test/test/test_acl.h

   1 /* SPDX-License-Identifier: BSD-3-Clause
   2  * Copyright(c) 2010-2014 Intel Corporation
   3  */
   4
   5 #ifndef TEST_ACL_H_
   6 #define TEST_ACL_H_
   7
   8 struct ipv4_7tuple {
   9         uint16_t vlan;
  10         uint16_t domain;
  11         uint8_t proto;
  12         uint32_t ip_src;
  13         uint32_t ip_dst;
  14         uint16_t port_src;
  15         uint16_t port_dst;
  16         uint32_t allow;
  17         uint32_t deny;
  18 };
  19
  20 /**
  21  * Legacy support for 7-tuple IPv4 and VLAN rule.
  22  * This structure and corresponding API is deprecated.
  23  */
  24 struct rte_acl_ipv4vlan_rule {
  25         struct rte_acl_rule_data data; /**< Miscellaneous data for the rule. */
  26         uint8_t proto;                 /**< IPv4 protocol ID. */
  27         uint8_t proto_mask;            /**< IPv4 protocol ID mask. */
  28         uint16_t vlan;                 /**< VLAN ID. */
  29         uint16_t vlan_mask;            /**< VLAN ID mask. */
  30         uint16_t domain;               /**< VLAN domain. */
  31         uint16_t domain_mask;          /**< VLAN domain mask. */
  32         uint32_t src_addr;             /**< IPv4 source address. */
  33         uint32_t src_mask_len;         /**< IPv4 source address mask. */
  34         uint32_t dst_addr;             /**< IPv4 destination address. */
  35         uint32_t dst_mask_len;         /**< IPv4 destination address mask. */
  36         uint16_t src_port_low;         /**< L4 source port low. */
  37         uint16_t src_port_high;        /**< L4 source port high. */
  38         uint16_t dst_port_low;         /**< L4 destination port low. */
  39         uint16_t dst_port_high;        /**< L4 destination port high. */
  40 };
  41
  42 /**
  43  * Specifies fields layout inside rte_acl_rule for rte_acl_ipv4vlan_rule.
  44  */
  45 enum {
  46         RTE_ACL_IPV4VLAN_PROTO_FIELD,
  47         RTE_ACL_IPV4VLAN_VLAN1_FIELD,
  48         RTE_ACL_IPV4VLAN_VLAN2_FIELD,
  49         RTE_ACL_IPV4VLAN_SRC_FIELD,
  50         RTE_ACL_IPV4VLAN_DST_FIELD,
  51         RTE_ACL_IPV4VLAN_SRCP_FIELD,
  52         RTE_ACL_IPV4VLAN_DSTP_FIELD,
  53         RTE_ACL_IPV4VLAN_NUM_FIELDS
  54 };
  55
  56 /**
  57  * Macro to define rule size for rte_acl_ipv4vlan_rule.
  58  */
  59 #define RTE_ACL_IPV4VLAN_RULE_SZ        \
  60         RTE_ACL_RULE_SZ(RTE_ACL_IPV4VLAN_NUM_FIELDS)
  61
  62 /*
  63  * That effectively defines order of IPV4VLAN classifications:
  64  *  - PROTO
  65  *  - VLAN (TAG and DOMAIN)
  66  *  - SRC IP ADDRESS
  67  *  - DST IP ADDRESS
  68  *  - PORTS (SRC and DST)
  69  */
  70 enum {
  71         RTE_ACL_IPV4VLAN_PROTO,
  72         RTE_ACL_IPV4VLAN_VLAN,
  73         RTE_ACL_IPV4VLAN_SRC,
  74         RTE_ACL_IPV4VLAN_DST,
  75         RTE_ACL_IPV4VLAN_PORTS,
  76         RTE_ACL_IPV4VLAN_NUM
  77 };
  78
  79 /* rules for invalid layout test */
  80 struct rte_acl_ipv4vlan_rule invalid_layout_rules[] = {
  81                 /* test src and dst address */
  82                 {
  83                                 .data = {.userdata = 1, .category_mask = 1},
  84                                 .src_addr = IPv4(10,0,0,0),
  85                                 .src_mask_len = 24,
  86                 },
  87                 {
  88                                 .data = {.userdata = 2, .category_mask = 1},
  89                                 .dst_addr = IPv4(10,0,0,0),
  90                                 .dst_mask_len = 24,
  91                 },
  92                 /* test src and dst ports */
  93                 {
  94                                 .data = {.userdata = 3, .category_mask = 1},
  95                                 .dst_port_low = 100,
  96                                 .dst_port_high = 100,
  97                 },
  98                 {
  99                                 .data = {.userdata = 4, .category_mask = 1},
 100                                 .src_port_low = 100,
 101                                 .src_port_high = 100,
 102                 },
 103                 /* test proto */
 104                 {
 105                                 .data = {.userdata = 5, .category_mask = 1},
 106                                 .proto = 0xf,
 107                                 .proto_mask = 0xf
 108                 },
 109                 {
 110                                 .data = {.userdata = 6, .category_mask = 1},
 111                                 .dst_port_low = 0xf,
 112                                 .dst_port_high = 0xf,
 113                 }
 114 };
 115
 116 /* these might look odd because they don't match up the rules. This is
 117  * intentional, as the invalid layout test presumes returning the correct
 118  * results using the wrong data layout.
