1/*-
2 *   BSD LICENSE
3 *
4 *   Copyright(c) 2010-2014 Intel Corporation. All rights reserved.
5 *   All rights reserved.
6 *
7 *   Redistribution and use in source and binary forms, with or without
8 *   modification, are permitted provided that the following conditions
9 *   are met:
10 *
11 *     * Redistributions of source code must retain the above copyright
12 *       notice, this list of conditions and the following disclaimer.
13 *     * Redistributions in binary form must reproduce the above copyright
14 *       notice, this list of conditions and the following disclaimer in
15 *       the documentation and/or other materials provided with the
16 *       distribution.
17 *     * Neither the name of Intel Corporation nor the names of its
18 *       contributors may be used to endorse or promote products derived
19 *       from this software without specific prior written permission.
20 *
21 *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22 *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23 *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
24 *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
25 *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
26 *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
27 *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28 *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29 *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30 *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
31 *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32 */
33
34#ifndef TEST_ACL_H_
35#define TEST_ACL_H_
36
/*
 * One test input for the ACL unit tests: the packet fields handed to the
 * classifier plus the result the test expects back.
 *
 * NOTE(review): this header includes nothing itself, so the includer has to
 * provide <stdint.h> before this point.
 * NOTE(review): the byte order expected for the address and port fields is
 * not stated in this file - confirm against the code that consumes it.
 */
struct ipv4_7tuple {
	uint16_t vlan;      /* VLAN tag of the test packet */
	uint16_t domain;    /* VLAN domain of the test packet */
	uint8_t proto;      /* IPv4 protocol number */
	uint32_t ip_src;    /* IPv4 source address (built with IPv4() below) */
	uint32_t ip_dst;    /* IPv4 destination address */
	uint16_t port_src;  /* L4 source port */
	uint16_t port_dst;  /* L4 destination port */
	/*
	 * Expected results. In the tables below these carry the .userdata of
	 * the rule annotated as "should match"; entries annotated "should not
	 * match" leave both at 0.
	 */
	uint32_t allow;     /* expected rule among the ACL_ALLOW_MASK rules */
	uint32_t deny;      /* expected rule among the ACL_DENY_MASK rules */
};
48
/**
 * Legacy support for 7-tuple IPv4 and VLAN rule.
 * This structure and corresponding API is deprecated.
 *
 * Each value/mask pair selects the bits that take part in the comparison
 * (the rule tables in this file use e.g. mask 0xffff for an exact VLAN
 * match and 0x7f for a match on the low seven bits). An all-zero pair is
 * what the tables leave behind for a field they do not care about.
 *
 * NOTE(review): struct rte_acl_rule_data is not declared in this header;
 * the includer must pull in its definition first.
 */
struct rte_acl_ipv4vlan_rule {
	struct rte_acl_rule_data data; /**< Miscellaneous data for the rule. */
	uint8_t proto;                 /**< IPv4 protocol ID. */
	uint8_t proto_mask;            /**< IPv4 protocol ID mask. */
	uint16_t vlan;                 /**< VLAN ID. */
	uint16_t vlan_mask;            /**< VLAN ID mask. */
	uint16_t domain;               /**< VLAN domain. */
	uint16_t domain_mask;          /**< VLAN domain mask. */
	uint32_t src_addr;             /**< IPv4 source address. */
	uint32_t src_mask_len;         /**< IPv4 source mask length (prefix bits). */
	uint32_t dst_addr;             /**< IPv4 destination address. */
