[PATCH nft 1/7] Interpret OP_NEQ against a set as OP_LOOKUP

[PATCH nft 1/7] Interpret OP_NEQ against a set as OP_LOOKUP

[Anatole Denis]

Now that the support for inverted matching is in the kernel and in libnftnl, add
it to nftables too.

This fixes bug #888

Signed-off-by: Anatole Denis <anatole@rezel.net>
---
This patch is heavily based off those of Yuxuan Shui from 2014
(https://marc.info/?l=netfilter-devel&m=140682484411296)

 src/evaluate.c            | 14 ++++++++++++++
 src/netlink_delinearize.c | 10 ++++++++++
 src/netlink_linearize.c   | 14 +++++++++-----
 3 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 8b113c8..bb46615 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1541,6 +1541,20 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
 			if (byteorder_conversion(ctx, &rel->right, left->byteorder) < 0)
 				return -1;
 			break;
+		case EXPR_SET:
+			assert(rel->op == OP_NEQ);
+			right = rel->right =
+				implicit_set_declaration(ctx, "__set%d",
+							 left->dtype, left->len,
+							 right);
+			/* fall through */
+		case EXPR_SET_REF:
+			assert(rel->op == OP_NEQ);
+			/* Data for range lookups needs to be in big endian order */
+			if (right->set->flags & SET_F_INTERVAL &&
+			    byteorder_conversion(ctx, &rel->left, BYTEORDER_BIG_ENDIAN) < 0)
+				return -1;
+			break;
 		default:
 			BUG("invalid expression type %s\n", right->ops->name);
 		}
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 0ebe368..cb0f6ac 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -292,6 +292,7 @@ static void netlink_parse_lookup(struct netlink_parse_ctx *ctx,
 	const char *name;
 	struct expr *expr, *left, *right;
 	struct set *set;
+	uint32_t flag;
 
 	name = nftnl_expr_get_str(nle, NFTNL_EXPR_LOOKUP_SET);
 	set  = set_lookup(ctx->table, name);
@@ -323,6 +324,12 @@ static void netlink_parse_lookup(struct netlink_parse_ctx *ctx,
 		expr = relational_expr_alloc(loc, OP_LOOKUP, left, right);
 	}
 
+	if (nftnl_expr_is_set(nle, NFTNL_EXPR_LOOKUP_FLAGS)) {
+		flag = nftnl_expr_get_u32(nle, NFTNL_EXPR_LOOKUP_FLAGS);
+		if (flag & NFT_LOOKUP_F_INV)
+			expr->op = OP_NEQ;
+	}
+
 	ctx->stmt = expr_stmt_alloc(loc, expr);
 }
 
@@ -1316,6 +1323,9 @@ static void ct_meta_common_postprocess(const struct expr *expr)
 	struct expr *right = expr->right;
 
 	switch (expr->op) {
+	case OP_NEQ:
+		if (right->ops->type != EXPR_SET && right->ops->type != EXPR_SET_REF)
+			break;
 	case OP_LOOKUP:
 		expr_set_type(right, left->dtype, left->byteorder);
 		if (right->dtype == &integer_type)
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 2945392..6bc0bee 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -278,6 +278,8 @@ static void netlink_gen_lookup(struct netlink_linearize_ctx *ctx,
 			   expr->right->set->handle.set);
 	nftnl_expr_set_u32(nle, NFTNL_EXPR_LOOKUP_SET_ID,
 			   expr->right->set->handle.set_id);
+	if (expr->op == OP_NEQ)
+		nftnl_expr_set_u32(nle, NFTNL_EXPR_LOOKUP_FLAGS, NFT_LOOKUP_F_INV);
 
 	release_register(ctx, expr->left);
 	nftnl_rule_add_expr(ctx->nlr, nle);
@@ -346,13 +348,14 @@ static void netlink_gen_cmp(struct netlink_linearize_ctx *ctx,
 
 	assert(dreg == NFT_REG_VERDICT);
 
-	if (expr->right->ops->type == EXPR_RANGE)
-		return netlink_gen_range(ctx, expr, dreg);
-
-	sreg = get_register(ctx, expr->left);
-
 	switch (expr->right->ops->type) {
+	case EXPR_RANGE:
+		return netlink_gen_range(ctx, expr, dreg);
+	case EXPR_SET:
+	case EXPR_SET_REF:
+		return netlink_gen_lookup(ctx, expr, dreg);
 	case EXPR_PREFIX:
+		sreg = get_register(ctx, expr->left);
 		if (expr->left->dtype->type != TYPE_STRING) {
 			len = div_round_up(expr->right->len, BITS_PER_BYTE);
 			netlink_gen_expr(ctx, expr->left, sreg);
@@ -365,6 +368,7 @@ static void netlink_gen_cmp(struct netlink_linearize_ctx *ctx,
 		}
 		break;
 	default:
+		sreg = get_register(ctx, expr->left);
 		len = div_round_up(expr->right->len, BITS_PER_BYTE);
 		right = expr->right;
 		netlink_gen_expr(ctx, expr->left, sreg);
-- 
2.11.0.rc2

[PATCH nft 2/7] tests/py/{arp,any}: Unmask negative set lookup

[Anatole Denis]

Many testcases were masked because of bug #888. This series of patches unmasks
them

Signed-off-by: Anatole Denis <anatole@rezel.net>
---
Patches 2 through 7 update the tests, and are split because of the character
limit on netfilter-devel. They could be squashed together.

 tests/py/any/ct.t                 |  10 +-
 tests/py/any/ct.t.payload         |  49 +++++++++
 tests/py/any/meta.t               |  47 ++++-----
 tests/py/any/meta.t.payload       | 203 ++++++++++++++++++++++++++++++++++++++
 tests/py/arp/arp.t                |  14 +--
 tests/py/arp/arp.t.payload        |  56 +++++++++++
 tests/py/arp/arp.t.payload.netdev |  70 +++++++++++++
 7 files changed, 414 insertions(+), 35 deletions(-)

diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index 7cb49c2..76be185 100644
--- a/tests/py/any/ct.t
+++ b/tests/py/any/ct.t
@@ -7,7 +7,7 @@
 ct state new,established, related, untracked;ok;ct state established,related,new,untracked
 ct state != related;ok
 ct state {new,established, related, untracked};ok
-- ct state != {new,established, related, untracked};ok
+ct state != {new,established, related, untracked};ok
 ct state invalid drop;ok
 ct state established accept;ok
 ct state 8;ok;ct state new
@@ -18,7 +18,7 @@ ct direction != original;ok
 ct direction reply;ok
 ct direction != reply;ok
 ct direction {reply, original};ok
-- ct direction != {reply, original};ok
+ct direction != {reply, original};ok
 ct direction xxx;fail
 
 ct status expected;ok
@@ -45,7 +45,7 @@ ct mark 0x00000032-0x00000045;ok
 ct mark != 0x00000032-0x00000045;ok
 ct mark {0x32, 0x2222, 0x42de3};ok;ct mark { 0x00042de3, 0x00002222, 0x00000032}
 ct mark {0x32-0x2222, 0x4444-0x42de3};ok;ct mark { 0x00000032-0x00002222, 0x00004444-0x00042de3}
-- ct mark != {0x32, 0x2222, 0x42de3};ok
+ct mark != {0x32, 0x2222, 0x42de3};ok;ct mark != { 0x00042de3, 0x00002222, 0x00000032}
 
 # ct mark != {0x32, 0x2222, 0x42de3};ok
 # BUG: invalid expression type set
@@ -64,9 +64,9 @@ ct expiration != 233;ok;ct expiration != 3m53s
 ct expiration 33-45;ok;ct expiration 33s-45s
 ct expiration != 33-45;ok;ct expiration != 33s-45s
 ct expiration {33, 55, 67, 88};ok;ct expiration { 1m7s, 33s, 55s, 1m28s}
-- ct expiration != {33, 55, 67, 88};ok;ct expiration { 1m7s, 33s, 55s, 1m28s}
+ct expiration != {33, 55, 67, 88};ok;ct expiration { 1m7s, 33s, 55s, 1m28s}
 ct expiration {33-55};ok;ct expiration { 33s-55s}
-- ct expiration != {33-55};ok
+ct expiration != {33-55};ok; ct expiration != { 33s-55s}
 
 ct helper "ftp";ok
 ct helper "12345678901234567";fail
diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload
index 26aeec3..90fce9f 100644
--- a/tests/py/any/ct.t.payload
+++ b/tests/py/any/ct.t.payload
@@ -17,6 +17,14 @@ ip test-ip4 output
   [ ct load state => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ct state != {new,established, related, untracked}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000002  : 0 [end]	element 00000004  : 0 [end]	element 00000040  : 0 [end]
+ip test-ip4 output
+  [ ct load state => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ct state invalid drop
 ip test-ip4 output
   [ ct load state => reg 1 ]
@@ -65,6 +73,14 @@ ip test-ip4 output
   [ ct load direction => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ct direction != {reply, original}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000000  : 0 [end]
+ip test-ip4 output
+  [ ct load direction => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ct status expected
 ip test-ip4 output
   [ ct load status => reg 1 ]
@@ -95,6 +111,14 @@ ip test-ip4 output
   [ ct load status => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ct status != {expected, seen-reply, assured, confirmed, dying}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000002  : 0 [end]	element 00000004  : 0 [end]	element 00000008  : 0 [end]	element 00000200  : 0 [end]
+ip test-ip4 output
+  [ ct load status => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ct mark 0
 ip test-ip4 output
   [ ct load mark => reg 1 ]
@@ -174,6 +198,14 @@ ip test-ip4 output
   [ byteorder reg 1 = hton(reg 1, 4, 4) ]
   [ lookup reg 1 set __set%d ]
 
+# ct mark != {0x32, 0x2222, 0x42de3}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000032  : 0 [end]	element 00002222  : 0 [end]	element 00042de3  : 0 [end]
+ip test-ip4 output
+  [ ct load mark => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ct mark set 0x11 xor 0x1331
 ip test-ip4 output
   [ immediate reg 1 0x00001320 ]
@@ -230,6 +262,14 @@ ip test-ip4 output
   [ ct load expiration => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ct expiration != {33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 000080e8  : 0 [end]	element 0000d6d8  : 0 [end]	element 000105b8  : 0 [end]	element 000157c0  : 0 [end]
+ip test-ip4 output
+  [ ct load expiration => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ct expiration {33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -239,6 +279,15 @@ ip test-ip4 output
   [ byteorder reg 1 = hton(reg 1, 4, 4) ]
   [ lookup reg 1 set __set%d ]
 
+# ct expiration != {33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element e8800000  : 0 [end]	element d9d60000  : 1 [end]
+ip test-ip4 output
+  [ ct load expiration => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ct helper "ftp"
 ip test-ip4 output
   [ ct load helper => reg 1 ]
diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t
index 76ce06b..c3ac0a4 100644
--- a/tests/py/any/meta.t
+++ b/tests/py/any/meta.t
@@ -16,27 +16,28 @@ meta length != 33-45;ok
 meta length { 33, 55, 67, 88};ok
 meta length { 33-55, 67-88};ok
 meta length { 33-55, 55-88, 100-120};ok;meta length { 33-88, 100-120}
-- meta length != { 33, 55, 67, 88};ok
+meta length != { 33, 55, 67, 88};ok
 meta length { 33-55};ok
-- meta length != { 33-55};ok
+meta length != { 33-55};ok
 
 meta protocol { ip, arp, ip6, vlan };ok;meta protocol { ip6, ip, vlan, arp}
-- meta protocol != {ip, arp, ip6, vlan};ok
+meta protocol != {ip, arp, ip6, vlan};ok
 meta protocol ip;ok
 meta protocol != ip;ok
 
 meta nfproto ipv4;ok
 meta nfproto ipv6;ok
 meta nfproto {ipv4, ipv6};ok
+meta nfproto != {ipv4, ipv6};ok
 
 meta l4proto 22;ok
 meta l4proto != 233;ok
 meta l4proto 33-45;ok
 meta l4proto != 33-45;ok
 meta l4proto { 33, 55, 67, 88};ok;meta l4proto { 33, 55, 67, 88}
-- meta l4proto != { 33, 55, 67, 88};ok
+meta l4proto != { 33, 55, 67, 88};ok
 meta l4proto { 33-55};ok
-- meta l4proto != { 33-55};ok
+meta l4proto != { 33-55};ok
 
 meta priority root;ok
 meta priority none;ok
@@ -51,7 +52,7 @@ meta priority bcad:dada-bcad:dadc;ok
 meta priority != bcad:dada-bcad:dadc;ok
 meta priority {bcad:dada, bcad:dadc, aaaa:bbbb};ok
 meta priority set cafe:beef;ok
-- meta priority != {bcad:dada, bcad:dadc, aaaa:bbbb};ok
+meta priority != {bcad:dada, bcad:dadc, aaaa:bbbb};ok
 
 meta mark 0x4;ok;mark 0x00000004
 meta mark 0x32;ok;mark 0x00000032
@@ -71,12 +72,12 @@ meta iif != "lo" accept;ok;iif != "lo" accept
 meta iifname "dummy0";ok;iifname "dummy0"
 meta iifname != "dummy0";ok;iifname != "dummy0"
 meta iifname {"dummy0", "lo"};ok
-- meta iifname != {"dummy0", "lo"};ok
+meta iifname != {"dummy0", "lo"};ok
 meta iifname "dummy*";ok;iifname "dummy*"
 meta iifname "dummy\*";ok;iifname "dummy\*"
 
 meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
-- meta iiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
+meta iiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
 meta iiftype != ether;ok;iiftype != ether
 meta iiftype ether;ok;iiftype ether
 meta iiftype != ppp;ok;iiftype != ppp
@@ -85,7 +86,7 @@ meta iiftype ppp;ok;iiftype ppp
 meta oif "lo" accept;ok;oif "lo" accept
 meta oif != "lo" accept;ok;oif != "lo" accept
 meta oif {"lo"} accept;ok
-- meta oif != {"lo"} accept;ok
+meta oif != {"lo"} accept;ok
 
 meta oifname "dummy0";ok;oifname "dummy0"
 meta oifname != "dummy0";ok;oifname != "dummy0"
@@ -94,12 +95,12 @@ meta oifname "dummy*";ok;oifname "dummy*"
 meta oifname "dummy\*";ok;oifname "dummy\*"
 
 meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
-- meta oiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
+meta oiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre};ok
 meta oiftype != ether;ok;oiftype != ether
 meta oiftype ether;ok;oiftype ether
 
 meta skuid {"bin", "root", "daemon"} accept;ok;skuid { 0, 1, 2} accept
-- meta skuid != {"bin", "root", "daemon"} accept;ok
+meta skuid != {"bin", "root", "daemon"} accept;ok;skuid != { 1, 0, 2} accept
 meta skuid "root";ok;skuid 0
 meta skuid != "root";ok;skuid != 0
 meta skuid lt 3000 accept;ok;skuid < 3000 accept
@@ -108,10 +109,10 @@ meta skuid eq 3000 accept;ok;skuid 3000 accept
 meta skuid 3001-3005 accept;ok;skuid 3001-3005 accept
 meta skuid != 2001-2005 accept;ok;skuid != 2001-2005 accept
 meta skuid { 2001-2005} accept;ok;skuid { 2001-2005} accept
-- meta skuid != { 2001-2005} accept;ok
+meta skuid != { 2001-2005} accept;ok
 
 meta skgid {"bin", "root", "daemon"} accept;ok;skgid { 0, 1, 2} accept
-- meta skgid != {"bin", "root", "daemon"} accept;ok
+meta skgid != {"bin", "root", "daemon"} accept;ok;skgid != { 1, 0, 2} accept
 meta skgid "root";ok;skgid 0
 meta skgid != "root";ok;skgid != 0
 meta skgid lt 3000 accept;ok;skgid < 3000 accept
@@ -120,7 +121,7 @@ meta skgid eq 3000 accept;ok;skgid 3000 accept
 meta skgid 2001-2005 accept;ok;skgid 2001-2005 accept
 meta skgid != 2001-2005 accept;ok;skgid != 2001-2005 accept
 meta skgid { 2001-2005} accept;ok;skgid { 2001-2005} accept
-- meta skgid != { 2001-2005} accept;ok;skgid != { 2001-2005} accept
+meta skgid != { 2001-2005} accept;ok;skgid != { 2001-2005} accept
 