 119  */
 120 struct ipv4_7tuple invalid_layout_data[] = {
 121                 {.ip_src = IPv4(10,0,1,0)},             /* should not match */
 122                 {.ip_src = IPv4(10,0,0,1), .allow = 2}, /* should match 2 */
 123                 {.port_src = 100, .allow = 4},          /* should match 4 */
 124                 {.port_dst = 0xf, .allow = 6},          /* should match 6 */
 125 };
 126
 127 #define ACL_ALLOW 0
 128 #define ACL_DENY 1
 129 #define ACL_ALLOW_MASK 0x1
 130 #define ACL_DENY_MASK  0x2
 131
 132 /* ruleset for ACL unit test */
 133 struct rte_acl_ipv4vlan_rule acl_test_rules[] = {
 134 /* destination IP addresses */
 135                 /* matches all packets traveling to 192.168.0.0/16 */
 136                 {
 137                                 .data = {.userdata = 1, .category_mask = ACL_ALLOW_MASK,
 138                                                 .priority = 230},
 139                                 .dst_addr = IPv4(192,168,0,0),
 140                                 .dst_mask_len = 16,
 141                                 .src_port_low = 0,
 142                                 .src_port_high = 0xffff,
 143                                 .dst_port_low = 0,
 144                                 .dst_port_high = 0xffff,
 145                 },
 146                 /* matches all packets traveling to 192.168.1.0/24 */
 147                 {
 148                                 .data = {.userdata = 2, .category_mask = ACL_ALLOW_MASK,
 149                                                 .priority = 330},
 150                                 .dst_addr = IPv4(192,168,1,0),
 151                                 .dst_mask_len = 24,
 152                                 .src_port_low = 0,
 153                                 .src_port_high = 0xffff,
 154                                 .dst_port_low = 0,
 155                                 .dst_port_high = 0xffff,
 156                 },
 157                 /* matches all packets traveling to 192.168.1.50 */
 158                 {
 159                                 .data = {.userdata = 3, .category_mask = ACL_DENY_MASK,
 160                                                 .priority = 230},
 161                                 .dst_addr = IPv4(192,168,1,50),
 162                                 .dst_mask_len = 32,
 163                                 .src_port_low = 0,
 164                                 .src_port_high = 0xffff,
 165                                 .dst_port_low = 0,
 166                                 .dst_port_high = 0xffff,
 167                 },
 168
 169 /* source IP addresses */
 170                 /* matches all packets traveling from 10.0.0.0/8 */
 171                 {
 172                                 .data = {.userdata = 4, .category_mask = ACL_ALLOW_MASK,
 173                                                 .priority = 240},
 174                                 .src_addr = IPv4(10,0,0,0),
 175                                 .src_mask_len = 8,
 176                                 .src_port_low = 0,
 177                                 .src_port_high = 0xffff,
 178                                 .dst_port_low = 0,
 179                                 .dst_port_high = 0xffff,
 180                 },
 181                 /* matches all packets traveling from 10.1.1.0/24 */
 182                 {
 183                                 .data = {.userdata = 5, .category_mask = ACL_ALLOW_MASK,
 184                                                 .priority = 340},
 185                                 .src_addr = IPv4(10,1,1,0),
 186                                 .src_mask_len = 24,
 187                                 .src_port_low = 0,
 188                                 .src_port_high = 0xffff,
 189                                 .dst_port_low = 0,
 190                                 .dst_port_high = 0xffff,
 191                 },
 192                 /* matches all packets traveling from 10.1.1.1 */
 193                 {
 194                                 .data = {.userdata = 6, .category_mask = ACL_DENY_MASK,
 195                                                 .priority = 240},
 196                                 .src_addr = IPv4(10,1,1,1),
 197                                 .src_mask_len = 32,
 198                                 .src_port_low = 0,
 199                                 .src_port_high = 0xffff,
 200                                 .dst_port_low = 0,
 201                                 .dst_port_high = 0xffff,
 202                 },
 203
 204 /* VLAN tag */
 205                 /* matches all packets with lower 7 bytes of VLAN tag equal to 0x64  */
 206                 {
 207                                 .data = {.userdata = 7, .category_mask = ACL_ALLOW_MASK,
 208                                                 .priority = 260},
 209                                 .vlan = 0x64,
 210                                 .vlan_mask = 0x7f,
 211                                 .src_port_low = 0,
 212                                 .src_port_high = 0xffff,
