Very basic testing, just a set definition, a rule which references it
and another one with an anonymous set.
Sadly this is already enough to expose some pending issues:
* Payload dependency killing ignores the concatenated IP header
expressions on LHS, so rule output is asymmetric.
* Anonymous sets don't accept concatenated ranges yet, so the second
rule is manually disabled for now.
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
Changes since v1:
- New patch.
---
tests/py/inet/sets.t | 6 +++++
tests/py/inet/sets.t.json | 35 +++++++++++++++++++++++++++++
tests/py/inet/sets.t.payload.bridge | 13 +++++++++++
tests/py/inet/sets.t.payload.inet | 11 +++++++++
tests/py/inet/sets.t.payload.netdev | 12 ++++++++++
5 files changed, 77 insertions(+)
diff --git a/tests/py/inet/sets.t b/tests/py/inet/sets.t
index daf8f2d6ca302..e0b0ee867f9b7 100644
--- a/tests/py/inet/sets.t
+++ b/tests/py/inet/sets.t
@@ -16,3 +16,9 @@ ip saddr != @set2 drop;fail
ip6 daddr != @set2 accept;ok
ip6 daddr @set1 drop;fail
+
+!set3 type ipv4_addr . ipv4_addr . inet_service flags interval;ok
+?set3 10.0.0.0/8 . 192.168.1.3-192.168.1.9 . 1024-65535;ok
+
+ip saddr . ip daddr . tcp dport @set3 accept;ok
+-ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept;ok
diff --git a/tests/py/inet/sets.t.json b/tests/py/inet/sets.t.json
index bcb638f2664d5..58e19ef647058 100644
--- a/tests/py/inet/sets.t.json
+++ b/tests/py/inet/sets.t.json
@@ -36,3 +36,38 @@
}
]
+# ip saddr . ip daddr . tcp dport @set3 accept
+[
+ {
+ "match": {
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip"
+ }
+ },
+ {
+ "payload": {
+ "field": "dport",
+ "protocol": "tcp"
+ }
+ }
+ ]
+ },
+ "op": "==",
+ "right": "@set3"
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
diff --git a/tests/py/inet/sets.t.payload.bridge b/tests/py/inet/sets.t.payload.bridge
index f5aaab1d79bc6..089d9dd7a28dd 100644
--- a/tests/py/inet/sets.t.payload.bridge
+++ b/tests/py/inet/sets.t.payload.bridge
@@ -13,3 +13,16 @@ bridge test-inet input
[ payload load 16b @ network header + 24 => reg 1 ]
[ lookup reg 1 set set2 0x1 ]
[ immediate reg 0 accept ]
+
+# ip saddr . ip daddr . tcp dport @set3 accept
+bridge
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ payload load 2b @ transport header + 2 => reg 10 ]
+ [ lookup reg 1 set set3 ]
+ [ immediate reg 0 accept ]
+
diff --git a/tests/py/inet/sets.t.payload.inet b/tests/py/inet/sets.t.payload.inet
index 1584fc07451eb..c5acd6103a038 100644
--- a/tests/py/inet/sets.t.payload.inet
+++ b/tests/py/inet/sets.t.payload.inet
@@ -14,4 +14,15 @@ inet test-inet input
[ lookup reg 1 set set2 0x1 ]
[ immediate reg 0 accept ]
+# ip saddr . ip daddr . tcp dport @set3 accept
+inet
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ payload load 2b @ transport header + 2 => reg 10 ]
+ [ lookup reg 1 set set3 ]
+ [ immediate reg 0 accept ]
diff --git a/tests/py/inet/sets.t.payload.netdev b/tests/py/inet/sets.t.payload.netdev
index 9c94e38429fb7..82994eabf48b7 100644
--- a/tests/py/inet/sets.t.payload.netdev
+++ b/tests/py/inet/sets.t.payload.netdev
@@ -14,3 +14,15 @@ netdev test-netdev ingress
[ lookup reg 1 set set2 0x1 ]
[ immediate reg 0 accept ]
+# ip saddr . ip daddr . tcp dport @ set3 accept
+inet
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ payload load 2b @ transport header + 2 => reg 10 ]
+ [ lookup reg 1 set set3 ]
+ [ immediate reg 0 accept ]
+
--
2.25.1
