddr != @set2 drop;fail
 ip6 daddr != @set2 accept;ok
 ip6 daddr @set1 drop;fail
+
+!set3 type ipv4_addr . ipv4_addr . inet_service flags interval;ok
+?set3 10.0.0.0/8 . 192.168.1.3-192.168.1.9 . 1024-65535;ok
+
+ip saddr . ip daddr . tcp dport @set3 accept;ok
+-ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept;ok
diff --git a/tests/py/inet/sets.t.json b/tests/py/inet/sets.t.json
index bcb638f2664d5..58e19ef647058 100644
--- a/tests/py/inet/sets.t.json
+++ b/tests/py/inet/sets.t.json
@@ -36,3 +36,38 @@
 }
 ]
+# ip saddr . ip daddr . tcp dport @set3 accept
+[
+ {
+ "match": {
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip"
+ }
+ },
+ {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ }
+ ]
+ },
+ "op": "==",
+ "right": "@set3"
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
diff --git a/tests/py/inet/sets.t.payload.bridge b/tests/py/inet/sets.t.payload.bridge
index f5aaab1d79bc6..089d9dd7a28dd 100644
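Review bot: The disabled rule at the end of the tests/py/inet/sets.t hunk (`-ip daddr . tcp dport { ... } accept;ok`) has no explanation in the file itself; the reason, that anonymous sets do not accept concatenated ranges yet, is given only in the commit message. A comment line directly above it, for example `# disabled: anonymous sets don't accept concatenated ranges yet`, would keep the reason next to the rule, assuming the .t format treats `#` lines as comments. The patch also adds no JSON or payload expectations for this rule, so they will have to be recorded when it is re-enabled. Coverage of set3 is a single positive lookup; a case expected to fail would make the test more useful for a set that decides accept verdicts.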
--- a/tests/py/inet/sets.t.payload.bridge
+++ b/tests/py/inet/sets.t.payload.bridge
@@ -13,3 +13,16 @@ bridge test-inet input
 [ payload load 16b @ network header + 24 => reg 1 ]
 [ lookup reg 1 set set2 0x1 ]
 [ immediate reg 0 accept ]
+
+# ip saddr . ip daddr . tcp dport @set3 accept
+bridge
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ payload load 2b @ transport header + 2 => reg 10 ]
+ [ lookup reg 1 set set3 ]
+ [ immediate reg 0 accept ]
+
diff --git a/tests/py/inet/sets.t.payload.inet b/tests/py/inet/sets.t.payload.inet
index 1584fc07451eb..c5acd6103a038 100644
--- a/tests/py/inet/sets.t.payload.inet
+++ b/tests/py/inet/sets.t.payload.inet
@@ -14,4 +14,15 @@ inet test-inet input
 [ lookup reg 1 set set2 0x1 ]
 [ immediate reg 0 accept ]
+# ip saddr . ip daddr . tcp dport @set3 accept
+inet
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ payload load 2b @ transport header + 2 => reg 10 ]
+ [ lookup reg 1 set set3 ]
+ [ immediate reg 0 accept ]
diff --git a/tests/py/inet/sets.t.payload.netdev b/tests/py/inet/sets.t.payload.netdev
index 9c94e38429fb7..82994eabf48b7 100644
--- a/tests/py/inet/sets.t.payload.netdev
+++ b/tests/py/inet/sets.t.payload.netdev
@@ -14,3 +14,15 @@ netdev test-netdev ingress
 [ lookup reg 1 set set2 0x1 ]
 [ immediate reg 0 accept ]
+# ip saddr . ip daddr . tcp dport @ set3 accept
+inet
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ payload load 2b @ transport header + 2 => reg 10 ]
+ [ lookup reg 1 set set3 ]
+ [ immediate reg 0 accept ]
+
--
2.25.1
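Review bot: In tests/py/inet/sets.t.payload.netdev the new rule comment reads `# ip saddr . ip daddr . tcp dport @ set3 accept`, with a space after `@` that the rule in sets.t and the bridge and inet payload files do not have. If the harness finds expected payloads by that comment text, this entry would presumably never be matched to the rule, so it should read `# ip saddr . ip daddr . tcp dport @set3 accept`. The entry is also headed `inet` and checks `meta load nfproto` against 0x00000002, the same as the inet file, whereas the bridge payload in this patch uses `meta load protocol` against 0x00000008. It looks copied from the inet file rather than recorded on the netdev ingress chain, so it is worth re-recording; otherwise the expected bytecode may not reflect the dependency check a netdev rule actually gets.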