 213                                 .dst_port_low = 0,
 214                                 .dst_port_high = 0xffff,
 215                 },
 216                 /* matches all packets with VLAN tags that have 0x5 in them */
 217                 {
 218                                 .data = {.userdata = 8, .category_mask = ACL_ALLOW_MASK,
 219                                                 .priority = 260},
 220                                 .vlan = 0x5,
 221                                 .vlan_mask = 0x5,
 222                                 .src_port_low = 0,
 223                                 .src_port_high = 0xffff,
 224                                 .dst_port_low = 0,
 225                                 .dst_port_high = 0xffff,
 226                 },
 227                 /* matches all packets with VLAN tag 5 */
 228                 {
 229                                 .data = {.userdata = 9, .category_mask = ACL_DENY_MASK,
 230                                                 .priority = 360},
 231                                 .vlan = 0x5,
 232                                 .vlan_mask = 0xffff,
 233                                 .src_port_low = 0,
 234                                 .src_port_high = 0xffff,
 235                                 .dst_port_low = 0,
 236                                 .dst_port_high = 0xffff,
 237                 },
 238
 239 /* VLAN domain */
 240                 /* matches all packets with lower 7 bytes of domain equal to 0x64  */
 241                 {
 242                                 .data = {.userdata = 10, .category_mask = ACL_ALLOW_MASK,
 243                                                 .priority = 250},
 244                                 .domain = 0x64,
 245                                 .domain_mask = 0x7f,
 246                                 .src_port_low = 0,
 247                                 .src_port_high = 0xffff,
 248                                 .dst_port_low = 0,
 249                                 .dst_port_high = 0xffff,
 250                 },
 251                 /* matches all packets with domains that have 0x5 in them */
 252                 {
 253                                 .data = {.userdata = 11, .category_mask = ACL_ALLOW_MASK,
 254                                                 .priority = 350},
 255                                 .domain = 0x5,
 256                                 .domain_mask = 0x5,
 257                                 .src_port_low = 0,
 258                                 .src_port_high = 0xffff,
 259                                 .dst_port_low = 0,
 260                                 .dst_port_high = 0xffff,
 261                 },
 262                 /* matches all packets with domain 5 */
 263                 {
 264                                 .data = {.userdata = 12, .category_mask = ACL_DENY_MASK,
 265                                                 .priority = 350},
 266                                 .domain = 0x5,
 267                                 .domain_mask = 0xffff,
 268                                 .src_port_low = 0,
 269                                 .src_port_high = 0xffff,
 270                                 .dst_port_low = 0,
 271                                 .dst_port_high = 0xffff,
 272                 },
 273
 274 /* destination port */
 275                 /* matches everything with dst port 80 */
 276                 {
 277                                 .data = {.userdata = 13, .category_mask = ACL_ALLOW_MASK,
 278                                                 .priority = 310},
 279                                 .dst_port_low = 80,
 280                                 .dst_port_high = 80,
 281                                 .src_port_low = 0,
 282                                 .src_port_high = 0xffff,
 283                 },
 284                 /* matches everything with dst port 22-1023 */
 285                 {
 286                                 .data = {.userdata = 14, .category_mask = ACL_ALLOW_MASK,
 287                                                 .priority = 210},
 288                                 .dst_port_low = 22,
 289                                 .dst_port_high = 1023,
 290                                 .src_port_low = 0,
 291                                 .src_port_high = 0xffff,
 292                 },
 293                 /* matches everything with dst port 1020 */
 294                 {
 295                                 .data = {.userdata = 15, .category_mask = ACL_DENY_MASK,
 296                                                 .priority = 310},
 297                                 .dst_port_low = 1020,
 298                                 .dst_port_high = 1020,
 299                                 .src_port_low = 0,
 300                                 .src_port_high = 0xffff,
 301                 },
 302                 /* matches everything with dst portrange  1000-2000 */
 303                 {
 304                                 .data = {.userdata = 16, .category_mask = ACL_DENY_MASK,
