Add missing "ih" base raw payload and extend tests/py to cover this new usecase. Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> --- src/parser_json.c | 2 ++ tests/py/any/rawpayload.t | 2 ++ tests/py/any/rawpayload.t.json | 17 +++++++++++++++++ tests/py/any/rawpayload.t.payload | 6 ++++++ 4 files changed, 27 insertions(+) diff --git a/src/parser_json.c b/src/parser_json.c index 3cd21175b236..7a2d30ff665c 100644 --- a/src/parser_json.c +++ b/src/parser_json.c @@ -558,6 +558,8 @@ static struct expr *json_parse_payload_expr(struct json_ctx *ctx, val = PROTO_BASE_NETWORK_HDR; } else if (!strcmp(base, "th")) { val = PROTO_BASE_TRANSPORT_HDR; + } else if (!strcmp(base, "ih")) { + val = PROTO_BASE_INNER_HDR; } else { json_error(ctx, "Invalid payload base '%s'.", base); return NULL; diff --git a/tests/py/any/rawpayload.t b/tests/py/any/rawpayload.t index 9fe377e24397..128e8088c4e5 100644 --- a/tests/py/any/rawpayload.t +++ b/tests/py/any/rawpayload.t @@ -18,3 +18,5 @@ meta l4proto tcp @th,16,16 { 22, 23, 80};ok;tcp dport { 22, 23, 80} @ll,0,1 1;ok;@ll,0,8 & 0x80 == 0x80 @ll,0,8 & 0x80 == 0x80;ok @ll,0,128 0xfedcba987654321001234567890abcde;ok + +@ih,32,32 0x14000000;ok diff --git a/tests/py/any/rawpayload.t.json b/tests/py/any/rawpayload.t.json index 9481d9bf543b..b5115e0ddacf 100644 --- a/tests/py/any/rawpayload.t.json +++ b/tests/py/any/rawpayload.t.json @@ -156,3 +156,20 @@ } ] +# @ih,32,32 0x14000000 +[ + { + "match": { + "left": { + "payload": { + "base": "ih", + "len": 32, + "offset": 32 + } + }, + "op": "==", + "right": 335544320 + } + } +] + diff --git a/tests/py/any/rawpayload.t.payload b/tests/py/any/rawpayload.t.payload index d2b38183cc95..61c41cb976d6 100644 --- a/tests/py/any/rawpayload.t.payload +++ b/tests/py/any/rawpayload.t.payload @@ -47,3 +47,9 @@ inet test-inet input inet test-inet input [ payload load 16b @ link header + 0 => reg 1 ] [ cmp eq reg 1 0x98badcfe 0x10325476 0x67452301 0xdebc0a89 ] + +# @ih,32,32 0x14000000 +inet test-inet input + [ payload load 4b @ inner header + 4 => reg 1 ] + [ cmp eq reg 1 0x00000014 ] + -- 2.30.2