	uint32_t dst_mask_len;         /**< IPv4 destination mask length (prefix bits). */
	uint16_t src_port_low;         /**< L4 source port range, low bound. */
	uint16_t src_port_high;        /**< L4 source port range, high bound. */
	uint16_t dst_port_low;         /**< L4 destination port range, low bound. */
	uint16_t dst_port_high;        /**< L4 destination port range, high bound. */
};
70
/**
 * Index of each rte_acl_ipv4vlan_rule field inside the generic rte_acl_rule
 * field layout. The final enumerator is the number of fields, not a field.
 */
enum {
	RTE_ACL_IPV4VLAN_PROTO_FIELD = 0,
	RTE_ACL_IPV4VLAN_VLAN1_FIELD,
	RTE_ACL_IPV4VLAN_VLAN2_FIELD,
	RTE_ACL_IPV4VLAN_SRC_FIELD,
	RTE_ACL_IPV4VLAN_DST_FIELD,
	RTE_ACL_IPV4VLAN_SRCP_FIELD,
	RTE_ACL_IPV4VLAN_DSTP_FIELD,
	RTE_ACL_IPV4VLAN_NUM_FIELDS, /* count of the field indexes above */
};
84
/**
 * Rule size for rte_acl_ipv4vlan_rule: RTE_ACL_RULE_SZ() evaluated for
 * RTE_ACL_IPV4VLAN_NUM_FIELDS fields.
 */
#define RTE_ACL_IPV4VLAN_RULE_SZ RTE_ACL_RULE_SZ(RTE_ACL_IPV4VLAN_NUM_FIELDS)
90
/*
 * Enumerator order is what defines the order of IPV4VLAN classifications:
 *  - PROTO
 *  - VLAN (TAG and DOMAIN)
 *  - SRC IP ADDRESS
 *  - DST IP ADDRESS
 *  - PORTS (SRC and DST)
 */
enum {
	RTE_ACL_IPV4VLAN_PROTO = 0,
	RTE_ACL_IPV4VLAN_VLAN,
	RTE_ACL_IPV4VLAN_SRC,
	RTE_ACL_IPV4VLAN_DST,
	RTE_ACL_IPV4VLAN_PORTS,
	RTE_ACL_IPV4VLAN_NUM, /* count of the classifications above */
};
107
/*
 * Rules for the invalid layout test. Every rule uses category_mask 1 and
 * priority 1; only the userdata and the single populated field differ.
 *
 * NOTE(review): the array is defined (not just declared) in a header, so
 * including this header from more than one translation unit produces
 * duplicate definitions.
 */
struct rte_acl_ipv4vlan_rule invalid_layout_rules[] = {
	/* test src and dst address */
	{
		.data = {.userdata = 1, .category_mask = 1, .priority = 1},
		.src_addr = IPv4(10, 0, 0, 0), .src_mask_len = 24,
	},
	{
		.data = {.userdata = 2, .category_mask = 1, .priority = 1},
		.dst_addr = IPv4(10, 0, 0, 0), .dst_mask_len = 24,
	},
	/* test src and dst ports */
	{
		.data = {.userdata = 3, .category_mask = 1, .priority = 1},
		.dst_port_low = 100, .dst_port_high = 100,
	},
	{
		.data = {.userdata = 4, .category_mask = 1, .priority = 1},
		.src_port_low = 100, .src_port_high = 100,
	},
	/* test proto */
	{
		.data = {.userdata = 5, .category_mask = 1, .priority = 1},
		.proto = 0xf, .proto_mask = 0xf,
	},
	{
		.data = {.userdata = 6, .category_mask = 1, .priority = 1},
		.dst_port_low = 0xf, .dst_port_high = 0xf,
	},
};
150
/*
 * Inputs for the invalid layout test. They deliberately do not line up with
 * invalid_layout_rules: the test presumes that the correct results come back
 * even though the data is read through the wrong layout.
 */
struct ipv4_7tuple invalid_layout_data[] = {
	/* should not match */
	{.ip_src = IPv4(10, 0, 1, 0)},
	/* should match 2 */
	{.ip_src = IPv4(10, 0, 0, 1), .allow = 2},
	/* should match 4 */
	{.port_src = 100, .allow = 4},
	/* should match 6 */
	{.port_dst = 0xf, .allow = 6},
};
161
/*
 * The two result categories of the ACL unit test. Each *_MASK is the single
 * bit at the position given by the matching category number; the rules in
 * this file put one of the masks into .category_mask.
 * NOTE(review): ACL_ALLOW / ACL_DENY are presumably used as category
 * indexes by the test code - confirm against the consumer.
 */
#define ACL_ALLOW      0
#define ACL_DENY       1
#define ACL_ALLOW_MASK (1 << ACL_ALLOW)
#define ACL_DENY_MASK  (1 << ACL_DENY)
166
/*
 * Ruleset for the ACL unit test.
 *
 * Every rule carries a unique .userdata (1..27), belongs to either the
 * ALLOW or the DENY category and has an explicit priority. Fields a rule
 * does not mention stay zero; port ranges are spelled out as 0-0xffff where
 * any port is acceptable.
 */
struct rte_acl_ipv4vlan_rule acl_test_rules[] = {
	/* ---- destination IP addresses ---- */