 305                                                 .priority = 210},
 306                                 .dst_port_low = 1000,
 307                                 .dst_port_high = 2000,
 308                                 .src_port_low = 0,
 309                                 .src_port_high = 0xffff,
 310                 },
 311
 312 /* source port */
 313                 /* matches everything with src port 80 */
 314                 {
 315                                 .data = {.userdata = 17, .category_mask = ACL_ALLOW_MASK,
 316                                                 .priority = 320},
 317                                 .src_port_low = 80,
 318                                 .src_port_high = 80,
 319                                 .dst_port_low = 0,
 320                                 .dst_port_high = 0xffff,
 321                 },
 322                 /* matches everything with src port 22-1023 */
 323                 {
 324                                 .data = {.userdata = 18, .category_mask = ACL_ALLOW_MASK,
 325                                                 .priority = 220},
 326                                 .src_port_low = 22,
 327                                 .src_port_high = 1023,
 328                                 .dst_port_low = 0,
 329                                 .dst_port_high = 0xffff,
 330                 },
 331                 /* matches everything with src port 1020 */
 332                 {
 333                                 .data = {.userdata = 19, .category_mask = ACL_DENY_MASK,
 334                                                 .priority = 320},
 335                                 .src_port_low = 1020,
 336                                 .src_port_high = 1020,
 337                                 .dst_port_low = 0,
 338                                 .dst_port_high = 0xffff,
 339                 },
 340                 /* matches everything with src portrange  1000-2000 */
 341                 {
 342                                 .data = {.userdata = 20, .category_mask = ACL_DENY_MASK,
 343                                                 .priority = 220},
 344                                 .src_port_low = 1000,
 345                                 .src_port_high = 2000,
 346                                 .dst_port_low = 0,
 347                                 .dst_port_high = 0xffff,
 348                 },
 349
 350 /* protocol number */
 351                 /* matches all packets with protocol number either 0x64 or 0xE4 */
 352                 {
 353                                 .data = {.userdata = 21, .category_mask = ACL_ALLOW_MASK,
 354                                                 .priority = 270},
 355                                 .proto = 0x64,
 356                                 .proto_mask = 0x7f,
 357                                 .src_port_low = 0,
 358                                 .src_port_high = 0xffff,
 359                                 .dst_port_low = 0,
 360                                 .dst_port_high = 0xffff,
 361                 },
 362                 /* matches all packets with protocol that have 0x5 in them */
 363                 {
 364                                 .data = {.userdata = 22, .category_mask = ACL_ALLOW_MASK,
 365                                                 .priority = 1},
 366                                 .proto = 0x5,
 367                                 .proto_mask = 0x5,
 368                                 .src_port_low = 0,
 369                                 .src_port_high = 0xffff,
 370                                 .dst_port_low = 0,
 371                                 .dst_port_high = 0xffff,
 372                 },
 373                 /* matches all packets with protocol 5 */
 374                 {
 375                                 .data = {.userdata = 23, .category_mask = ACL_DENY_MASK,
 376                                                 .priority = 370},
 377                                 .proto = 0x5,
 378                                 .proto_mask = 0xff,
 379                                 .src_port_low = 0,
 380                                 .src_port_high = 0xffff,
 381                                 .dst_port_low = 0,
 382                                 .dst_port_high = 0xffff,
 383                 },
 384
 385 /* rules combining various fields */
 386                 {
 387                                 .data = {.userdata = 24, .category_mask = ACL_ALLOW_MASK,
 388                                                 .priority = 400},
 389                                 /** make sure that unmasked bytes don't fail! */
 390                                 .dst_addr = IPv4(1,2,3,4),
 391                                 .dst_mask_len = 16,
 392                                 .src_addr = IPv4(5,6,7,8),
 393                                 .src_mask_len = 24,
 394                                 .proto = 0x5,
 395                                 .proto_mask = 0xff,
 396                                 .src_port_low = 0,
 397                                 .src_port_high = 0xffff,