 # BUG: meta nftrace 2 and meta nftrace 1
 # $ sudo nft add rule ip test input meta nftrace 2
@@ -166,37 +167,37 @@ meta cpu 1-3;ok;cpu 1-3
 meta cpu != 1-2;ok;cpu != 1-2
 meta cpu { 2,3};ok;cpu { 2,3}
 meta cpu { 2-3, 5-7};ok
--meta cpu != { 2,3};ok; cpu != { 2,3}
+meta cpu != { 2,3};ok; cpu != { 2,3}
 
 meta iifgroup 0;ok;iifgroup "default"
 meta iifgroup != 0;ok;iifgroup != "default"
 meta iifgroup "default";ok;iifgroup "default"
 meta iifgroup != "default";ok;iifgroup != "default"
 meta iifgroup {"default"};ok;iifgroup {"default"}
-- meta iifgroup != {"default"};ok
+meta iifgroup != {"default"};ok
 meta iifgroup { 11,33};ok
 meta iifgroup {11-33};ok
-- meta iifgroup != {11,33};ok
-- meta iifgroup != {11-33};ok
+meta iifgroup != { 11,33};ok
+meta iifgroup != {11-33};ok
 meta oifgroup 0;ok;oifgroup "default"
 meta oifgroup != 0;ok;oifgroup != "default"
 meta oifgroup "default";ok;oifgroup "default"
 meta oifgroup != "default";ok;oifgroup != "default"
 meta oifgroup {"default"};ok;oifgroup {"default"}
-- meta oifgroup != {"default"};ok
+meta oifgroup != {"default"};ok;oifgroup != {"default"}
 meta oifgroup { 11,33};ok
 meta oifgroup {11-33};ok
-- meta oifgroup != {11,33};ok
-- meta oifgroup != {11-33};ok
+meta oifgroup != { 11,33};ok
+meta oifgroup != {11-33};ok
 
 meta cgroup 1048577;ok;cgroup 1048577
 meta cgroup != 1048577;ok;cgroup != 1048577
 meta cgroup { 1048577, 1048578 };ok;cgroup { 1048577, 1048578}
-# meta cgroup != { 1048577, 1048578};ok;cgroup != { 1048577, 1048578}
+meta cgroup != { 1048577, 1048578};ok;cgroup != { 1048577, 1048578}
 meta cgroup 1048577-1048578;ok;cgroup 1048577-1048578
 meta cgroup != 1048577-1048578;ok;cgroup != 1048577-1048578
 meta cgroup {1048577-1048578};ok;cgroup { 1048577-1048578}
-# meta cgroup != { 1048577-1048578};ok;cgroup != { 1048577-1048578}
+meta cgroup != { 1048577-1048578};ok;cgroup != { 1048577-1048578}
 
 meta iif . meta oif { "lo" . "lo" };ok
 meta iif . meta oif . meta mark { "lo" . "lo" . 0x0000000a };ok
diff --git a/tests/py/any/meta.t.payload b/tests/py/any/meta.t.payload
index f000bc8..e432656 100644
--- a/tests/py/any/meta.t.payload
+++ b/tests/py/any/meta.t.payload
@@ -61,6 +61,23 @@ ip test-ip4 input
   [ byteorder reg 1 = hton(reg 1, 4, 4) ]
   [ lookup reg 1 set __set%d ]
 
+# meta length != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip test-ip4 input
+  [ meta load len => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta length != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
+ip test-ip4 input
+  [ meta load len => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # meta protocol { ip, arp, ip6, vlan }
 __set%d test-ip4 3
 __set%d test-ip4 0
@@ -69,6 +86,14 @@ ip test-ip4 input
   [ meta load protocol => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# meta protocol != {ip, arp, ip6, vlan}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000008  : 0 [end]	element 00000608  : 0 [end]	element 0000dd86  : 0 [end]	element 00000081  : 0 [end]
+ip test-ip4 input
+  [ meta load protocol => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # meta protocol ip
 ip test-ip4 input
   [ meta load protocol => reg 1 ]
@@ -97,6 +122,14 @@ ip test-ip4 input
   [ meta load nfproto => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# meta nfproto != {ipv4, ipv6}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000002  : 0 [end]	element 0000000a  : 0 [end]
+ip test-ip4 input
+  [ meta load nfproto => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # meta l4proto 22
 ip test-ip4 input
   [ meta load l4proto => reg 1 ]
@@ -128,6 +161,14 @@ ip test-ip4 input
   [ meta load l4proto => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# meta l4proto != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # meta l4proto { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -137,6 +178,15 @@ ip test-ip4 input
   [ byteorder reg 1 = hton(reg 1, 2, 1) ]
   [ lookup reg 1 set __set%d ]
 
+# meta l4proto != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip test-ip4 input
+  [ meta load l4proto => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 2, 1) ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # meta mark 0x4
 ip test-ip4 input
   [ meta load mark => reg 1 ]
@@ -221,6 +271,14 @@ ip test-ip4 input
   [ meta load iifname => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# meta iifname != {"dummy0", "lo"}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 6d6d7564 00003079 00000000 00000000  : 0 [end]	element 00006f6c 00000000 00000000 00000000  : 0 [end]
+ip test-ip4 input
+  [ meta load iifname => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # meta iifname "dummy*"
 ip test-ip4 input
   [ meta load iifname => reg 1 ]
@@ -239,6 +297,14 @@ ip test-ip4 input
   [ meta load iiftype => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# meta iiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000200  : 0 [end]	element 00000300  : 0 [end]	element 00000301  : 0 [end]	element 00000304  : 0 [end]	element 00000308  : 0 [end]	element 0000030a  : 0 [end]
+ip test-ip4 input
+  [ meta load iiftype => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # meta iiftype != ether
 ip test-ip4 input
   [ meta load iiftype => reg 1 ]
@@ -280,6 +346,15 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# meta oif != {"lo"} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]
+ip test-ip4 input
+  [ meta load oif => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # meta oifname "dummy0"
 ip test-ip4 input
   [ meta load oifname => reg 1 ]
@@ -316,6 +391,14 @@ ip test-ip4 input
   [ meta load oiftype => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# meta oiftype != {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000200  : 0 [end]	element 00000300  : 0 [end]	element 00000301  : 0 [end]	element 00000304  : 0 [end]	element 00000308  : 0 [end]	element 0000030a  : 0 [end]
+ip test-ip4 input
+  [ meta load oiftype => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # meta oiftype != ether
 ip test-ip4 input
   [ meta load oiftype => reg 1 ]
@@ -335,6 +418,15 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# meta skuid != {"bin", "root", "daemon"} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000000  : 0 [end]	element 00000002  : 0 [end]
+ip test-ip4 input
+  [ meta load skuid => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # meta skuid "root"
 ip test-ip4 input
   [ meta load skuid => reg 1 ]
@@ -390,6 +482,16 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# meta skuid != { 2001-2005} accept
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element d1070000  : 0 [end]	element d6070000  : 1 [end]
+ip test-ip4 input
+  [ meta load skuid => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # meta skgid {"bin", "root", "daemon"} accept
 __set%d test-ip4 3
 __set%d test-ip4 0
@@ -399,6 +501,15 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# meta skgid != {"bin", "root", "daemon"} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000000  : 0 [end]	element 00000002  : 0 [end]
+ip test-ip4 input
+  [ meta load skgid => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # meta skgid "root"
 ip test-ip4 input
   [ meta load skgid => reg 1 ]
@@ -454,6 +565,16 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# meta skgid != { 2001-2005} accept
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element d1070000  : 0 [end]	element d6070000  : 1 [end]
+ip test-ip4 input
+  [ meta load skgid => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # meta mark set 0xffffffc8 xor 0x16
 ip test-ip4 input
   [ immediate reg 1 0xffffffde ]
@@ -595,6 +716,14 @@ ip test-ip4 input
   [ meta load cpu => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# meta cpu != { 2,3}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000002  : 0 [end]	element 00000003  : 0 [end]
+ip test-ip4 input
+  [ meta load cpu => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # meta cpu { 2-3, 5-7}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -632,6 +761,14 @@ ip test-ip4 input
   [ meta load iifgroup => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# meta iifgroup != {"default"}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000000  : 0 [end]
+ip test-ip4 input
+  [ meta load iifgroup => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # meta iifgroup { 11,33}
 __set%d test-ip4 3
 __set%d test-ip4 0
@@ -649,6 +786,23 @@ ip test-ip4 input
   [ byteorder reg 1 = hton(reg 1, 4, 4) ]
   [ lookup reg 1 set __set%d ]
 
+# meta iifgroup != { 11,33}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 0000000b  : 0 [end]	element 00000021  : 0 [end]
+ip test-ip4 input
+  [ meta load iifgroup => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta iifgroup != {11-33}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 0b000000  : 0 [end]	element 22000000  : 1 [end]
+ip test-ip4 input
+  [ meta load iifgroup => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # meta oifgroup 0
 ip test-ip4 input
   [ meta load oifgroup => reg 1 ]
@@ -677,6 +831,14 @@ ip test-ip4 input
   [ meta load oifgroup => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# meta oifgroup != {"default"}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000000  : 0 [end]
+ip test-ip4 input
+  [ meta load oifgroup => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # meta oifgroup { 11,33}
 __set%d test-ip4 3
 __set%d test-ip4 0
@@ -694,6 +856,23 @@ ip test-ip4 input
   [ byteorder reg 1 = hton(reg 1, 4, 4) ]
   [ lookup reg 1 set __set%d ]
 
+# meta oifgroup != { 11,33}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 0000000b  : 0 [end]	element 00000021  : 0 [end]
+ip test-ip4 input
+  [ meta load oifgroup => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
+# meta oifgroup != {11-33}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 0b000000  : 0 [end]	element 22000000  : 1 [end]
+ip test-ip4 input
+  [ meta load oifgroup => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # meta cgroup 1048577
 ip test-ip4 input
   [ meta load cgroup => reg 1 ]
@@ -712,6 +891,14 @@ ip test-ip4 input
   [ meta load cgroup => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# meta cgroup != { 1048577, 1048578}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00100001  : 0 [end]	element 00100002  : 0 [end]
+ip test-ip4 input
+  [ meta load cgroup => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # meta cgroup 1048577-1048578
 ip test-ip4 input
   [ meta load cgroup => reg 1 ]
@@ -734,6 +921,14 @@ ip test-ip4 input
   [ byteorder reg 1 = hton(reg 1, 4, 4) ]
   [ lookup reg 1 set __set%d ]
 
+# meta cgroup != { 1048577-1048578}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 01001000  : 0 [end]	element 03001000  : 1 [end]
+ip test-ip4 input
+  [ meta load cgroup => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ lookup reg 1 set __set%d 0x1 ]
 
 # meta iif . meta oif { "lo" . "lo" }
 __set%d test-ip4 3
@@ -834,6 +1029,14 @@ ip test-ip4 input
   [ immediate reg 1 0xcafebeef ]
   [ meta set priority with reg 1 ]
 
+# meta priority != {bcad:dada, bcad:dadc, aaaa:bbbb}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element bcaddada  : 0 [end]	element bcaddadc  : 0 [end]	element aaaabbbb  : 0 [end]
+ip test-ip4 input
+  [ meta load priority => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # meta priority 0x87654321
 ip test-ip4 input
   [ meta load priority => reg 1 ]
diff --git a/tests/py/arp/arp.t b/tests/py/arp/arp.t
index 70f9a9c..94ab4a5 100644
--- a/tests/py/arp/arp.t
+++ b/tests/py/arp/arp.t
@@ -12,9 +12,9 @@ arp htype != 233;ok
 arp htype 33-45;ok
 arp htype != 33-45;ok
 arp htype { 33, 55, 67, 88};ok
-- arp htype != { 33, 55, 67, 88};ok
+arp htype != { 33, 55, 67, 88};ok
 arp htype { 33-55};ok
-- arp htype != { 33-55};ok
+arp htype != { 33-55};ok
 
 arp ptype 0x0800;ok;arp ptype ip
 
@@ -23,21 +23,21 @@ arp hlen != 233;ok
 arp hlen 33-45;ok
 arp hlen != 33-45;ok
 arp hlen { 33, 55, 67, 88};ok
-- arp hlen != { 33, 55, 67, 88};ok
+arp hlen != { 33, 55, 67, 88};ok
 arp hlen { 33-55};ok
-- arp hlen != { 33-55};ok
+arp hlen != { 33-55};ok
 
 arp plen 22;ok
 arp plen != 233;ok
 arp plen 33-45;ok
 arp plen != 33-45;ok
 arp plen { 33, 55, 67, 88};ok
-- arp plen != { 33, 55, 67, 88};ok
+arp plen != { 33, 55, 67, 88};ok
 arp plen { 33-55};ok
-- arp plen != {33-55};ok
+arp plen != {33-55};ok
 
 arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request};ok
-- arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request};ok
+arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request};ok
 arp operation request;ok
 arp operation reply;ok
 arp operation rrequest;ok
diff --git a/tests/py/arp/arp.t.payload b/tests/py/arp/arp.t.payload
index 5b8f8d5..ea778b2 100644
--- a/tests/py/arp/arp.t.payload
+++ b/tests/py/arp/arp.t.payload
@@ -37,6 +37,14 @@ arp test-arp input
   [ payload load 2b @ network header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# arp htype != { 33, 55, 67, 88}
+__set%d test-arp 3
+__set%d test-arp 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+arp test-arp input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # arp htype { 33-55}
 __set%d test-arp 7
 __set%d test-arp 0
@@ -45,6 +53,14 @@ arp test-arp input
   [ payload load 2b @ network header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# arp htype != { 33-55}
+__set%d test-arp 7
+__set%d test-arp 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+arp test-arp input
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # arp ptype 0x0800
 arp test-arp input
   [ payload load 2b @ network header + 2 => reg 1 ]
@@ -79,6 +95,14 @@ arp test-arp input
   [ payload load 1b @ network header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# arp hlen != { 33, 55, 67, 88}
+__set%d test-arp 3
+__set%d test-arp 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+arp test-arp input
+  [ payload load 1b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # arp hlen { 33-55}
 __set%d test-arp 7
 __set%d test-arp 0
@@ -87,6 +111,14 @@ arp test-arp input
   [ payload load 1b @ network header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# arp hlen != { 33-55}
+__set%d test-arp 7
+__set%d test-arp 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+arp test-arp input
+  [ payload load 1b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # arp plen 22
 arp test-arp input
   [ payload load 1b @ network header + 5 => reg 1 ]
@@ -116,6 +148,14 @@ arp test-arp input
   [ payload load 1b @ network header + 5 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# arp plen != { 33, 55, 67, 88}
+__set%d test-arp 3
+__set%d test-arp 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+arp test-arp input
+  [ payload load 1b @ network header + 5 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # arp plen { 33-55}
 __set%d test-arp 7
 __set%d test-arp 0
@@ -124,6 +164,14 @@ arp test-arp input
   [ payload load 1b @ network header + 5 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# arp plen != {33-55}
+__set%d test-arp 7
+__set%d test-arp 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+arp test-arp input
+  [ payload load 1b @ network header + 5 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}
 __set%d test-arp 3
 __set%d test-arp 0
@@ -132,6 +180,14 @@ arp test-arp input
   [ payload load 2b @ network header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request}
+__set%d test-arp 3
+__set%d test-arp 0
+	element 00000a00  : 0 [end]	element 00000900  : 0 [end]	element 00000800  : 0 [end]	element 00000400  : 0 [end]	element 00000300  : 0 [end]	element 00000200  : 0 [end]	element 00000100  : 0 [end]
+arp test-arp input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # arp operation request
 arp test-arp input
   [ payload load 2b @ network header + 6 => reg 1 ]
diff --git a/tests/py/arp/arp.t.payload.netdev b/tests/py/arp/arp.t.payload.netdev
index 5188ed7..acf9eb1 100644
--- a/tests/py/arp/arp.t.payload.netdev
+++ b/tests/py/arp/arp.t.payload.netdev
@@ -51,6 +51,16 @@ netdev test-netdev ingress
   [ payload load 2b @ network header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# arp htype != { 33, 55, 67, 88}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # arp htype { 33-55}
 __set%d test-netdev 7
 __set%d test-netdev 0
@@ -61,6 +71,16 @@ netdev test-netdev ingress
   [ payload load 2b @ network header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# arp htype != { 33-55}
+__set%d test-netdev 7
+__set%d test-netdev 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # arp ptype 0x0800
 netdev test-netdev ingress 
   [ meta load protocol => reg 1 ]
@@ -107,6 +127,16 @@ netdev test-netdev ingress
   [ payload load 1b @ network header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# arp hlen != { 33, 55, 67, 88}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 1b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # arp hlen { 33-55}
 __set%d test-netdev 7
 __set%d test-netdev 0
@@ -117,6 +147,16 @@ netdev test-netdev ingress
   [ payload load 1b @ network header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# arp hlen != { 33-55}
+__set%d test-netdev 7
+__set%d test-netdev 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 1b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # arp plen 22
 netdev test-netdev ingress 
   [ meta load protocol => reg 1 ]
@@ -156,6 +196,16 @@ netdev test-netdev ingress
   [ payload load 1b @ network header + 5 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# arp plen != { 33, 55, 67, 88}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 1b @ network header + 5 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # arp plen { 33-55}
 __set%d test-netdev 7
 __set%d test-netdev 0
@@ -166,6 +216,16 @@ netdev test-netdev ingress
   [ payload load 1b @ network header + 5 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# arp plen != {33-55}
+__set%d test-netdev 7
+__set%d test-netdev 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 1b @ network header + 5 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}
 __set%d test-netdev 3
 __set%d test-netdev 0
@@ -176,6 +236,16 @@ netdev test-netdev ingress
   [ payload load 2b @ network header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00000a00  : 0 [end]	element 00000900  : 0 [end]	element 00000800  : 0 [end]	element 00000400  : 0 [end]	element 00000300  : 0 [end]	element 00000200  : 0 [end]	element 00000100  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000608 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # arp operation request
 netdev test-netdev ingress 
   [ meta load protocol => reg 1 ]
-- 
2.11.0.rc2

Re: [PATCH nft 2/7] tests/py/{arp,any}: Unmask negative set lookup

[Pablo Neira Ayuso]

On Thu, Nov 24, 2016 at 03:16:21PM +0100, Anatole Denis wrote:
> Many testcases were masked because of bug #888. This series of patches unmasks
> them
>
> Signed-off-by: Anatole Denis <anatole@rezel.net>
> ---
> Patches 2 through 7 update the tests, and are split because of the character
> limit on netfilter-devel. They could be squashed together.

Applied and squashed. Thanks!

[PATCH nft 3/7] tests/py/ip: Unmark negative set lookup tests

[Anatole Denis]

Signed-off-by: Anatole Denis <anatole@rezel.net>
---
 tests/py/ip/dnat.t                |   6 +-
 tests/py/ip/dnat.t.payload.ip     |  14 ++++
 tests/py/ip/icmp.t                |  42 ++++-------
 tests/py/ip/icmp.t.payload.ip     | 152 ++++++++++++++++++++++++++++++++++++++
 tests/py/ip/ip.t                  |  31 ++++----
 tests/py/ip/ip.t.payload          | 115 ++++++++++++++++++++++++++++
 tests/py/ip/ip.t.payload.inet     | 143 +++++++++++++++++++++++++++++++++++
 tests/py/ip/ip.t.payload.netdev   | 143 +++++++++++++++++++++++++++++++++++
 tests/py/ip/sets.t                |   3 +
 tests/py/ip/sets.t.payload.inet   |  16 ++++
 tests/py/ip/sets.t.payload.ip     |  12 +++
 tests/py/ip/sets.t.payload.netdev |  16 ++++
 tests/py/ip/snat.t                |   5 +-
 tests/py/ip/snat.t.payload        |  14 ++++
 14 files changed, 659 insertions(+), 53 deletions(-)

diff --git a/tests/py/ip/dnat.t b/tests/py/ip/dnat.t
index d1ffdd7..da00106 100644
--- a/tests/py/ip/dnat.t
+++ b/tests/py/ip/dnat.t
@@ -5,11 +5,7 @@
 iifname "eth0" tcp dport 80-90 dnat to 192.168.3.2;ok
 iifname "eth0" tcp dport != 80-90 dnat to 192.168.3.2;ok
 iifname "eth0" tcp dport {80, 90, 23} dnat to 192.168.3.2;ok
-- iifname "eth0" tcp dport != {80, 90, 23} dnat to 192.168.3.2;ok
-- iifname "eth0" tcp dport != {80, 90, 23} dnat to 192.168.3.2;ok
-# BUG: invalid expression type set
-# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
-
+iifname "eth0" tcp dport != {80, 90, 23} dnat to 192.168.3.2;ok
 iifname "eth0" tcp dport != 23-34 dnat to 192.168.3.2;ok
 
 dnat to ct mark map { 0x00000014 : 1.2.3.4};ok
diff --git a/tests/py/ip/dnat.t.payload.ip b/tests/py/ip/dnat.t.payload.ip
index 6caa2c1..6692699 100644
--- a/tests/py/ip/dnat.t.payload.ip
+++ b/tests/py/ip/dnat.t.payload.ip
@@ -35,6 +35,20 @@ ip test-ip4 prerouting
   [ immediate reg 1 0x0203a8c0 ]
   [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
 
+# iifname "eth0" tcp dport != {80, 90, 23} dnat to 192.168.3.2
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00005000  : 0 [end]	element 00005a00  : 0 [end]	element 00001700  : 0 [end]
+ip test-ip4 prerouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
+
 # iifname "eth0" tcp dport != 23-34 dnat to 192.168.3.2
 ip test-ip4 prerouting
   [ meta load iifname => reg 1 ]
diff --git a/tests/py/ip/icmp.t b/tests/py/ip/icmp.t
index a6a4261..5a7ce7e 100644
--- a/tests/py/ip/icmp.t
+++ b/tests/py/ip/icmp.t
@@ -20,34 +20,25 @@ icmp type address-mask-reply accept;ok
 icmp type router-advertisement accept;ok
 icmp type router-solicitation accept;ok
 icmp type {echo-reply, destination-unreachable, source-quench, redirect, echo-request, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation} accept;ok
-- icmp type != {echo-reply, destination-unreachable, source-quench};ok
-# BUG: icmp type != {echo-reply, destination-unreachable, source-quench}
-# BUG: invalid expression type set
-# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+icmp type != {echo-reply, destination-unreachable, source-quench};ok
 
 icmp code 111 accept;ok
 icmp code != 111 accept;ok
 icmp code 33-55;ok
 icmp code != 33-55;ok
 icmp code { 33-55};ok
-- icmp code != { 33-55};ok
+icmp code != { 33-55};ok
 icmp code { 2, 4, 54, 33, 56};ok
-- icmp code != { 2, 4, 54, 33, 56};ok
-# $ sudo nft add rule ip test input icmp code != {2, 4, 54, 33, 56}
-# BUG: invalid expression type set
-# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+icmp code != { 2, 4, 54, 33, 56};ok
 
 icmp checksum 12343 accept;ok
 icmp checksum != 12343 accept;ok
 icmp checksum 11-343 accept;ok
 icmp checksum != 11-343 accept;ok
 icmp checksum { 11-343} accept;ok
-- icmp checksum != { 11-343} accept;ok
+icmp checksum != { 11-343} accept;ok
 icmp checksum { 1111, 222, 343} accept;ok
-- icmp checksum != { 1111, 222, 343} accept;ok
-# BUG: invalid expression type set
-# icmp checksum != { 1111, 222, 343} accept;ok
-# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+icmp checksum != { 1111, 222, 343} accept;ok
 
 icmp id 1245 log;ok
 icmp id 22;ok
@@ -55,42 +46,39 @@ icmp id != 233;ok
 icmp id 33-45;ok
 icmp id != 33-45;ok
 icmp id { 33-55};ok
-- icmp id != { 33-55};ok
+icmp id != { 33-55};ok
 icmp id { 22, 34, 333};ok
-- icmp id != { 22, 34, 333};ok
-# BUG: invalid expression type set
-# icmp id != { 22, 34, 333}
-# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+icmp id != { 22, 34, 333};ok
 
 icmp sequence 22;ok
 icmp sequence != 233;ok
 icmp sequence 33-45;ok
 icmp sequence != 33-45;ok
 icmp sequence { 33, 55, 67, 88};ok
-- icmp sequence != { 33, 55, 67, 88};ok
+icmp sequence != { 33, 55, 67, 88};ok
 icmp sequence { 33-55};ok
-- icmp sequence != { 33-55};ok
+icmp sequence != { 33-55};ok
 
 icmp mtu 33;ok
 icmp mtu 22-33;ok
 icmp mtu { 22-33};ok
-- icmp mtu != { 22-33};ok
+icmp mtu != { 22-33};ok
 icmp mtu 22;ok
 icmp mtu != 233;ok
 icmp mtu 33-45;ok
 icmp mtu != 33-45;ok
 icmp mtu { 33, 55, 67, 88};ok
-- icmp mtu != { 33, 55, 67, 88};ok
+icmp mtu != { 33, 55, 67, 88};ok
 icmp mtu { 33-55};ok
-- icmp mtu != { 33-55};ok
+icmp mtu != { 33-55};ok
 
 icmp gateway 22;ok
 icmp gateway != 233;ok
 icmp gateway 33-45;ok
 icmp gateway != 33-45;ok
 icmp gateway { 33, 55, 67, 88};ok
-- icmp gateway != { 33, 55, 67, 88};ok
+icmp gateway != { 33, 55, 67, 88};ok
 icmp gateway { 33-55};ok
-- icmp gateway != { 33-55};ok
+icmp gateway != { 33-55};ok
 icmp gateway != 34;ok
-- icmp gateway != { 333, 334};ok
+icmp gateway != { 333, 334};ok
diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip
index b740ff8..1130b98 100644
--- a/tests/py/ip/icmp.t.payload.ip
+++ b/tests/py/ip/icmp.t.payload.ip
@@ -113,6 +113,16 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# icmp type != {echo-reply, destination-unreachable, source-quench}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000000  : 0 [end]	element 00000003  : 0 [end]	element 00000004  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmp code 111 accept
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -154,6 +164,16 @@ ip test-ip4 input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmp code != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmp code { 2, 4, 54, 33, 56}
 __set%d test-ip4 3
 __set%d test-ip4 0
@@ -164,6 +184,16 @@ ip test-ip4 input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmp code != { 2, 4, 54, 33, 56}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000002  : 0 [end]	element 00000004  : 0 [end]	element 00000036  : 0 [end]	element 00000021  : 0 [end]	element 00000038  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmp checksum 12343 accept
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -208,6 +238,17 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# icmp checksum != { 11-343} accept
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00000b00  : 0 [end]	element 00005801  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # icmp checksum { 1111, 222, 343} accept
 __set%d test-ip4 3
 __set%d test-ip4 0
@@ -219,6 +260,17 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# icmp checksum != { 1111, 222, 343} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00005704  : 0 [end]	element 0000de00  : 0 [end]	element 00005701  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # icmp id 1245 log
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -266,6 +318,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmp id != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmp id { 22, 34, 333}
 __set%d test-ip4 3
 __set%d test-ip4 0
@@ -276,6 +338,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmp id != { 22, 34, 333}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00001600  : 0 [end]	element 00002200  : 0 [end]	element 00004d01  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmp sequence 22
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -315,6 +387,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmp sequence != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmp sequence { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -325,6 +407,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmp sequence != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmp mtu 33
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -350,6 +442,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmp mtu != { 22-33}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00001600  : 0 [end]	element 00002200  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmp mtu 22
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -389,6 +491,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmp mtu != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmp mtu { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -399,6 +511,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmp mtu != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmp gateway 22
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -438,6 +560,16 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmp gateway != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmp gateway { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -448,6 +580,16 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmp gateway != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmp gateway != 34
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -455,6 +597,16 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ cmp neq reg 1 0x22000000 ]
 