	/* matches all packets traveling to 192.168.0.0/16 */
	{
		.data = {.userdata = 1, .category_mask = ACL_ALLOW_MASK,
			.priority = 230},
		.dst_addr = IPv4(192, 168, 0, 0), .dst_mask_len = 16,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},
	/* matches all packets traveling to 192.168.1.0/24 */
	{
		.data = {.userdata = 2, .category_mask = ACL_ALLOW_MASK,
			.priority = 330},
		.dst_addr = IPv4(192, 168, 1, 0), .dst_mask_len = 24,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},
	/* matches all packets traveling to 192.168.1.50 */
	{
		.data = {.userdata = 3, .category_mask = ACL_DENY_MASK,
			.priority = 230},
		.dst_addr = IPv4(192, 168, 1, 50), .dst_mask_len = 32,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},

	/* ---- source IP addresses ---- */

	/* matches all packets traveling from 10.0.0.0/8 */
	{
		.data = {.userdata = 4, .category_mask = ACL_ALLOW_MASK,
			.priority = 240},
		.src_addr = IPv4(10, 0, 0, 0), .src_mask_len = 8,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},
	/* matches all packets traveling from 10.1.1.0/24 */
	{
		.data = {.userdata = 5, .category_mask = ACL_ALLOW_MASK,
			.priority = 340},
		.src_addr = IPv4(10, 1, 1, 0), .src_mask_len = 24,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},
	/* matches all packets traveling from 10.1.1.1 */
	{
		.data = {.userdata = 6, .category_mask = ACL_DENY_MASK,
			.priority = 240},
		.src_addr = IPv4(10, 1, 1, 1), .src_mask_len = 32,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},

	/* ---- VLAN tag ---- */

	/* matches all packets whose VLAN tag has its low 7 bits equal to 0x64 */
	{
		.data = {.userdata = 7, .category_mask = ACL_ALLOW_MASK,
			.priority = 260},
		.vlan = 0x64, .vlan_mask = 0x7f,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},
	/* matches all packets whose VLAN tag has both bits of 0x5 set */
	{
		.data = {.userdata = 8, .category_mask = ACL_ALLOW_MASK,
			.priority = 260},
		.vlan = 0x5, .vlan_mask = 0x5,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},
	/* matches all packets with VLAN tag 5 */
	{
		.data = {.userdata = 9, .category_mask = ACL_DENY_MASK,
			.priority = 360},
		.vlan = 0x5, .vlan_mask = 0xffff,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},

	/* ---- VLAN domain ---- */

	/* matches all packets whose domain has its low 7 bits equal to 0x64 */
	{
		.data = {.userdata = 10, .category_mask = ACL_ALLOW_MASK,
			.priority = 250},
		.domain = 0x64, .domain_mask = 0x7f,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},
	/* matches all packets whose domain has both bits of 0x5 set */
	{
		.data = {.userdata = 11, .category_mask = ACL_ALLOW_MASK,
			.priority = 350},
		.domain = 0x5, .domain_mask = 0x5,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},
	/* matches all packets with domain 5 */
	{
		.data = {.userdata = 12, .category_mask = ACL_DENY_MASK,
			.priority = 350},
		.domain = 0x5, .domain_mask = 0xffff,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},

	/* ---- destination port ---- */

	/* matches everything with dst port 80 */
	{
		.data = {.userdata = 13, .category_mask = ACL_ALLOW_MASK,
			.priority = 310},
		.dst_port_low = 80, .dst_port_high = 80,
		.src_port_low = 0, .src_port_high = 0xffff,
	},
	/* matches everything with dst port 22-1023 */
	{
		.data = {.userdata = 14, .category_mask = ACL_ALLOW_MASK,
			.priority = 210},
		.dst_port_low = 22, .dst_port_high = 1023,
		.src_port_low = 0, .src_port_high = 0xffff,
	},
	/* matches everything with dst port 1020 */
	{
		.data = {.userdata = 15, .category_mask = ACL_DENY_MASK,
			.priority = 310},
		.dst_port_low = 1020, .dst_port_high = 1020,
		.src_port_low = 0, .src_port_high = 0xffff,
	},
	/* matches everything with dst port range 1000-2000 */
	{
		.data = {.userdata = 16, .category_mask = ACL_DENY_MASK,
			.priority = 210},
		.dst_port_low = 1000, .dst_port_high = 2000,
		.src_port_low = 0, .src_port_high = 0xffff,
	},