 398                                 .dst_port_low = 22,
 399                                 .dst_port_high = 1024,
 400                                 .vlan = 0x8100,
 401                                 .vlan_mask = 0xffff,
 402                                 .domain = 0x64,
 403                                 .domain_mask = 0xffff,
 404                 },
 405                 {
 406                                 .data = {.userdata = 25, .category_mask = ACL_DENY_MASK,
 407                                                 .priority = 400},
 408                                 .dst_addr = IPv4(5,6,7,8),
 409                                 .dst_mask_len = 24,
 410                                 .src_addr = IPv4(1,2,3,4),
 411                                 .src_mask_len = 16,
 412                                 .proto = 0x5,
 413                                 .proto_mask = 0xff,
 414                                 .src_port_low = 0,
 415                                 .src_port_high = 0xffff,
 416                                 .dst_port_low = 22,
 417                                 .dst_port_high = 1024,
 418                                 .vlan = 0x8100,
 419                                 .vlan_mask = 0xffff,
 420                                 .domain = 0x64,
 421                                 .domain_mask = 0xffff,
 422                 },
 423                 {
 424                                 .data = {.userdata = 26, .category_mask = ACL_ALLOW_MASK,
 425                                                 .priority = 500},
 426                                 .dst_addr = IPv4(1,2,3,4),
 427                                 .dst_mask_len = 8,
 428                                 .src_addr = IPv4(5,6,7,8),
 429                                 .src_mask_len = 32,
 430                                 .proto = 0x5,
 431                                 .proto_mask = 0xff,
 432                                 .src_port_low = 0,
 433                                 .src_port_high = 0xffff,
 434                                 .dst_port_low = 22,
 435                                 .dst_port_high = 1024,
 436                                 .vlan = 0x64,
 437                                 .vlan_mask = 0xffff,
 438                 },
 439                 {
 440                                 .data = {.userdata = 27, .category_mask = ACL_DENY_MASK,
 441                                                 .priority = 500},
 442                                 .dst_addr = IPv4(5,6,7,8),
 443                                 .dst_mask_len = 32,
 444                                 .src_addr = IPv4(1,2,3,4),
 445                                 .src_mask_len = 8,
 446                                 .proto = 0x5,
 447                                 .proto_mask = 0xff,
 448                                 .src_port_low = 0,
 449                                 .src_port_high = 0xffff,
 450                                 .dst_port_low = 22,
 451                                 .dst_port_high = 1024,
 452                                 .vlan = 0x64,
 453                                 .vlan_mask = 0xffff,
 454                 },
 455 };
 456
 457 /* data for ACL unit test */
 458 struct ipv4_7tuple acl_test_data[] = {
 459 /* testing single rule aspects */
 460                 {.ip_src = IPv4(10,0,0,0), .allow = 4}, /* should match 4 */
 461                 {.ip_src = IPv4(10,1,1,2), .allow = 5}, /* should match 5 */
 462                 {.ip_src = IPv4(10,1,1,1), .allow = 5,
 463                                 .deny = 6},                     /* should match 5, 6 */
 464                 {.ip_dst = IPv4(10,0,0,0)},             /* should not match */
 465                 {.ip_dst = IPv4(10,1,1,2)},             /* should not match */
 466                 {.ip_dst = IPv4(10,1,1,1)},             /* should not match */
 467
 468                 {.ip_src = IPv4(192,168,2,50)},             /* should not match */
 469                 {.ip_src = IPv4(192,168,1,2)},              /* should not match */
 470                 {.ip_src = IPv4(192,168,1,50)},             /* should not match */
 471                 {.ip_dst = IPv4(192,168,2,50), .allow = 1}, /* should match 1 */
 472                 {.ip_dst = IPv4(192,168,1,49), .allow = 2}, /* should match 2 */
 473                 {.ip_dst = IPv4(192,168,1,50), .allow = 2,
 474                                 .deny = 3},                         /* should match 2, 3 */
 475
 476                 {.vlan = 0x64, .allow = 7},            /* should match 7 */
 477                 {.vlan = 0xfE4, .allow = 7},           /* should match 7 */
 478                 {.vlan = 0xE2},                        /* should not match */
 479                 {.vlan = 0xD, .allow = 8},             /* should match 8 */
 480                 {.vlan = 0x6},                         /* should not match */
 481                 {.vlan = 0x5, .allow = 8, .deny = 9},  /* should match 8, 9 */
 482
 483                 {.domain = 0x64, .allow = 10},             /* should match 10 */