+# icmp gateway != { 333, 334}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 4d010000  : 0 [end]	element 4e010000  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmp type router-advertisement accept
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
diff --git a/tests/py/ip/ip.t b/tests/py/ip/ip.t
index 8ed2e99..f984646 100644
--- a/tests/py/ip/ip.t
+++ b/tests/py/ip/ip.t
@@ -29,51 +29,48 @@ ip dscp 0x38;ok;ip dscp cs7
 ip dscp != 0x20;ok;ip dscp != cs4
 ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef};ok
 - ip dscp {0x08, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38, 0x00, 0x0a, 0x0c, 0x0e, 0x12, 0x14, 0x16, 0x1a, 0x1c, 0x1e, 0x22, 0x24, 0x26, 0x2e};ok
-- ip dscp != {CS0, CS3};ok
+ip dscp != {cs0, cs3};ok
 
 ip length 232;ok
 ip length != 233;ok
 ip length 333-435;ok
 ip length != 333-453;ok
 ip length { 333, 553, 673, 838};ok
-- ip length != { 333, 535, 637, 883};ok
+ip length != { 333, 553, 673, 838};ok
 ip length { 333-535};ok
-- ip length != { 333-553};ok
+ip length != { 333-535};ok
 
 ip id 22;ok
 ip id != 233;ok
 ip id 33-45;ok
 ip id != 33-45;ok
 ip id { 33, 55, 67, 88};ok
-- ip id != { 33, 55, 67, 88};ok
+ip id != { 33, 55, 67, 88};ok
 ip id { 33-55};ok
-- ip id != { 33-55};ok
+ip id != { 33-55};ok
 
 ip frag-off 222 accept;ok
 ip frag-off != 233;ok
 ip frag-off 33-45;ok
 ip frag-off != 33-45;ok
 ip frag-off { 33, 55, 67, 88};ok
-- ip frag-off != { 33, 55, 67, 88};ok
+ip frag-off != { 33, 55, 67, 88};ok
 ip frag-off { 33-55};ok
-- ip frag-off != { 33-55};ok
+ip frag-off != { 33-55};ok
 
 ip ttl 0 drop;ok
 ip ttl 233;ok
 ip ttl 33-55;ok
 ip ttl != 45-50;ok
 ip ttl {43, 53, 45 };ok
-- ip ttl != {46, 56, 93 };ok
-# BUG: ip ttl != {46, 56, 93 };ok
-# BUG: invalid expression type set
-# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+ip ttl != {43, 53, 45 };ok
 ip ttl { 33-55};ok
-- ip ttl != { 33-55};ok
+ip ttl != { 33-55};ok
 
 ip protocol tcp;ok;ip protocol 6
 ip protocol != tcp;ok;ip protocol != 6
 ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok;ip protocol { 33, 136, 17, 51, 50, 6, 132, 1, 108} accept
-- ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok
+ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept;ok;ip protocol != { 33, 136, 17, 51, 50, 6, 132, 1, 108} accept
 
 ip protocol 255;ok
 ip protocol 256;fail
@@ -84,9 +81,9 @@ ip checksum != 233;ok
 ip checksum 33-45;ok
 ip checksum != 33-45;ok
 ip checksum { 33, 55, 67, 88};ok
-- ip checksum != { 33, 55, 67, 88};ok
+ip checksum != { 33, 55, 67, 88};ok
 ip checksum { 33-55};ok
-- ip checksum != { 33-55};ok
+ip checksum != { 33-55};ok
 
 ip saddr 192.168.2.0/24;ok
 ip saddr != 192.168.2.0/24;ok
@@ -99,9 +96,9 @@ ip daddr 172.16.0.0-172.31.255.255;ok
 ip daddr 192.168.3.1-192.168.4.250;ok
 ip daddr != 192.168.0.1-192.168.0.250;ok
 ip daddr { 192.168.0.1-192.168.0.250};ok
-- ip daddr != { 192.168.0.1-192.168.0.250};ok
+ip daddr != { 192.168.0.1-192.168.0.250};ok
 ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
-- ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
+ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
 
 ip daddr 192.168.1.2-192.168.1.55;ok
 ip daddr != 192.168.1.2-192.168.1.55;ok
diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload
index fade387..5038628 100644
--- a/tests/py/ip/ip.t.payload
+++ b/tests/py/ip/ip.t.payload
@@ -31,6 +31,15 @@ ip test-ip4 input
   [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
 
+# ip dscp != {cs0, cs3}
+__set%d test-ip4 3
+__set%d test-ip4 0
+        element 00000000  : 0 [end]     element 00000060  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip length 232
 ip test-ip4 input
   [ payload load 2b @ network header + 2 => reg 1 ]
@@ -60,6 +69,14 @@ ip test-ip4 input
   [ payload load 2b @ network header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip length != { 333, 553, 673, 838}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00004d01  : 0 [end]	element 00002902  : 0 [end]	element 0000a102  : 0 [end]	element 00004603  : 0 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip length { 333-535}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -68,6 +85,14 @@ ip test-ip4 input
   [ payload load 2b @ network header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip length != { 333-535}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00004d01  : 0 [end]	element 00001802  : 1 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip id 22
 ip test-ip4 input
   [ payload load 2b @ network header + 4 => reg 1 ]
@@ -97,6 +122,14 @@ ip test-ip4 input
   [ payload load 2b @ network header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip id != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip id { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -105,6 +138,14 @@ ip test-ip4 input
   [ payload load 2b @ network header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip id != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip frag-off 222 accept
 ip test-ip4 input
   [ payload load 2b @ network header + 6 => reg 1 ]
@@ -135,6 +176,14 @@ ip test-ip4 input
   [ payload load 2b @ network header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip frag-off != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip frag-off { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -143,6 +192,14 @@ ip test-ip4 input
   [ payload load 2b @ network header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip frag-off != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip ttl 0 drop
 ip test-ip4 input
   [ payload load 1b @ network header + 8 => reg 1 ]
@@ -173,6 +230,14 @@ ip test-ip4 input
   [ payload load 1b @ network header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip ttl != {43, 53, 45 }
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 0000002b  : 0 [end]	element 00000035  : 0 [end]	element 0000002d  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip ttl { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -181,6 +246,14 @@ ip test-ip4 input
   [ payload load 1b @ network header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip ttl != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip protocol tcp
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -200,6 +273,15 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # ip protocol 255
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -240,6 +322,14 @@ ip test-ip4 input
   [ payload load 2b @ network header + 10 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip checksum != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip checksum { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -248,6 +338,14 @@ ip test-ip4 input
   [ payload load 2b @ network header + 10 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip checksum != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip saddr 192.168.2.0/24
 ip test-ip4 input
   [ payload load 4b @ network header + 12 => reg 1 ]
@@ -312,6 +410,14 @@ ip test-ip4 input
   [ payload load 4b @ network header + 16 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip daddr != { 192.168.0.1-192.168.0.250}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 0100a8c0  : 0 [end]	element fb00a8c0  : 1 [end]
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
 __set%d test-ip4 3
 __set%d test-ip4 0
@@ -321,6 +427,15 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 0105a8c0  : 0 [end]	element 0205a8c0  : 0 [end]	element 0305a8c0  : 0 [end]
+ip test-ip4 input
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # ip daddr 192.168.1.2-192.168.1.55
 ip test-ip4 input
   [ payload load 4b @ network header + 16 => reg 1 ]
diff --git a/tests/py/ip/ip.t.payload.inet b/tests/py/ip/ip.t.payload.inet
index c9469d3..e658a0f 100644
--- a/tests/py/ip/ip.t.payload.inet
+++ b/tests/py/ip/ip.t.payload.inet
@@ -41,6 +41,17 @@ inet test-inet input
   [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
 
+# ip dscp != {cs0, cs3}
+__set%d test-inet 3
+__set%d test-inet 0
+        element 00000000  : 0 [end]     element 00000060  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip length 232
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -80,6 +91,16 @@ inet test-inet input
   [ payload load 2b @ network header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip length != { 333, 553, 673, 838}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00004d01  : 0 [end]	element 00002902  : 0 [end]	element 0000a102  : 0 [end]	element 00004603  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip length { 333-535}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -90,6 +111,16 @@ inet test-inet input
   [ payload load 2b @ network header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip length != { 333-535}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00004d01  : 0 [end]	element 00001802  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip id 22
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -129,6 +160,16 @@ inet test-inet input
   [ payload load 2b @ network header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip id != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip id { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -139,6 +180,16 @@ inet test-inet input
   [ payload load 2b @ network header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip id != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip frag-off 222 accept
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -179,6 +230,16 @@ inet test-inet input
   [ payload load 2b @ network header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip frag-off != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip frag-off { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -189,6 +250,16 @@ inet test-inet input
   [ payload load 2b @ network header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip frag-off != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip ttl 0 drop
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -229,6 +300,16 @@ inet test-inet input
   [ payload load 1b @ network header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip ttl != {43, 53, 45 }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 0000002b  : 0 [end]	element 00000035  : 0 [end]	element 0000002d  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip ttl { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -239,6 +320,16 @@ inet test-inet input
   [ payload load 1b @ network header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip ttl != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip protocol tcp
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -264,6 +355,17 @@ inet test-inet input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000001  : 0 [end]	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # ip protocol 255
 ip test-ip4 input
   [ meta load nfproto => reg 1 ]
@@ -318,6 +420,16 @@ inet test-inet input
   [ payload load 2b @ network header + 10 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip checksum != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip checksum { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -328,6 +440,16 @@ inet test-inet input
   [ payload load 2b @ network header + 10 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip checksum != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip saddr 192.168.2.0/24
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -414,6 +536,16 @@ inet test-inet input
   [ payload load 4b @ network header + 16 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip daddr != { 192.168.0.1-192.168.0.250}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 0100a8c0  : 0 [end]	element fb00a8c0  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
 __set%d test-inet 3
 __set%d test-inet 0
@@ -425,6 +557,17 @@ inet test-inet input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 0105a8c0  : 0 [end]	element 0205a8c0  : 0 [end]	element 0305a8c0  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # ip daddr 192.168.1.2-192.168.1.55
 inet test-inet input
   [ meta load nfproto => reg 1 ]
diff --git a/tests/py/ip/ip.t.payload.netdev b/tests/py/ip/ip.t.payload.netdev
index 6f2c174..6df41cb 100644
--- a/tests/py/ip/ip.t.payload.netdev
+++ b/tests/py/ip/ip.t.payload.netdev
@@ -37,6 +37,16 @@ netdev test-netdev ingress
   [ payload load 2b @ network header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip length != { 333, 553, 673, 838}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00004d01  : 0 [end]	element 00002902  : 0 [end]	element 0000a102  : 0 [end]	element 00004603  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip length { 333-535}
 __set%d test-netdev 7
 __set%d test-netdev 0
@@ -47,6 +57,16 @@ netdev test-netdev ingress
   [ payload load 2b @ network header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip length != { 333-535}
+__set%d test-netdev 7
+__set%d test-netdev 0
+	element 00000000  : 1 [end]	element 00004d01  : 0 [end]	element 00001802  : 1 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip id 22
 netdev test-netdev ingress 
   [ meta load protocol => reg 1 ]
@@ -86,6 +106,16 @@ netdev test-netdev ingress
   [ payload load 2b @ network header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip id != { 33, 55, 67, 88}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip id { 33-55}
 __set%d test-netdev 7
 __set%d test-netdev 0
@@ -96,6 +126,16 @@ netdev test-netdev ingress
   [ payload load 2b @ network header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip id != { 33-55}
+__set%d test-netdev 7
+__set%d test-netdev 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip frag-off 222 accept
 netdev test-netdev ingress 
   [ meta load protocol => reg 1 ]
@@ -136,6 +176,16 @@ netdev test-netdev ingress
   [ payload load 2b @ network header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip frag-off != { 33, 55, 67, 88}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip frag-off { 33-55}
 __set%d test-netdev 7
 __set%d test-netdev 0
@@ -146,6 +196,16 @@ netdev test-netdev ingress
   [ payload load 2b @ network header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip frag-off != { 33-55}
+__set%d test-netdev 7
+__set%d test-netdev 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip ttl 0 drop
 netdev test-netdev ingress 
   [ meta load protocol => reg 1 ]
@@ -179,6 +239,16 @@ netdev test-netdev ingress
   [ payload load 1b @ network header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip ttl != {43, 53, 45 }
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 0000002b  : 0 [end]	element 00000035  : 0 [end]	element 0000002d  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip ttl { 33-55}
 __set%d test-netdev 7
 __set%d test-netdev 0
@@ -189,6 +259,16 @@ netdev test-netdev ingress
   [ payload load 1b @ network header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip ttl != { 33-55}
+__set%d test-netdev 7
+__set%d test-netdev 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
 __set%d test-netdev 3
 __set%d test-netdev 0
@@ -200,6 +280,17 @@ netdev test-netdev ingress
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00000001  : 0 [end]	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # ip protocol 255
 ip test-ip4 input
   [ meta load protocol => reg 1 ]
@@ -254,6 +345,16 @@ netdev test-netdev ingress
   [ payload load 2b @ network header + 10 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip checksum != { 33, 55, 67, 88}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip checksum { 33-55}
 __set%d test-netdev 7
 __set%d test-netdev 0
@@ -264,6 +365,16 @@ netdev test-netdev ingress
   [ payload load 2b @ network header + 10 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip checksum != { 33-55}
+__set%d test-netdev 7
+__set%d test-netdev 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 2b @ network header + 10 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip saddr 192.168.2.0/24
 netdev test-netdev ingress 
   [ meta load protocol => reg 1 ]
@@ -343,6 +454,16 @@ netdev test-netdev ingress
   [ payload load 4b @ network header + 16 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip daddr != { 192.168.0.1-192.168.0.250}
+__set%d test-netdev 7
+__set%d test-netdev 0
+	element 00000000  : 1 [end]	element 0100a8c0  : 0 [end]	element fb00a8c0  : 1 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
 __set%d test-netdev 3
 __set%d test-netdev 0
@@ -354,6 +475,17 @@ netdev test-netdev ingress
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 0105a8c0  : 0 [end]	element 0205a8c0  : 0 [end]	element 0305a8c0  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # ip daddr 192.168.1.2-192.168.1.55
 netdev test-netdev ingress 
   [ meta load protocol => reg 1 ]
@@ -640,6 +772,17 @@ netdev test-netdev ingress
   [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
 
+# ip dscp != {cs0, cs3}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00000000  : 0 [end]	element 00000060  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 1b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # iif "lo" ip daddr set 127.0.0.1
 netdev test-netdev ingress
   [ meta load iif => reg 1 ]
diff --git a/tests/py/ip/sets.t b/tests/py/ip/sets.t
index ee17d99..4cca02b 100644
--- a/tests/py/ip/sets.t
+++ b/tests/py/ip/sets.t
@@ -29,8 +29,11 @@
 ?set2 192.168.3.10 192.168.3.11;ok
 
 ip saddr @set1 drop;ok
+ip saddr != @set1 drop;ok
 ip saddr @set2 drop;ok
+ip saddr != @set2 drop;ok
 ip saddr @set33 drop;fail
+ip saddr != @set33 drop;fail
 