	/* ---- source port ---- */

	/* matches everything with src port 80 */
	{
		.data = {.userdata = 17, .category_mask = ACL_ALLOW_MASK,
			.priority = 320},
		.src_port_low = 80, .src_port_high = 80,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},
	/* matches everything with src port 22-1023 */
	{
		.data = {.userdata = 18, .category_mask = ACL_ALLOW_MASK,
			.priority = 220},
		.src_port_low = 22, .src_port_high = 1023,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},
	/* matches everything with src port 1020 */
	{
		.data = {.userdata = 19, .category_mask = ACL_DENY_MASK,
			.priority = 320},
		.src_port_low = 1020, .src_port_high = 1020,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},
	/* matches everything with src port range 1000-2000 */
	{
		.data = {.userdata = 20, .category_mask = ACL_DENY_MASK,
			.priority = 220},
		.src_port_low = 1000, .src_port_high = 2000,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},

	/* ---- protocol number ---- */

	/* matches all packets with protocol number either 0x64 or 0xE4 */
	{
		.data = {.userdata = 21, .category_mask = ACL_ALLOW_MASK,
			.priority = 270},
		.proto = 0x64, .proto_mask = 0x7f,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},
	/* matches all packets whose protocol has both bits of 0x5 set */
	{
		.data = {.userdata = 22, .category_mask = ACL_ALLOW_MASK,
			.priority = 1},
		.proto = 0x5, .proto_mask = 0x5,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},
	/* matches all packets with protocol 5 */
	{
		.data = {.userdata = 23, .category_mask = ACL_DENY_MASK,
			.priority = 370},
		.proto = 0x5, .proto_mask = 0xff,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 0, .dst_port_high = 0xffff,
	},

	/* ---- rules combining various fields ---- */

	/*
	 * The addresses keep non-zero bits beyond the mask length on purpose:
	 * make sure that unmasked bytes don't fail!
	 */
	{
		.data = {.userdata = 24, .category_mask = ACL_ALLOW_MASK,
			.priority = 400},
		.dst_addr = IPv4(1, 2, 3, 4), .dst_mask_len = 16,
		.src_addr = IPv4(5, 6, 7, 8), .src_mask_len = 24,
		.proto = 0x5, .proto_mask = 0xff,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 22, .dst_port_high = 1024,
		.vlan = 0x8100, .vlan_mask = 0xffff,
		.domain = 0x64, .domain_mask = 0xffff,
	},
	/* rule 24 with source and destination swapped, DENY category */
	{
		.data = {.userdata = 25, .category_mask = ACL_DENY_MASK,
			.priority = 400},
		.dst_addr = IPv4(5, 6, 7, 8), .dst_mask_len = 24,
		.src_addr = IPv4(1, 2, 3, 4), .src_mask_len = 16,
		.proto = 0x5, .proto_mask = 0xff,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 22, .dst_port_high = 1024,
		.vlan = 0x8100, .vlan_mask = 0xffff,
		.domain = 0x64, .domain_mask = 0xffff,
	},
	/* /8 destination, /32 source, VLAN 0x64, no domain constraint */
	{
		.data = {.userdata = 26, .category_mask = ACL_ALLOW_MASK,
			.priority = 500},
		.dst_addr = IPv4(1, 2, 3, 4), .dst_mask_len = 8,
		.src_addr = IPv4(5, 6, 7, 8), .src_mask_len = 32,
		.proto = 0x5, .proto_mask = 0xff,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 22, .dst_port_high = 1024,
		.vlan = 0x64, .vlan_mask = 0xffff,
	},
	/* rule 26 with source and destination swapped, DENY category */
	{
		.data = {.userdata = 27, .category_mask = ACL_DENY_MASK,
			.priority = 500},
		.dst_addr = IPv4(5, 6, 7, 8), .dst_mask_len = 32,
		.src_addr = IPv4(1, 2, 3, 4), .src_mask_len = 8,
		.proto = 0x5, .proto_mask = 0xff,
		.src_port_low = 0, .src_port_high = 0xffff,
		.dst_port_low = 22, .dst_port_high = 1024,
		.vlan = 0x64, .vlan_mask = 0xffff,
	},
};
491
/*
 * Data for the ACL unit test.
 *
 * Each entry is one packet description followed by the expected result:
 * .allow / .deny name the userdata of the acl_test_rules entry that should
 * be reported for that category, and are left at 0 when nothing should
 * match.
 *
 * NOTE(review): the port range rules are probed at 21, 79, 80, 81, 1020 and
 * 1024; the exact range bounds 22, 1023, 1000 and 2000 are not exercised by
 * this table, so an off-by-one at a bound would go unnoticed here.
 */
struct ipv4_7tuple acl_test_data[] = {
	/* ---- testing single rule aspects ---- */