 484                 {.domain = 0xfE4, .allow = 10},            /* should match 10 */
 485                 {.domain = 0xE2},                          /* should not match */
 486                 {.domain = 0xD, .allow = 11},              /* should match 11 */
 487                 {.domain = 0x6},                           /* should not match */
 488                 {.domain = 0x5, .allow = 11, .deny = 12},  /* should match 11, 12 */
 489
 490                 {.port_dst = 80, .allow = 13},                /* should match 13 */
 491                 {.port_dst = 79, .allow = 14},                /* should match 14 */
 492                 {.port_dst = 81, .allow = 14},                /* should match 14 */
 493                 {.port_dst = 21},                             /* should not match */
 494                 {.port_dst = 1024, .deny = 16},               /* should match 16 */
 495                 {.port_dst = 1020, .allow = 14, .deny = 15},  /* should match 14, 15 */
 496
 497                 {.port_src = 80, .allow = 17},                /* should match 17 */
 498                 {.port_src = 79, .allow = 18},                /* should match 18 */
 499                 {.port_src = 81, .allow = 18},                /* should match 18 */
 500                 {.port_src = 21},                             /* should not match */
 501                 {.port_src = 1024, .deny = 20},               /* should match 20 */
 502                 {.port_src = 1020, .allow = 18, .deny = 19},  /* should match 18, 19 */
 503
 504                 {.proto = 0x64, .allow = 21},             /* should match 21 */
 505                 {.proto = 0xE4, .allow = 21},             /* should match 21 */
 506                 {.proto = 0xE2},                          /* should not match */
 507                 {.proto = 0xD, .allow = 22},              /* should match 22 */
 508                 {.proto = 0x6},                           /* should not match */
 509                 {.proto = 0x5, .allow = 22, .deny = 23},  /* should match 22, 23 */
 510
 511 /* testing matching multiple rules at once */
 512                 {.vlan = 0x5, .ip_src = IPv4(10,1,1,1),
 513                                 .allow = 5, .deny = 9},               /* should match 5, 9 */
 514                 {.vlan = 0x5, .ip_src = IPv4(192,168,2,50),
 515                                 .allow = 8, .deny = 9},               /* should match 8, 9 */
 516                 {.vlan = 0x55, .ip_src = IPv4(192,168,1,49),
 517                                 .allow = 8},                          /* should match 8 */
 518                 {.port_dst = 80, .port_src = 1024,
 519                                 .allow = 13, .deny = 20},             /* should match 13,20 */
 520                 {.port_dst = 79, .port_src = 1024,
 521                                 .allow = 14, .deny = 20},             /* should match 14,20 */
 522                 {.proto = 0x5, .ip_dst = IPv4(192,168,2,50),
 523                                 .allow = 1, .deny = 23},               /* should match 1, 23 */
 524
 525                 {.proto = 0x5, .ip_dst = IPv4(192,168,1,50),
 526                                 .allow = 2, .deny = 23},              /* should match 2, 23 */
 527                 {.vlan = 0x64, .domain = 0x5,
 528                                 .allow = 11, .deny = 12},             /* should match 11, 12 */
 529                 {.proto = 0x5, .port_src = 80,
 530                                 .allow = 17, .deny = 23},             /* should match 17, 23 */
 531                 {.proto = 0x5, .port_dst = 80,
 532                                 .allow = 13, .deny = 23},             /* should match 13, 23 */
 533                 {.proto = 0x51, .port_src = 5000},            /* should not match */
 534                 {.ip_src = IPv4(192,168,1,50),
 535                                 .ip_dst = IPv4(10,0,0,0),
 536                                 .proto = 0x51,
 537                                 .port_src = 5000,
 538                                 .port_dst = 5000},                    /* should not match */
 539
 540 /* test full packet rules */
 541                 {
 542                                 .ip_dst = IPv4(1,2,100,200),
 543                                 .ip_src = IPv4(5,6,7,254),
 544                                 .proto = 0x5,
 545                                 .vlan = 0x8100,
 546                                 .domain = 0x64,
 547                                 .port_src = 12345,
 548                                 .port_dst = 80,
 549                                 .allow = 24,
 550                                 .deny = 23
 551                 }, /* should match 23, 24 */
 552                 {
 553                                 .ip_dst = IPv4(5,6,7,254),
 554                                 .ip_src = IPv4(1,2,100,200),
 555                                 .proto = 0x5,
 556                                 .vlan = 0x8100,
 557                                 .domain = 0x64,
 558                                 .port_src = 12345,