 !set3 type ipv4_addr flags interval;ok
 ?set3 192.168.0.0/16;ok
diff --git a/tests/py/ip/sets.t.payload.inet b/tests/py/ip/sets.t.payload.inet
index f8e97cc..6d8d6bc 100644
--- a/tests/py/ip/sets.t.payload.inet
+++ b/tests/py/ip/sets.t.payload.inet
@@ -6,6 +6,14 @@ inet test-inet input
   [ lookup reg 1 set set1 ]
   [ immediate reg 0 drop ]
 
+# ip saddr != @set1 drop
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set1 0x1 ]
+  [ immediate reg 0 drop ]
+
 # ip saddr @set2 drop
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -14,3 +22,11 @@ inet test-inet input
   [ lookup reg 1 set set2 ]
   [ immediate reg 0 drop ]
 
+# ip saddr != @set2 drop
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set2 0x1 ]
+  [ immediate reg 0 drop ]
+
diff --git a/tests/py/ip/sets.t.payload.ip b/tests/py/ip/sets.t.payload.ip
index ece63d0..858a5e1 100644
--- a/tests/py/ip/sets.t.payload.ip
+++ b/tests/py/ip/sets.t.payload.ip
@@ -4,9 +4,21 @@ ip test-ip4 input
   [ lookup reg 1 set set1 ]
   [ immediate reg 0 drop ]
 
+# ip saddr != @set1 drop
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set1 0x1 ]
+  [ immediate reg 0 drop ]
+
 # ip saddr @set2 drop
 ip test-ip4 input
   [ payload load 4b @ network header + 12 => reg 1 ]
   [ lookup reg 1 set set2 ]
   [ immediate reg 0 drop ]
 
+# ip saddr != @set2 drop
+ip test-ip4 input
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set2 0x1 ]
+  [ immediate reg 0 drop ]
+
diff --git a/tests/py/ip/sets.t.payload.netdev b/tests/py/ip/sets.t.payload.netdev
index 0e91afb..87d54a0 100644
--- a/tests/py/ip/sets.t.payload.netdev
+++ b/tests/py/ip/sets.t.payload.netdev
@@ -6,6 +6,14 @@ netdev test-netdev ingress
   [ lookup reg 1 set set1 ]
   [ immediate reg 0 drop ]
 
+# ip saddr != @set1 drop
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set1 0x1 ]
+  [ immediate reg 0 drop ]
+
 # ip saddr @set2 drop
 netdev test-netdev ingress 
   [ meta load protocol => reg 1 ]
@@ -14,3 +22,11 @@ netdev test-netdev ingress
   [ lookup reg 1 set set2 ]
   [ immediate reg 0 drop ]
 
+# ip saddr != @set2 drop
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ payload load 4b @ network header + 12 => reg 1 ]
+  [ lookup reg 1 set set2 0x1 ]
+  [ immediate reg 0 drop ]
+
diff --git a/tests/py/ip/snat.t b/tests/py/ip/snat.t
index ec2df8c..7281bf5 100644
--- a/tests/py/ip/snat.t
+++ b/tests/py/ip/snat.t
@@ -5,9 +5,6 @@
 iifname "eth0" tcp dport 80-90 snat to 192.168.3.2;ok
 iifname "eth0" tcp dport != 80-90 snat to 192.168.3.2;ok
 iifname "eth0" tcp dport {80, 90, 23} snat to 192.168.3.2;ok
-- iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2;ok
-- iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2;ok
-# BUG: invalid expression type set
-# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2;ok
 
 iifname "eth0" tcp dport != 23-34 snat to 192.168.3.2;ok
diff --git a/tests/py/ip/snat.t.payload b/tests/py/ip/snat.t.payload
index 3d828a3..25a505c 100644
--- a/tests/py/ip/snat.t.payload
+++ b/tests/py/ip/snat.t.payload
@@ -35,6 +35,20 @@ ip test-ip4 postrouting
   [ immediate reg 1 0x0203a8c0 ]
   [ nat snat ip addr_min reg 1 addr_max reg 0 ]
 
+# iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00005000  : 0 [end]	element 00005a00  : 0 [end]	element 00001700  : 0 [end]
+ip test-ip4 postrouting
+  [ meta load iifname => reg 1 ]
+  [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 1 0x0203a8c0 ]
+  [ nat snat ip addr_min reg 1 addr_max reg 0 ]
+
 # iifname "eth0" tcp dport != 23-34 snat to 192.168.3.2
 ip test-ip4 postrouting
   [ meta load iifname => reg 1 ]
-- 
2.11.0.rc2

[PATCH nft 4/7] tests/py/ip6: Unmark inverted set lookup testcases

[Anatole Denis]

Signed-off-by: Anatole Denis <anatole@rezel.net>
---
 tests/py/ip6/dst.t                 |  10 +--
 tests/py/ip6/dst.t.payload.inet    |  50 +++++++++++++
 tests/py/ip6/dst.t.payload.ip6     |  40 +++++++++++
 tests/py/ip6/frag.t                |  14 ++--
 tests/py/ip6/frag.t.payload.inet   |  72 +++++++++++++++++++
 tests/py/ip6/frag.t.payload.ip6    |  58 +++++++++++++++
 tests/py/ip6/hbh.t                 |  10 +--
 tests/py/ip6/hbh.t.payload.inet    |  50 +++++++++++++
 tests/py/ip6/hbh.t.payload.ip6     |  40 +++++++++++
 tests/py/ip6/icmpv6.t              |  26 +++----
 tests/py/ip6/icmpv6.t.payload.ip6  | 143 +++++++++++++++++++++++++++++++++++++
 tests/py/ip6/ip6.t                 |  20 +++---
 tests/py/ip6/ip6.t.payload.inet    | 102 ++++++++++++++++++++++++++
 tests/py/ip6/ip6.t.payload.ip6     |  82 +++++++++++++++++++++
 tests/py/ip6/mh.t                  |  18 ++---
 tests/py/ip6/mh.t.payload.inet     |  90 +++++++++++++++++++++++
 tests/py/ip6/mh.t.payload.ip6      |  72 +++++++++++++++++++
 tests/py/ip6/rt.t                  |  18 ++---
 tests/py/ip6/rt.t.payload.inet     |  90 +++++++++++++++++++++++
 tests/py/ip6/rt.t.payload.ip6      |  72 +++++++++++++++++++
 tests/py/ip6/sets.t                |   2 +
 tests/py/ip6/sets.t.payload.inet   |   8 +++
 tests/py/ip6/sets.t.payload.ip6    |   6 ++
 tests/py/ip6/sets.t.payload.netdev |   8 +++
 24 files changed, 1043 insertions(+), 58 deletions(-)

diff --git a/tests/py/ip6/dst.t b/tests/py/ip6/dst.t
index f7b0979..9e7c554 100644
--- a/tests/py/ip6/dst.t
+++ b/tests/py/ip6/dst.t
@@ -8,11 +8,11 @@ dst nexthdr != 233;ok
 dst nexthdr 33-45;ok
 dst nexthdr != 33-45;ok
 dst nexthdr { 33, 55, 67, 88};ok
-- dst nexthdr != { 33, 55, 67, 88};ok
+dst nexthdr != { 33, 55, 67, 88};ok
 dst nexthdr { 33-55};ok
-- dst nexthdr != { 33-55};ok
+dst nexthdr != { 33-55};ok
 dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok;dst nexthdr { 51, 50, 17, 136, 58, 6, 33, 132, 108}
-- dst nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok
+dst nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok;dst nexthdr != { 51, 50, 17, 136, 58, 6, 33, 132, 108}
 dst nexthdr icmp;ok;dst nexthdr 1
 dst nexthdr != icmp;ok;dst nexthdr != 1
 
@@ -21,6 +21,6 @@ dst hdrlength != 233;ok
 dst hdrlength 33-45;ok
 dst hdrlength != 33-45;ok
 dst hdrlength { 33, 55, 67, 88};ok
-- dst hdrlength != { 33, 55, 67, 88};ok
+dst hdrlength != { 33, 55, 67, 88};ok
 dst hdrlength { 33-55};ok
-- dst hdrlength != { 33-55};ok
+dst hdrlength != { 33-55};ok
diff --git a/tests/py/ip6/dst.t.payload.inet b/tests/py/ip6/dst.t.payload.inet
index 62d1c5a..768b4f1 100644
--- a/tests/py/ip6/dst.t.payload.inet
+++ b/tests/py/ip6/dst.t.payload.inet
@@ -37,6 +37,16 @@ inet test-inet input
   [ exthdr load 1b @ 60 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dst nexthdr != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 60 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dst nexthdr { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -47,6 +57,16 @@ inet test-inet input
   [ exthdr load 1b @ 60 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dst nexthdr != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 60 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
 __set%d test-inet 3
 __set%d test-inet 0
@@ -57,6 +77,16 @@ inet test-inet input
   [ exthdr load 1b @ 60 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dst nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000088  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 00000084  : 0 [end]	element 00000032  : 0 [end]	element 00000021  : 0 [end]	element 00000006  : 0 [end]	element 0000003a  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 60 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dst nexthdr icmp
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -110,6 +140,16 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 60 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dst hdrlength != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 60 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dst hdrlength { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -120,3 +160,13 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 60 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dst hdrlength != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip6 test-ip6 input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 60 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/ip6/dst.t.payload.ip6 b/tests/py/ip6/dst.t.payload.ip6
index c022c7f..56afc12 100644
--- a/tests/py/ip6/dst.t.payload.ip6
+++ b/tests/py/ip6/dst.t.payload.ip6
@@ -27,6 +27,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 60 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dst nexthdr != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 60 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dst nexthdr { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -35,6 +43,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 60 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dst nexthdr != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 60 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
 __set%d test-ip6 3
 __set%d test-ip6 0
@@ -43,6 +59,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 60 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dst nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000088  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 00000084  : 0 [end]	element 00000032  : 0 [end]	element 00000021  : 0 [end]	element 00000006  : 0 [end]	element 0000003a  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 60 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dst nexthdr icmp
 ip6 test-ip6 input
   [ exthdr load 1b @ 60 + 0 => reg 1 ]
@@ -82,6 +106,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 60 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dst hdrlength != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 60 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dst hdrlength { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -90,4 +122,12 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 60 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dst hdrlength != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 60 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 
diff --git a/tests/py/ip6/frag.t b/tests/py/ip6/frag.t
index 0e632bc..e16529a 100644
--- a/tests/py/ip6/frag.t
+++ b/tests/py/ip6/frag.t
@@ -7,7 +7,7 @@
 frag nexthdr tcp;ok;frag nexthdr 6
 frag nexthdr != icmp;ok;frag nexthdr != 1
 frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok;frag nexthdr { 51, 136, 132, 6, 108, 50, 17, 33}
-- frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok
+frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp};ok;frag nexthdr != { 51, 136, 132, 6, 108, 50, 17, 33}
 frag nexthdr esp;ok;frag nexthdr 50
 frag nexthdr ah;ok;frag nexthdr 51
 
@@ -16,18 +16,18 @@ frag reserved != 233;ok
 frag reserved 33-45;ok
 frag reserved != 33-45;ok
 frag reserved { 33, 55, 67, 88};ok
-- frag reserved != { 33, 55, 67, 88};ok
+frag reserved != { 33, 55, 67, 88};ok
 frag reserved { 33-55};ok
-- frag reserved != { 33-55};ok
+frag reserved != { 33-55};ok
 
 frag frag-off 22;ok
 frag frag-off != 233;ok
 frag frag-off 33-45;ok
 frag frag-off != 33-45;ok
 frag frag-off { 33, 55, 67, 88};ok
-- frag frag-off != { 33, 55, 67, 88};ok
+frag frag-off != { 33, 55, 67, 88};ok
 frag frag-off { 33-55};ok
-- frag frag-off != { 33-55};ok
+frag frag-off != { 33-55};ok
 
 frag reserved2 1;ok
 frag more-fragments 0;ok
@@ -39,6 +39,6 @@ frag id != 33;ok
 frag id 33-45;ok
 frag id != 33-45;ok
 frag id { 33, 55, 67, 88};ok
-- frag id != { 33, 55, 67, 88};ok
+frag id != { 33, 55, 67, 88};ok
 frag id { 33-55};ok
-- frag id != { 33-55};ok
+frag id != { 33-55};ok
diff --git a/tests/py/ip6/frag.t.payload.inet b/tests/py/ip6/frag.t.payload.inet
index bf57eca..0630533 100644
--- a/tests/py/ip6/frag.t.payload.inet
+++ b/tests/py/ip6/frag.t.payload.inet
@@ -22,6 +22,16 @@ inet test-inet output
   [ exthdr load 1b @ 44 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 44 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # frag nexthdr esp
 inet test-inet output
   [ meta load nfproto => reg 1 ]
@@ -75,6 +85,16 @@ inet test-inet output
   [ exthdr load 1b @ 44 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# frag reserved != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 44 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # frag reserved { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -85,6 +105,16 @@ inet test-inet output
   [ exthdr load 1b @ 44 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# frag reserved != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 44 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # frag frag-off 22
 inet test-inet output
   [ meta load nfproto => reg 1 ]
@@ -129,6 +159,17 @@ inet test-inet output
   [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
 
+# frag frag-off != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000801  : 0 [end]	element 0000b801  : 0 [end]	element 00001802  : 0 [end]	element 0000c002  : 0 [end]
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # frag frag-off { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -140,6 +181,17 @@ inet test-inet output
   [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
 
+# frag frag-off != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000801  : 0 [end]	element 0000b901  : 1 [end]
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # frag more-fragments 1
 inet test-inet output
   [ meta load nfproto => reg 1 ]
@@ -194,6 +246,16 @@ inet test-inet output
   [ exthdr load 4b @ 44 + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# frag id != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 4b @ 44 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # frag id { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -204,6 +266,16 @@ inet test-inet output
   [ exthdr load 4b @ 44 + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# frag id != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
+inet test-inet output
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 4b @ 44 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # frag reserved2 1
 inet test-inet output
   [ meta load nfproto => reg 1 ]
diff --git a/tests/py/ip6/frag.t.payload.ip6 b/tests/py/ip6/frag.t.payload.ip6
index aa27005..6e86b8a 100644
--- a/tests/py/ip6/frag.t.payload.ip6
+++ b/tests/py/ip6/frag.t.payload.ip6
@@ -16,6 +16,14 @@ ip6 test-ip6 output
   [ exthdr load 1b @ 44 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]
+ip6 test-ip6 output
+  [ exthdr load 1b @ 44 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # frag nexthdr esp
 ip6 test-ip6 output
   [ exthdr load 1b @ 44 + 0 => reg 1 ]
@@ -55,6 +63,14 @@ ip6 test-ip6 output
   [ exthdr load 1b @ 44 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# frag reserved != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 output
+  [ exthdr load 1b @ 44 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # frag reserved { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -63,6 +79,14 @@ ip6 test-ip6 output
   [ exthdr load 1b @ 44 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# frag reserved != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip6 test-ip6 output
+  [ exthdr load 1b @ 44 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # frag frag-off 22
 ip6 test-ip6 output
   [ exthdr load 2b @ 44 + 2 => reg 1 ]
@@ -97,6 +121,15 @@ ip6 test-ip6 output
   [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
 