	/* source address */
	{.ip_src = IPv4(10, 0, 0, 0), .allow = 4}, /* should match 4 */
	{.ip_src = IPv4(10, 1, 1, 2), .allow = 5}, /* should match 5 */
	/* should match 5, 6 */
	{.ip_src = IPv4(10, 1, 1, 1), .allow = 5, .deny = 6},
	{.ip_dst = IPv4(10, 0, 0, 0)}, /* should not match */
	{.ip_dst = IPv4(10, 1, 1, 2)}, /* should not match */
	{.ip_dst = IPv4(10, 1, 1, 1)}, /* should not match */

	/* destination address */
	{.ip_src = IPv4(192, 168, 2, 50)}, /* should not match */
	{.ip_src = IPv4(192, 168, 1, 2)},  /* should not match */
	{.ip_src = IPv4(192, 168, 1, 50)}, /* should not match */
	{.ip_dst = IPv4(192, 168, 2, 50), .allow = 1}, /* should match 1 */
	{.ip_dst = IPv4(192, 168, 1, 49), .allow = 2}, /* should match 2 */
	/* should match 2, 3 */
	{.ip_dst = IPv4(192, 168, 1, 50), .allow = 2, .deny = 3},

	/* VLAN tag */
	{.vlan = 0x64, .allow = 7},  /* should match 7 */
	{.vlan = 0xfE4, .allow = 7}, /* should match 7 */
	{.vlan = 0xE2},              /* should not match */
	{.vlan = 0xD, .allow = 8},   /* should match 8 */
	{.vlan = 0x6},               /* should not match */
	{.vlan = 0x5, .allow = 8, .deny = 9}, /* should match 8, 9 */

	/* VLAN domain */
	{.domain = 0x64, .allow = 10},  /* should match 10 */
	{.domain = 0xfE4, .allow = 10}, /* should match 10 */
	{.domain = 0xE2},               /* should not match */
	{.domain = 0xD, .allow = 11},   /* should match 11 */
	{.domain = 0x6},                /* should not match */
	{.domain = 0x5, .allow = 11, .deny = 12}, /* should match 11, 12 */

	/* destination port */
	{.port_dst = 80, .allow = 13},  /* should match 13 */
	{.port_dst = 79, .allow = 14},  /* should match 14 */
	{.port_dst = 81, .allow = 14},  /* should match 14 */
	{.port_dst = 21},               /* should not match */
	{.port_dst = 1024, .deny = 16}, /* should match 16 */
	{.port_dst = 1020, .allow = 14, .deny = 15}, /* should match 14, 15 */

	/* source port */
	{.port_src = 80, .allow = 17},  /* should match 17 */
	{.port_src = 79, .allow = 18},  /* should match 18 */
	{.port_src = 81, .allow = 18},  /* should match 18 */
	{.port_src = 21},               /* should not match */
	{.port_src = 1024, .deny = 20}, /* should match 20 */
	{.port_src = 1020, .allow = 18, .deny = 19}, /* should match 18, 19 */

	/* protocol number */
	{.proto = 0x64, .allow = 21}, /* should match 21 */
	{.proto = 0xE4, .allow = 21}, /* should match 21 */
	{.proto = 0xE2},              /* should not match */
	{.proto = 0xD, .allow = 22},  /* should match 22 */
	{.proto = 0x6},               /* should not match */
	{.proto = 0x5, .allow = 22, .deny = 23}, /* should match 22, 23 */

	/* ---- testing matching multiple rules at once ---- */

	/* should match 5, 9 */
	{.vlan = 0x5, .ip_src = IPv4(10, 1, 1, 1),
	 .allow = 5, .deny = 9},
	/* should match 8, 9 */
	{.vlan = 0x5, .ip_src = IPv4(192, 168, 2, 50),
	 .allow = 8, .deny = 9},
	/* should match 8 */
	{.vlan = 0x55, .ip_src = IPv4(192, 168, 1, 49),
	 .allow = 8},
	/* should match 13, 20 */
	{.port_dst = 80, .port_src = 1024,
	 .allow = 13, .deny = 20},
	/* should match 14, 20 */
	{.port_dst = 79, .port_src = 1024,
	 .allow = 14, .deny = 20},
	/* should match 1, 23 */
	{.proto = 0x5, .ip_dst = IPv4(192, 168, 2, 50),
	 .allow = 1, .deny = 23},