 559                                 .port_dst = 80,
 560                                 .allow = 13,
 561                                 .deny = 25
 562                 }, /* should match 13, 25 */
 563                 {
 564                                 .ip_dst = IPv4(1,10,20,30),
 565                                 .ip_src = IPv4(5,6,7,8),
 566                                 .proto = 0x5,
 567                                 .vlan = 0x64,
 568                                 .port_src = 12345,
 569                                 .port_dst = 80,
 570                                 .allow = 26,
 571                                 .deny = 23
 572                 }, /* should match 23, 26 */
 573                 {
 574                                 .ip_dst = IPv4(5,6,7,8),
 575                                 .ip_src = IPv4(1,10,20,30),
 576                                 .proto = 0x5,
 577                                 .vlan = 0x64,
 578                                 .port_src = 12345,
 579                                 .port_dst = 80,
 580                                 .allow = 13,
 581                                 .deny = 27
 582                 }, /* should match 13, 27 */
 583                 {
 584                                 .ip_dst = IPv4(2,2,3,4),
 585                                 .ip_src = IPv4(4,6,7,8),
 586                                 .proto = 0x5,
 587                                 .vlan = 0x64,
 588                                 .port_src = 12345,
 589                                 .port_dst = 80,
 590                                 .allow = 13,
 591                                 .deny = 23
 592                 }, /* should match 13, 23 */
 593                 {
 594                                 .ip_dst = IPv4(1,2,3,4),
 595                                 .ip_src = IPv4(4,6,7,8),
 596                                 .proto = 0x5,
 597                                 .vlan = 0x64,
 598                                 .port_src = 12345,
 599                                 .port_dst = 80,
 600                                 .allow = 13,
 601                                 .deny = 23
 602                 }, /* should match 13, 23 */
 603
 604
 605 /* visual separator! */
 606                 {
 607                                 .ip_dst = IPv4(1,2,100,200),
 608                                 .ip_src = IPv4(5,6,7,254),
 609                                 .proto = 0x55,
 610                                 .vlan = 0x8000,
 611                                 .domain = 0x6464,
 612                                 .port_src = 12345,
 613                                 .port_dst = 8080,
 614                                 .allow = 10
 615                 }, /* should match 10 */
 616                 {
 617                                 .ip_dst = IPv4(5,6,7,254),
 618                                 .ip_src = IPv4(1,2,100,200),
 619                                 .proto = 0x55,
 620                                 .vlan = 0x8100,
 621                                 .domain = 0x6464,
 622                                 .port_src = 12345,
 623                                 .port_dst = 180,
 624                                 .allow = 10
 625                 }, /* should match 10 */
 626                 {
 627                                 .ip_dst = IPv4(1,10,20,30),
 628                                 .ip_src = IPv4(5,6,7,8),
 629                                 .proto = 0x55,
 630                                 .vlan = 0x64,
 631                                 .port_src = 12345,
 632                                 .port_dst = 180,
 633                                 .allow = 7
 634                 }, /* should match 7 */
 635                 {
 636                                 .ip_dst = IPv4(5,6,7,8),
 637                                 .ip_src = IPv4(1,10,20,30),
 638                                 .proto = 0x55,
 639                                 .vlan = 0x64,
 640                                 .port_src = 12345,
 641                                 .port_dst = 180,
 642                                 .allow = 7
 643                 }, /* should match 7 */
 644                 {
 645                                 .ip_dst = IPv4(2,2,3,4),
 646                                 .ip_src = IPv4(4,6,7,8),
 647                                 .proto = 0x55,
 648                                 .vlan = 0x64,
 649                                 .port_src = 12345,
 650                                 .port_dst = 180,
 651                                 .allow = 7
 652                 }, /* should match 7 */
 653                 {
 654                                 .ip_dst = IPv4(1,2,3,4),
 655                                 .ip_src = IPv4(4,6,7,8),
 656                                 .proto = 0x50,
 657                                 .vlan = 0x6466,
 658                                 .port_src = 12345,
 659                                 .port_dst = 12345,
 660                 }, /* should not match */
 661 };
 662
 663 #endif /* TEST_ACL_H_ */