+# frag frag-off != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000801  : 0 [end]	element 0000b801  : 0 [end]	element 00001802  : 0 [end]	element 0000c002  : 0 [end]
+ip6 test-ip6 output
+  [ exthdr load 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # frag frag-off { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -106,6 +139,15 @@ ip6 test-ip6 output
   [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
 
+# frag frag-off != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000801  : 0 [end]	element 0000b901  : 1 [end]
+ip6 test-ip6 output 
+  [ exthdr load 2b @ 44 + 2 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # frag more-fragments 1
 ip6 test-ip6 output
   [ exthdr load 1b @ 44 + 3 => reg 1 ]
@@ -146,6 +188,14 @@ ip6 test-ip6 output
   [ exthdr load 4b @ 44 + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# frag id != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+ip6 test-ip6 output
+  [ exthdr load 4b @ 44 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # frag id { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -154,6 +204,14 @@ ip6 test-ip6 output
   [ exthdr load 4b @ 44 + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# frag id != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
+ip6 test-ip6 output
+  [ exthdr load 4b @ 44 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # frag reserved2 1
 ip6 test-ip6 output
   [ exthdr load 1b @ 44 + 3 => reg 1 ]
diff --git a/tests/py/ip6/hbh.t b/tests/py/ip6/hbh.t
index 235cce4..f367a38 100644
--- a/tests/py/ip6/hbh.t
+++ b/tests/py/ip6/hbh.t
@@ -8,19 +8,19 @@ hbh hdrlength != 233;ok
 hbh hdrlength 33-45;ok
 hbh hdrlength != 33-45;ok
 hbh hdrlength {33, 55, 67, 88};ok
-- hbh hdrlength != {33, 55, 67, 88};ok
+hbh hdrlength != {33, 55, 67, 88};ok
 hbh hdrlength { 33-55};ok
-- hbh hdrlength != {33-55};ok
+hbh hdrlength != { 33-55};ok
 
 hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;hbh nexthdr { 58, 136, 51, 50, 6, 17, 132, 33, 108}
-- hbh nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok
+hbh nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;hbh nexthdr != { 58, 136, 51, 50, 6, 17, 132, 33, 108}
 hbh nexthdr 22;ok
 hbh nexthdr != 233;ok
 hbh nexthdr 33-45;ok
 hbh nexthdr != 33-45;ok
 hbh nexthdr {33, 55, 67, 88};ok
-- hbh nexthdr != {33, 55, 67, 88};ok
+hbh nexthdr != {33, 55, 67, 88};ok
 hbh nexthdr { 33-55};ok
-- hbh nexthdr != {33-55};ok
+hbh nexthdr != { 33-55};ok
 hbh nexthdr ip;ok;hbh nexthdr 0
 hbh nexthdr != ip;ok;hbh nexthdr != 0
diff --git a/tests/py/ip6/hbh.t.payload.inet b/tests/py/ip6/hbh.t.payload.inet
index 7e0d079..cf7e353 100644
--- a/tests/py/ip6/hbh.t.payload.inet
+++ b/tests/py/ip6/hbh.t.payload.inet
@@ -37,6 +37,16 @@ inet test-inet filter-input
   [ exthdr load 1b @ 0 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# hbh hdrlength != {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 0 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # hbh hdrlength { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -47,6 +57,16 @@ inet test-inet filter-input
   [ exthdr load 1b @ 0 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# hbh hdrlength != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 0 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
 __set%d test-inet 3
 __set%d test-inet 0
@@ -57,6 +77,16 @@ inet test-inet filter-input
   [ exthdr load 1b @ 0 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# hbh nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]	element 0000003a  : 0 [end]
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 0 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # hbh nexthdr 22
 inet test-inet filter-input
   [ meta load nfproto => reg 1 ]
@@ -96,6 +126,16 @@ inet test-inet filter-input
   [ exthdr load 1b @ 0 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# hbh nexthdr != {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 0 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # hbh nexthdr { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -106,6 +146,16 @@ inet test-inet filter-input
   [ exthdr load 1b @ 0 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# hbh nexthdr != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+inet test-inet filter-input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 0 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # hbh nexthdr ip
 inet test-inet filter-input
   [ meta load nfproto => reg 1 ]
diff --git a/tests/py/ip6/hbh.t.payload.ip6 b/tests/py/ip6/hbh.t.payload.ip6
index 783fc6a..93522c4 100644
--- a/tests/py/ip6/hbh.t.payload.ip6
+++ b/tests/py/ip6/hbh.t.payload.ip6
@@ -27,6 +27,14 @@ ip6 test-ip6 filter-input
   [ exthdr load 1b @ 0 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# hbh hdrlength != {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 filter-input
+  [ exthdr load 1b @ 0 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # hbh hdrlength { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -35,6 +43,14 @@ ip6 test-ip6 filter-input
   [ exthdr load 1b @ 0 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# hbh hdrlength != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip6 test-ip6 filter-input
+  [ exthdr load 1b @ 0 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
 __set%d test-ip6 3
 __set%d test-ip6 0
@@ -43,6 +59,14 @@ ip6 test-ip6 filter-input
   [ exthdr load 1b @ 0 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# hbh nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]	element 0000003a  : 0 [end]
+ip6 test-ip6 filter-input
+  [ exthdr load 1b @ 0 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # hbh nexthdr 22
 ip6 test-ip6 filter-input
   [ exthdr load 1b @ 0 + 0 => reg 1 ]
@@ -72,6 +96,14 @@ ip6 test-ip6 filter-input
   [ exthdr load 1b @ 0 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# hbh nexthdr != {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 filter-input
+  [ exthdr load 1b @ 0 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # hbh nexthdr { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -80,6 +112,14 @@ ip6 test-ip6 filter-input
   [ exthdr load 1b @ 0 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# hbh nexthdr != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip6 test-ip6 filter-input
+  [ exthdr load 1b @ 0 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # hbh nexthdr ip
 ip6 test-ip6 filter-input
   [ exthdr load 1b @ 0 + 0 => reg 1 ]
diff --git a/tests/py/ip6/icmpv6.t b/tests/py/ip6/icmpv6.t
index 6892273..afbd451 100644
--- a/tests/py/ip6/icmpv6.t
+++ b/tests/py/ip6/icmpv6.t
@@ -22,23 +22,23 @@ icmpv6 type router-renumbering accept;ok
 icmpv6 type {destination-unreachable, time-exceeded, nd-router-solicit} accept;ok
 icmpv6 type {router-renumbering, mld-listener-reduction, time-exceeded, nd-router-solicit} accept;ok
 icmpv6 type {mld-listener-query, time-exceeded, nd-router-advert} accept;ok
-- icmpv6 type != {mld-listener-query, time-exceeded, nd-router-advert} accept;ok
+icmpv6 type != {mld-listener-query, time-exceeded, nd-router-advert} accept;ok
 
 icmpv6 code 4;ok
 icmpv6 code 3-66;ok
 icmpv6 code {5, 6, 7} accept;ok
-- icmpv6 code != {3, 66, 34};ok
+icmpv6 code != {5, 6, 7} accept;ok
 icmpv6 code { 3-66};ok
-- icmpv6 code != { 3-44};ok
+icmpv6 code != { 3-66};ok
 
 icmpv6 checksum 2222 log;ok
 icmpv6 checksum != 2222 log;ok
 icmpv6 checksum 222-226;ok
 icmpv6 checksum != 2222 log;ok
 icmpv6 checksum { 222, 226};ok
-- icmpv6 checksum != { 222, 226};ok
+icmpv6 checksum != { 222, 226};ok
 icmpv6 checksum { 222-226};ok
-- icmpv6 checksum != { 222-226};ok
+icmpv6 checksum != { 222-226};ok
 
 # BUG: icmpv6 parameter-problem, pptr, mtu, packet-too-big
 # [ICMP6HDR_PPTR]         = ICMP6HDR_FIELD("parameter-problem", icmp6_pptr),
@@ -65,34 +65,34 @@ icmpv6 mtu != 233;ok
 icmpv6 mtu 33-45;ok
 icmpv6 mtu != 33-45;ok
 icmpv6 mtu {33, 55, 67, 88};ok
-- icmpv6 mtu != {33, 55, 67, 88};ok
+icmpv6 mtu != {33, 55, 67, 88};ok
 icmpv6 mtu {33-55};ok
-- icmpv6 mtu != {33-55};ok
+icmpv6 mtu != {33-55};ok
 
 - icmpv6 id 2;ok
 - icmpv6 id != 233;ok
 icmpv6 id 33-45;ok
 icmpv6 id != 33-45;ok
 icmpv6 id {33, 55, 67, 88};ok
-- icmpv6 id != {33, 55, 67, 88};ok
+icmpv6 id != {33, 55, 67, 88};ok
 icmpv6 id {33-55};ok
-- icmpv6 id != {33-55};ok
+icmpv6 id != {33-55};ok
 
 icmpv6 sequence 2;ok
 icmpv6 sequence {3, 4, 5, 6, 7} accept;ok
 
 icmpv6 sequence {2, 4};ok
-- icmpv6 sequence != {2, 4};ok
+icmpv6 sequence != {2, 4};ok
 icmpv6 sequence 2-4;ok
 icmpv6 sequence != 2-4;ok
 icmpv6 sequence { 2-4};ok
-- icmpv6 sequence != {2-4};ok
+icmpv6 sequence != { 2-4};ok
 
 - icmpv6 max-delay 22;ok
 - icmpv6 max-delay != 233;ok
 icmpv6 max-delay 33-45;ok
 icmpv6 max-delay != 33-45;ok
 icmpv6 max-delay {33, 55, 67, 88};ok
-- icmpv6 max-delay != {33, 55, 67, 88};ok
+icmpv6 max-delay != {33, 55, 67, 88};ok
 icmpv6 max-delay {33-55};ok
-- icmpv6 max-delay != {33-55};ok
+icmpv6 max-delay != {33-55};ok
diff --git a/tests/py/ip6/icmpv6.t.payload.ip6 b/tests/py/ip6/icmpv6.t.payload.ip6
index 8d33249..9fe2496 100644
--- a/tests/py/ip6/icmpv6.t.payload.ip6
+++ b/tests/py/ip6/icmpv6.t.payload.ip6
@@ -151,6 +151,17 @@ ip6 test-ip6 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# icmpv6 type != {mld-listener-query, time-exceeded, nd-router-advert} accept
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000082  : 0 [end]	element 00000003  : 0 [end]	element 00000086  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # icmpv6 code 4
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -177,6 +188,17 @@ ip6 test-ip6 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# icmpv6 code != {5, 6, 7} accept
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000005  : 0 [end]	element 00000006  : 0 [end]	element 00000007  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # icmpv6 code { 3-66}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -187,6 +209,16 @@ ip6 test-ip6 input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmpv6 code != { 3-66}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000003  : 0 [end]	element 00000043  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmpv6 checksum 2222 log
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -229,6 +261,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmpv6 checksum != { 222, 226}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 0000de00  : 0 [end]	element 0000e200  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmpv6 checksum { 222-226}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -239,6 +281,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmpv6 checksum != { 222-226}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 0000de00  : 0 [end]	element 0000e300  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmpv6 mtu 22
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -278,6 +330,16 @@ ip6 test-ip6 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmpv6 mtu != {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmpv6 mtu {33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -288,6 +350,16 @@ ip6 test-ip6 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmpv6 mtu != {33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmpv6 id 33-45
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -313,6 +385,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmpv6 id != {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmpv6 id {33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -323,6 +405,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmpv6 id != {33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmpv6 sequence 2
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -341,6 +433,17 @@ ip6 test-ip6 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# icmpv6 sequence != {3, 4, 5, 6, 7} accept
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000300  : 0 [end]	element 00000400  : 0 [end]	element 00000500  : 0 [end]	element 00000600  : 0 [end]	element 00000700  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # icmpv6 sequence {2, 4}
 __set%d test-ip6 3
 __set%d test-ip6 0
@@ -351,6 +454,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmpv6 sequence != {2, 4}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000200  : 0 [end]	element 00000400  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmpv6 sequence 2-4
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -376,6 +489,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmpv6 sequence != { 2-4}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000200  : 0 [end]	element 00000500  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmpv6 max-delay 33-45
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -401,6 +524,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmpv6 max-delay != {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # icmpv6 max-delay {33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -411,3 +544,13 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# icmpv6 max-delay != {33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000003a ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/ip6/ip6.t b/tests/py/ip6/ip6.t
index 9a18f7a..438b94d 100644
--- a/tests/py/ip6/ip6.t
+++ b/tests/py/ip6/ip6.t
@@ -22,26 +22,26 @@ ip6 flowlabel != 233;ok
 - ip6 flowlabel != 33-45;ok
 ip6 flowlabel { 33, 55, 67, 88};ok
 # BUG ip6 flowlabel { 5046528, 2883584, 13522432 }
-- ip6 flowlabel != { 33, 55, 67, 88};ok
+ip6 flowlabel != { 33, 55, 67, 88};ok
 ip6 flowlabel { 33-55};ok
-- ip6 flowlabel != { 33-55};ok
+ip6 flowlabel != { 33-55};ok
 
 ip6 length 22;ok
 ip6 length != 233;ok
 ip6 length 33-45;ok
 ip6 length != 33-45;ok
-- ip6 length { 33, 55, 67, 88};ok
-- ip6 length != {33, 55, 67, 88};ok
+ip6 length { 33, 55, 67, 88};ok
+ip6 length != {33, 55, 67, 88};ok
 ip6 length { 33-55};ok
-- ip6 length != { 33-55};ok
+ip6 length != { 33-55};ok
 
 ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp};ok;ip6 nexthdr { 132, 51, 108, 136, 17, 33, 6}
 ip6 nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;ip6 nexthdr { 6, 136, 108, 33, 50, 17, 132, 58, 51}
-- ip6 nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok
+ip6 nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;ip6 nexthdr != { 6, 136, 108, 33, 50, 17, 132, 58, 51}
 ip6 nexthdr esp;ok;ip6 nexthdr 50
 ip6 nexthdr != esp;ok;ip6 nexthdr != 50
 ip6 nexthdr { 33-44};ok
-- p6 nexthdr != { 33-44};ok
+ip6 nexthdr != { 33-44};ok
 ip6 nexthdr 33-44;ok
 ip6 nexthdr != 33-44;ok
 
@@ -50,9 +50,9 @@ ip6 hoplimit != 233;ok
 ip6 hoplimit 33-45;ok
 ip6 hoplimit != 33-45;ok
 ip6 hoplimit {33, 55, 67, 88};ok
-- ip6 hoplimit != {33, 55, 67, 88};ok
+ip6 hoplimit != {33, 55, 67, 88};ok
 ip6 hoplimit {33-55};ok
-- ip6 hoplimit != {33-55};ok
+ip6 hoplimit != {33-55};ok
 