	/* should match 2, 23 */
	{.proto = 0x5, .ip_dst = IPv4(192, 168, 1, 50),
	 .allow = 2, .deny = 23},
	/* should match 11, 12 */
	{.vlan = 0x64, .domain = 0x5,
	 .allow = 11, .deny = 12},
	/* should match 17, 23 */
	{.proto = 0x5, .port_src = 80,
	 .allow = 17, .deny = 23},
	/* should match 13, 23 */
	{.proto = 0x5, .port_dst = 80,
	 .allow = 13, .deny = 23},
	/* should not match */
	{.proto = 0x51, .port_src = 5000},
	/* should not match */
	{.ip_src = IPv4(192, 168, 1, 50),
	 .ip_dst = IPv4(10, 0, 0, 0),
	 .proto = 0x51,
	 .port_src = 5000,
	 .port_dst = 5000},

	/* ---- test full packet rules ---- */

	/* should match 23, 24 */
	{
		.ip_dst = IPv4(1, 2, 100, 200),
		.ip_src = IPv4(5, 6, 7, 254),
		.proto = 0x5, .vlan = 0x8100, .domain = 0x64,
		.port_src = 12345, .port_dst = 80,
		.allow = 24, .deny = 23,
	},
	/* should match 13, 25 */
	{
		.ip_dst = IPv4(5, 6, 7, 254),
		.ip_src = IPv4(1, 2, 100, 200),
		.proto = 0x5, .vlan = 0x8100, .domain = 0x64,
		.port_src = 12345, .port_dst = 80,
		.allow = 13, .deny = 25,
	},
	/* should match 23, 26 */
	{
		.ip_dst = IPv4(1, 10, 20, 30),
		.ip_src = IPv4(5, 6, 7, 8),
		.proto = 0x5, .vlan = 0x64,
		.port_src = 12345, .port_dst = 80,
		.allow = 26, .deny = 23,
	},
	/* should match 13, 27 */
	{
		.ip_dst = IPv4(5, 6, 7, 8),
		.ip_src = IPv4(1, 10, 20, 30),
		.proto = 0x5, .vlan = 0x64,
		.port_src = 12345, .port_dst = 80,
		.allow = 13, .deny = 27,
	},
	/* should match 13, 23 */
	{
		.ip_dst = IPv4(2, 2, 3, 4),
		.ip_src = IPv4(4, 6, 7, 8),
		.proto = 0x5, .vlan = 0x64,
		.port_src = 12345, .port_dst = 80,
		.allow = 13, .deny = 23,
	},
	/* should match 13, 23 */
	{
		.ip_dst = IPv4(1, 2, 3, 4),
		.ip_src = IPv4(4, 6, 7, 8),
		.proto = 0x5, .vlan = 0x64,
		.port_src = 12345, .port_dst = 80,
		.allow = 13, .deny = 23,
	},

	/* ---- second group of full packets (visual separator) ---- */

	/* should match 10 */
	{
		.ip_dst = IPv4(1, 2, 100, 200),
		.ip_src = IPv4(5, 6, 7, 254),
		.proto = 0x55, .vlan = 0x8000, .domain = 0x6464,
		.port_src = 12345, .port_dst = 8080,
		.allow = 10,
	},
	/* should match 10 */
	{
		.ip_dst = IPv4(5, 6, 7, 254),
		.ip_src = IPv4(1, 2, 100, 200),
		.proto = 0x55, .vlan = 0x8100, .domain = 0x6464,
		.port_src = 12345, .port_dst = 180,
		.allow = 10,
	},
	/* should match 7 */
	{
		.ip_dst = IPv4(1, 10, 20, 30),
		.ip_src = IPv4(5, 6, 7, 8),
		.proto = 0x55, .vlan = 0x64,
		.port_src = 12345, .port_dst = 180,
		.allow = 7,
	},
	/* should match 7 */
	{
		.ip_dst = IPv4(5, 6, 7, 8),
		.ip_src = IPv4(1, 10, 20, 30),
		.proto = 0x55, .vlan = 0x64,
		.port_src = 12345, .port_dst = 180,
		.allow = 7,
	},
	/* should match 7 */
	{
		.ip_dst = IPv4(2, 2, 3, 4),
		.ip_src = IPv4(4, 6, 7, 8),
		.proto = 0x55, .vlan = 0x64,
		.port_src = 12345, .port_dst = 180,
		.allow = 7,
	},
	/* should not match */
	{
		.ip_dst = IPv4(1, 2, 3, 4),
		.ip_src = IPv4(4, 6, 7, 8),
		.proto = 0x50, .vlan = 0x6466,
		.port_src = 12345, .port_dst = 12345,
	},
};
697
698#endif /* TEST_ACL_H_ */
699