 # from src/scanner.l
 # v680		(({hex4}:){7}{hex4})
@@ -139,7 +139,7 @@ ip6 saddr 1234::;ok
 ip6 saddr ::/64;ok
 ip6 saddr ::1 ip6 daddr ::2;ok
 
-- ip6 daddr != {::1234:1234:1234:1234:1234:1234:1234, 1234:1234::1234:1234:1234:1234:1234 };ok
+ip6 daddr != {::1234:1234:1234:1234:1234:1234:1234, 1234:1234::1234:1234:1234:1234:1234 };ok;ip6 daddr != {0:1234:1234:1234:1234:1234:1234:1234, 1234:1234:0:1234:1234:1234:1234:1234}
 ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234;ok;ip6 daddr != 0:1234:1234:1234:1234:1234:1234:1234-1234:1234:0:1234:1234:1234:1234:1234
 
 # limit impact to lo
diff --git a/tests/py/ip6/ip6.t.payload.inet b/tests/py/ip6/ip6.t.payload.inet
index 1aa0f5b..40277fd 100644
--- a/tests/py/ip6/ip6.t.payload.inet
+++ b/tests/py/ip6/ip6.t.payload.inet
@@ -68,6 +68,17 @@ inet test-inet input
   [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
 
+# ip6 flowlabel != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00210000  : 0 [end]	element 00370000  : 0 [end]	element 00430000  : 0 [end]	element 00580000  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip6 flowlabel { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -79,6 +90,17 @@ inet test-inet input
   [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
 
+# ip6 flowlabel != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00210000  : 0 [end]	element 00380000  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip6 length 22
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -108,6 +130,26 @@ inet test-inet input
   [ payload load 2b @ network header + 4 => reg 1 ]
   [ range neq reg 1 0x00002100 0x00002d00 ]
 
+# ip6 length { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip6 length != {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip6 length { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -118,6 +160,16 @@ inet test-inet input
   [ payload load 2b @ network header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip6 length != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp}
 __set%d test-inet 3
 __set%d test-inet 0
@@ -138,6 +190,16 @@ inet test-inet input
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip6 nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]	element 0000003a  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip6 nexthdr esp
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -162,6 +224,16 @@ inet test-inet input
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip6 nexthdr != { 33-44}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 0000002d  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip6 nexthdr 33-44
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -216,6 +288,16 @@ inet test-inet input
   [ payload load 1b @ network header + 7 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip6 hoplimit != {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 7 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip6 hoplimit {33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -226,6 +308,16 @@ inet test-inet input
   [ payload load 1b @ network header + 7 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip6 hoplimit != {33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 1b @ network header + 7 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -502,6 +594,16 @@ inet test-inet input
   [ payload load 16b @ network header + 24 => reg 1 ]
   [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x02000000 ]
 
+# ip6 daddr != {::1234:1234:1234:1234:1234:1234:1234, 1234:1234::1234:1234:1234:1234:1234 }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 34120000 34123412 34123412 34123412  : 0 [end]	element 34123412 34120000 34123412 34123412  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234
 inet test-inet input
   [ meta load nfproto => reg 1 ]
diff --git a/tests/py/ip6/ip6.t.payload.ip6 b/tests/py/ip6/ip6.t.payload.ip6
index 56ed8bd..74d06b3 100644
--- a/tests/py/ip6/ip6.t.payload.ip6
+++ b/tests/py/ip6/ip6.t.payload.ip6
@@ -52,6 +52,15 @@ ip6 test-ip6 input
   [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
 
+# ip6 flowlabel != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00210000  : 0 [end]	element 00370000  : 0 [end]	element 00430000  : 0 [end]	element 00580000  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip6 flowlabel { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -61,6 +70,15 @@ ip6 test-ip6 input
   [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
 
+# ip6 flowlabel != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00210000  : 0 [end]	element 00380000  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 3b @ network header + 1 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x00ffff0f ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip6 length 22
 ip6 test-ip6 input
   [ payload load 2b @ network header + 4 => reg 1 ]
@@ -82,6 +100,22 @@ ip6 test-ip6 input
   [ payload load 2b @ network header + 4 => reg 1 ]
   [ range neq reg 1 0x00002100 0x00002d00 ]
 
+# ip6 length { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+
+# ip6 length != {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip6 length { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -90,6 +124,14 @@ ip6 test-ip6 input
   [ payload load 2b @ network header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip6 length != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 2b @ network header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp}
 __set%d test-ip6 3
 __set%d test-ip6 0
@@ -106,6 +148,14 @@ ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip6 nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000032  : 0 [end]	element 00000033  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000088  : 0 [end]	element 00000006  : 0 [end]	element 00000021  : 0 [end]	element 00000084  : 0 [end]	element 0000003a  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip6 nexthdr esp
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -124,6 +174,14 @@ ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip6 nexthdr != { 33-44}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 0000002d  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip6 nexthdr 33-44
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -164,6 +222,14 @@ ip6 test-ip6 input
   [ payload load 1b @ network header + 7 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip6 hoplimit != {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 7 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip6 hoplimit {33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -172,6 +238,14 @@ ip6 test-ip6 input
   [ payload load 1b @ network header + 7 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ip6 hoplimit != {33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 7 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234
 ip6 test-ip6 input
   [ payload load 16b @ network header + 8 => reg 1 ]
@@ -370,6 +444,14 @@ ip6 test-ip6 input
   [ payload load 16b @ network header + 24 => reg 1 ]
   [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x02000000 ]
 
+# ip6 daddr != {::1234:1234:1234:1234:1234:1234:1234, 1234:1234::1234:1234:1234:1234:1234 }
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 34120000 34123412 34123412 34123412  : 0 [end]	element 34123412 34120000 34123412 34123412  : 0 [end]
+ip6 test-ip6 input 
+  [ payload load 16b @ network header + 24 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ip6 daddr != ::1234:1234:1234:1234:1234:1234:1234-1234:1234::1234:1234:1234:1234:1234
 ip6 test-ip6 input
   [ payload load 16b @ network header + 24 => reg 1 ]
diff --git a/tests/py/ip6/mh.t b/tests/py/ip6/mh.t
index 099a6eb..61f5f78 100644
--- a/tests/py/ip6/mh.t
+++ b/tests/py/ip6/mh.t
@@ -6,7 +6,7 @@
 mh nexthdr 1;ok
 mh nexthdr != 1;ok
 mh nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp };ok;mh nexthdr { 58, 17, 108, 6, 51, 136, 50, 132, 33}
-- mh nexthdr != {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok
+mh nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp };ok;mh nexthdr { 58, 17, 108, 6, 51, 136, 50, 132, 33}
 mh nexthdr icmp;ok;mh nexthdr 1
 mh nexthdr != icmp;ok;mh nexthdr != 1
 mh nexthdr 22;ok
@@ -14,18 +14,18 @@ mh nexthdr != 233;ok
 mh nexthdr 33-45;ok
 mh nexthdr != 33-45;ok
 mh nexthdr { 33, 55, 67, 88 };ok
-- mh nexthdr != { 33, 55, 67, 88 };ok
+mh nexthdr != { 33, 55, 67, 88 };ok
 mh nexthdr { 33-55 };ok
-- mh nexthdr != { 33-55 };ok
+mh nexthdr != { 33-55 };ok
 
 mh hdrlength 22;ok
 mh hdrlength != 233;ok
 mh hdrlength 33-45;ok
 mh hdrlength != 33-45;ok
 mh hdrlength { 33, 55, 67, 88 };ok
-- mh hdrlength != { 33, 55, 67, 88 };ok
+mh hdrlength != { 33, 55, 67, 88 };ok
 mh hdrlength { 33-55 };ok
-- mh hdrlength != { 33-55 };ok
+mh hdrlength != { 33-55 };ok
 
 mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message};ok
 mh type home-agent-switch-message;ok
@@ -36,15 +36,15 @@ mh reserved != 233;ok
 mh reserved 33-45;ok
 mh reserved != 33-45;ok
 mh reserved { 33, 55, 67, 88};ok
-- mh reserved != {33, 55, 67, 88};ok
+mh reserved != { 33, 55, 67, 88};ok
 mh reserved { 33-55};ok
-- mh reserved != { 33-55};ok
+mh reserved != { 33-55};ok
 
 mh checksum 22;ok
 mh checksum != 233;ok
 mh checksum 33-45;ok
 mh checksum != 33-45;ok
 mh checksum { 33, 55, 67, 88};ok
-- mh checksum != { 33, 55, 67, 88};ok
+mh checksum != { 33, 55, 67, 88};ok
 mh checksum { 33-55};ok
-- mh checksum != { 33-55};ok
+mh checksum != { 33-55};ok
diff --git a/tests/py/ip6/mh.t.payload.inet b/tests/py/ip6/mh.t.payload.inet
index 471af09..24335b1 100644
--- a/tests/py/ip6/mh.t.payload.inet
+++ b/tests/py/ip6/mh.t.payload.inet
@@ -22,6 +22,16 @@ inet test-inet input
   [ exthdr load 1b @ 135 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# mh nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000088  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 00000084  : 0 [end]	element 00000032  : 0 [end]	element 00000021  : 0 [end]	element 00000006  : 0 [end]	element 0000003a  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 135 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # mh nexthdr icmp
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -75,6 +85,16 @@ inet test-inet input
   [ exthdr load 1b @ 135 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# mh nexthdr != { 33, 55, 67, 88 }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 135 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # mh nexthdr { 33-55 }
 __set%d test-inet 7
 __set%d test-inet 0
@@ -85,6 +105,16 @@ inet test-inet input
   [ exthdr load 1b @ 135 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# mh nexthdr != { 33-55 }
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 135 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # mh hdrlength 22
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -124,6 +154,16 @@ inet test-inet input
   [ exthdr load 1b @ 135 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# mh hdrlength != { 33, 55, 67, 88 }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 135 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # mh hdrlength { 33-55 }
 __set%d test-inet 7
 __set%d test-inet 0
@@ -134,6 +174,16 @@ inet test-inet input
   [ exthdr load 1b @ 135 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# mh hdrlength != { 33-55 }
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 135 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}
 __set%d test-inet 3
 __set%d test-inet 0
@@ -197,6 +247,16 @@ inet test-inet input
   [ exthdr load 1b @ 135 + 3 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# mh reserved != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 135 + 3 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # mh reserved { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -207,6 +267,16 @@ inet test-inet input
   [ exthdr load 1b @ 135 + 3 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# mh reserved != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 135 + 3 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # mh checksum 22
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -246,6 +316,16 @@ inet test-inet input
   [ exthdr load 2b @ 135 + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# mh checksum != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 2b @ 135 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # mh checksum { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -256,3 +336,13 @@ inet test-inet input
   [ exthdr load 2b @ 135 + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# mh checksum != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 2b @ 135 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/ip6/mh.t.payload.ip6 b/tests/py/ip6/mh.t.payload.ip6
index 7a9aa35..d19b6e6 100644
--- a/tests/py/ip6/mh.t.payload.ip6
+++ b/tests/py/ip6/mh.t.payload.ip6
@@ -16,6 +16,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 135 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# mh nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp }
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000088  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 00000084  : 0 [end]	element 00000032  : 0 [end]	element 00000021  : 0 [end]	element 00000006  : 0 [end]	element 0000003a  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 135 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # mh nexthdr icmp
 ip6 test-ip6 input
   [ exthdr load 1b @ 135 + 0 => reg 1 ]
@@ -55,6 +63,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 135 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# mh nexthdr != { 33, 55, 67, 88 }
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 135 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # mh nexthdr { 33-55 }
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -63,6 +79,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 135 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# mh nexthdr != { 33-55 }
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 135 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # mh hdrlength 22
 ip6 test-ip6 input
   [ exthdr load 1b @ 135 + 1 => reg 1 ]
@@ -92,6 +116,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 135 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# mh hdrlength != { 33, 55, 67, 88 }
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 135 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # mh hdrlength { 33-55 }
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -100,6 +132,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 135 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# mh hdrlength != { 33-55 }
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 135 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}
 __set%d test-ip6 3
 __set%d test-ip6 0
@@ -147,6 +187,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 135 + 3 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# mh reserved != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 135 + 3 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # mh reserved { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -155,6 +203,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 135 + 3 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# mh reserved != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 135 + 3 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # mh checksum 22
 ip6 test-ip6 input
   [ exthdr load 2b @ 135 + 4 => reg 1 ]
@@ -184,6 +240,14 @@ ip6 test-ip6 input
   [ exthdr load 2b @ 135 + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# mh checksum != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load 2b @ 135 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # mh checksum { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -192,3 +256,11 @@ ip6 test-ip6 input
   [ exthdr load 2b @ 135 + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# mh checksum != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip6 test-ip6 input
+  [ exthdr load 2b @ 135 + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/ip6/rt.t b/tests/py/ip6/rt.t
index 7e700a5..2d044c3 100644
--- a/tests/py/ip6/rt.t
+++ b/tests/py/ip6/rt.t
@@ -6,7 +6,7 @@
 rt nexthdr 1;ok
 rt nexthdr != 1;ok
 rt nexthdr {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok;rt nexthdr { 33, 136, 50, 132, 51, 17, 108, 6, 58}
-- rt nexthdr != {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok
+rt nexthdr != {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok;rt nexthdr != { 33, 136, 50, 132, 51, 17, 108, 6, 58}
 rt nexthdr icmp;ok;rt nexthdr 1
 rt nexthdr != icmp;ok;rt nexthdr != 1
 rt nexthdr 22;ok
@@ -14,33 +14,33 @@ rt nexthdr != 233;ok
 rt nexthdr 33-45;ok
 rt nexthdr != 33-45;ok
 rt nexthdr { 33, 55, 67, 88};ok
-- rt nexthdr != { 33, 55, 67, 88};ok
+rt nexthdr != { 33, 55, 67, 88};ok
 rt nexthdr { 33-55};ok;rt nexthdr { 33-55}
-- rt nexthdr != { 33-55};ok
+rt nexthdr != { 33-55};ok
 
 rt hdrlength 22;ok
 rt hdrlength != 233;ok
 rt hdrlength 33-45;ok
 rt hdrlength != 33-45;ok
 rt hdrlength { 33, 55, 67, 88};ok
-- rt hdrlength != { 33, 55, 67, 88};ok
+rt hdrlength != { 33, 55, 67, 88};ok
 rt hdrlength { 33-55};ok
-- rt hdrlength != { 33-55};ok
+rt hdrlength != { 33-55};ok
 
 rt type 22;ok
 rt type != 233;ok
 rt type 33-45;ok
 rt type != 33-45;ok
 rt type { 33, 55, 67, 88};ok
-- rt type != { 33, 55, 67, 88};ok
+rt type != { 33, 55, 67, 88};ok
 rt type { 33-55};ok
-- rt type != { 33-55};ok
+rt type != { 33-55};ok
 
 rt seg-left 22;ok
 rt seg-left != 233;ok
 rt seg-left 33-45;ok
 rt seg-left != 33-45;ok
 rt seg-left { 33, 55, 67, 88};ok
-- rt seg-left != { 33, 55, 67, 88};ok
+rt seg-left != { 33, 55, 67, 88};ok
 rt seg-left { 33-55};ok
-- rt seg-left != { 33-55};ok
+rt seg-left != { 33-55};ok
diff --git a/tests/py/ip6/rt.t.payload.inet b/tests/py/ip6/rt.t.payload.inet
index 30e29a5..8fb717f 100644
--- a/tests/py/ip6/rt.t.payload.inet
+++ b/tests/py/ip6/rt.t.payload.inet
@@ -22,6 +22,16 @@ inet test-inet input
   [ exthdr load 1b @ 43 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# rt nexthdr != {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000088  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 00000084  : 0 [end]	element 00000032  : 0 [end]	element 00000021  : 0 [end]	element 00000006  : 0 [end]	element 0000003a  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 43 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # rt nexthdr icmp
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -75,6 +85,16 @@ inet test-inet input
   [ exthdr load 1b @ 43 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# rt nexthdr != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 43 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # rt nexthdr { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -85,6 +105,16 @@ inet test-inet input
   [ exthdr load 1b @ 43 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# rt nexthdr != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 43 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # rt hdrlength 22
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -124,6 +154,16 @@ inet test-inet input
   [ exthdr load 1b @ 43 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# rt hdrlength != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 43 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # rt hdrlength { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -134,6 +174,16 @@ inet test-inet input
   [ exthdr load 1b @ 43 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# rt hdrlength != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 43 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # rt type 22
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -173,6 +223,16 @@ inet test-inet input
   [ exthdr load 1b @ 43 + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# rt type != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 43 + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # rt type { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -183,6 +243,16 @@ inet test-inet input
   [ exthdr load 1b @ 43 + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# rt type != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 43 + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # rt seg-left 22
 inet test-inet input
   [ meta load nfproto => reg 1 ]
@@ -222,6 +292,16 @@ inet test-inet input
   [ exthdr load 1b @ 43 + 3 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# rt seg-left != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 43 + 3 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # rt seg-left { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -232,3 +312,13 @@ inet test-inet input
   [ exthdr load 1b @ 43 + 3 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# rt seg-left != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ exthdr load 1b @ 43 + 3 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/ip6/rt.t.payload.ip6 b/tests/py/ip6/rt.t.payload.ip6
index b96980b..5a57463 100644
--- a/tests/py/ip6/rt.t.payload.ip6
+++ b/tests/py/ip6/rt.t.payload.ip6
@@ -16,6 +16,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 43 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# rt nexthdr != {udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000088  : 0 [end]	element 0000006c  : 0 [end]	element 00000011  : 0 [end]	element 00000033  : 0 [end]	element 00000084  : 0 [end]	element 00000032  : 0 [end]	element 00000021  : 0 [end]	element 00000006  : 0 [end]	element 0000003a  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 43 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # rt nexthdr icmp
 ip6 test-ip6 input
   [ exthdr load 1b @ 43 + 0 => reg 1 ]
@@ -55,6 +63,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 43 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# rt nexthdr != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 43 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # rt nexthdr { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -63,6 +79,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 43 + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# rt nexthdr != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 43 + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # rt hdrlength 22
 ip6 test-ip6 input
   [ exthdr load 1b @ 43 + 1 => reg 1 ]
@@ -92,6 +116,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 43 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# rt hdrlength != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 43 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # rt hdrlength { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -100,6 +132,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 43 + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# rt hdrlength != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 43 + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # rt type 22
 ip6 test-ip6 input
   [ exthdr load 1b @ 43 + 2 => reg 1 ]
@@ -129,6 +169,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 43 + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# rt type != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 43 + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # rt type { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -137,6 +185,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 43 + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# rt type != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 43 + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # rt seg-left 22
 ip6 test-ip6 input
   [ exthdr load 1b @ 43 + 3 => reg 1 ]
@@ -166,6 +222,14 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 43 + 3 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# rt seg-left != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000021  : 0 [end]	element 00000037  : 0 [end]	element 00000043  : 0 [end]	element 00000058  : 0 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 43 + 3 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # rt seg-left { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -174,3 +238,11 @@ ip6 test-ip6 input
   [ exthdr load 1b @ 43 + 3 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# rt seg-left != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000021  : 0 [end]	element 00000038  : 1 [end]
+ip6 test-ip6 input
+  [ exthdr load 1b @ 43 + 3 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/ip6/sets.t b/tests/py/ip6/sets.t
index ea20834..3ea2d83 100644
--- a/tests/py/ip6/sets.t
+++ b/tests/py/ip6/sets.t
@@ -22,7 +22,9 @@
 ?set2 1234:1234:1234::1234;ok
 
 ip6 saddr @set2 drop;ok
+ip6 saddr != @set2 drop;ok
 ip6 saddr @set33 drop;fail
+ip6 saddr != @set33 drop;fail
 
 !set3 type ipv6_addr flags interval;ok
 ?set3 1234:1234:1234:1234::/64;ok
diff --git a/tests/py/ip6/sets.t.payload.inet b/tests/py/ip6/sets.t.payload.inet
index 27be86b..b45f630 100644
--- a/tests/py/ip6/sets.t.payload.inet
+++ b/tests/py/ip6/sets.t.payload.inet
@@ -6,3 +6,11 @@ inet test-inet input
   [ lookup reg 1 set set2 ]
   [ immediate reg 0 drop ]
 
+# ip6 saddr != @set2 drop
+inet test-inet input 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set set2 0x1 ]
+  [ immediate reg 0 drop ]
+
diff --git a/tests/py/ip6/sets.t.payload.ip6 b/tests/py/ip6/sets.t.payload.ip6
index 0e51fd3..0fab365 100644
--- a/tests/py/ip6/sets.t.payload.ip6
+++ b/tests/py/ip6/sets.t.payload.ip6
@@ -4,3 +4,9 @@ ip6 test-ip6 input
   [ lookup reg 1 set set2 ]
   [ immediate reg 0 drop ]
 
+# ip6 saddr != @set2 drop
+ip6 test-ip6 input
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set set2 0x1 ]
+  [ immediate reg 0 drop ]
+
diff --git a/tests/py/ip6/sets.t.payload.netdev b/tests/py/ip6/sets.t.payload.netdev
index 8f432d0..7c4ba3e 100644
--- a/tests/py/ip6/sets.t.payload.netdev
+++ b/tests/py/ip6/sets.t.payload.netdev
@@ -6,3 +6,11 @@ netdev test-netdev ingress
   [ lookup reg 1 set set2 ]
   [ immediate reg 0 drop ]
 
+# ip6 saddr != @set2 drop
+netdev test-netdev ingress 
+  [ meta load protocol => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ payload load 16b @ network header + 8 => reg 1 ]
+  [ lookup reg 1 set set2 0x1 ]
+  [ immediate reg 0 drop ]
+
-- 
2.11.0.rc2

[PATCH nft 5/7] tests/py{ah,esp,comp}: Unmark inverted set lookup

[Anatole Denis]

Signed-off-by: Anatole Denis <anatole@rezel.net>
---
 tests/py/inet/ah.t                  | 21 ++++------
 tests/py/inet/ah.t.payload.inet     | 80 +++++++++++++++++++++++++++++++++++++
 tests/py/inet/ah.t.payload.ip       | 80 +++++++++++++++++++++++++++++++++++++
 tests/py/inet/ah.t.payload.ip6      | 80 +++++++++++++++++++++++++++++++++++++
 tests/py/inet/ah.t.payload.netdev   | 80 +++++++++++++++++++++++++++++++++++++
 tests/py/inet/comp.t                |  8 ++--
 tests/py/inet/comp.t.payload.inet   | 40 +++++++++++++++++++
 tests/py/inet/comp.t.payload.ip     | 40 +++++++++++++++++++
 tests/py/inet/comp.t.payload.ip6    | 40 +++++++++++++++++++
 tests/py/inet/comp.t.payload.netdev | 40 +++++++++++++++++++
 tests/py/inet/esp.t                 |  8 ++--
 tests/py/inet/esp.t.payload.inet    | 40 +++++++++++++++++++
 tests/py/inet/esp.t.payload.ip      | 40 +++++++++++++++++++
 tests/py/inet/esp.t.payload.ip6     | 40 +++++++++++++++++++
 tests/py/inet/esp.t.payload.netdev  | 40 +++++++++++++++++++
 15 files changed, 655 insertions(+), 22 deletions(-)

diff --git a/tests/py/inet/ah.t b/tests/py/inet/ah.t
index ef52c2c..8544d9d 100644
--- a/tests/py/inet/ah.t
+++ b/tests/py/inet/ah.t
@@ -23,39 +23,34 @@
 ah hdrlength 11-23;ok
 ah hdrlength != 11-23;ok
 ah hdrlength { 11-23};ok
-- ah hdrlength != { 11-23};ok
+ah hdrlength != { 11-23};ok
 ah hdrlength {11, 23, 44 };ok
-- ah hdrlength != {11-23 };ok
+ah hdrlength != {11, 23, 44 };ok
 
 ah reserved 22;ok
 ah reserved != 233;ok
 ah reserved 33-45;ok
 ah reserved != 33-45;ok
 ah reserved {23, 100};ok
-- ah reserved != {33, 55, 67, 88};ok
+ah reserved != {23, 100};ok
 ah reserved { 33-55};ok
-- ah reserved != { 33-55};ok
+ah reserved != { 33-55};ok
 
 ah spi 111;ok
 ah spi != 111;ok
 ah spi 111-222;ok
 ah spi != 111-222;ok
 ah spi {111, 122};ok
-- ah spi != {111, 122};ok
-# BUG: invalid expression type set
-# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
-
+ah spi != {111, 122};ok
 ah spi { 111-122};ok
-- ah spi != { 111-122};ok
-# BUG: invalid expression type set
-# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+ah spi != { 111-122};ok
 
 # sequence
 ah sequence 123;ok
 ah sequence != 123;ok
 ah sequence {23, 25, 33};ok
-- ah sequence != {23, 25, 33};ok
+ah sequence != {23, 25, 33};ok
 ah sequence { 23-33};ok
-- ah sequence != { 33-44};ok
+ah sequence != { 23-33};ok
 ah sequence 23-33;ok
 ah sequence != 23-33;ok
diff --git a/tests/py/inet/ah.t.payload.inet b/tests/py/inet/ah.t.payload.inet
index 1e56797..5ec5fba 100644
--- a/tests/py/inet/ah.t.payload.inet
+++ b/tests/py/inet/ah.t.payload.inet
@@ -23,6 +23,16 @@ inet test-inet input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah hdrlength != { 11-23}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 0000000b  : 0 [end]	element 00000018  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah hdrlength {11, 23, 44 }
 __set%d test-inet 3
 __set%d test-inet 0
@@ -33,6 +43,16 @@ inet test-inet input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah hdrlength != {11, 23, 44 }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 0000000b  : 0 [end]	element 00000017  : 0 [end]	element 0000002c  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah reserved 22
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -72,6 +92,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah reserved != {23, 100}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001700  : 0 [end]	element 00006400  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah reserved { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -82,6 +112,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah reserved != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah spi 111
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -121,6 +161,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah spi != {111, 122}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 6f000000  : 0 [end]	element 7a000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah spi { 111-122}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -131,6 +181,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah spi != { 111-122}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 6f000000  : 0 [end]	element 7b000000  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah sequence 123
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -155,6 +215,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah sequence != {23, 25, 33}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 17000000  : 0 [end]	element 19000000  : 0 [end]	element 21000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah sequence { 23-33}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -165,6 +235,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah sequence != { 23-33}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 17000000  : 0 [end]	element 22000000  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah sequence 23-33
 inet test-inet input
   [ meta load l4proto => reg 1 ]
diff --git a/tests/py/inet/ah.t.payload.ip b/tests/py/inet/ah.t.payload.ip
index 5ad0041..594c949 100644
--- a/tests/py/inet/ah.t.payload.ip
+++ b/tests/py/inet/ah.t.payload.ip
@@ -23,6 +23,16 @@ ip test-ip4 input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah hdrlength != { 11-23}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 0000000b  : 0 [end]	element 00000018  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah hdrlength {11, 23, 44 }
 __set%d test-ip4 3
 __set%d test-ip4 0
@@ -33,6 +43,16 @@ ip test-ip4 input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah hdrlength != {11, 23, 44 }
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 0000000b  : 0 [end]	element 00000017  : 0 [end]	element 0000002c  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah reserved 22
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -72,6 +92,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah reserved != {23, 100}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00001700  : 0 [end]	element 00006400  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah reserved { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -82,6 +112,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah reserved != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah spi 111
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -121,6 +161,16 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah spi != {111, 122}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 6f000000  : 0 [end]	element 7a000000  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah spi { 111-122}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -131,6 +181,16 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah spi != { 111-122}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 6f000000  : 0 [end]	element 7b000000  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah sequence 123
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -155,6 +215,16 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah sequence != {23, 25, 33}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 17000000  : 0 [end]	element 19000000  : 0 [end]	element 21000000  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah sequence { 23-33}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -165,6 +235,16 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah sequence != { 23-33}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 17000000  : 0 [end]	element 22000000  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah sequence 23-33
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
diff --git a/tests/py/inet/ah.t.payload.ip6 b/tests/py/inet/ah.t.payload.ip6
index c57a28a..f12f0a0 100644
--- a/tests/py/inet/ah.t.payload.ip6
+++ b/tests/py/inet/ah.t.payload.ip6
@@ -23,6 +23,16 @@ ip6 test-ip6 input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah hdrlength != { 11-23}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 0000000b  : 0 [end]	element 00000018  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah hdrlength {11, 23, 44 }
 __set%d test-ip6 3
 __set%d test-ip6 0
@@ -33,6 +43,16 @@ ip6 test-ip6 input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah hdrlength != {11, 23, 44 }
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 0000000b  : 0 [end]	element 00000017  : 0 [end]	element 0000002c  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah reserved 22
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -72,6 +92,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah reserved != {23, 100}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00001700  : 0 [end]	element 00006400  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah reserved { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -82,6 +112,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah reserved != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah spi 111
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -121,6 +161,16 @@ ip6 test-ip6 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah spi != {111, 122}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 6f000000  : 0 [end]	element 7a000000  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah spi { 111-122}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -131,6 +181,16 @@ ip6 test-ip6 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah spi != { 111-122}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 6f000000  : 0 [end]	element 7b000000  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah sequence 123
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -155,6 +215,16 @@ ip6 test-ip6 input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah sequence != {23, 25, 33}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 17000000  : 0 [end]	element 19000000  : 0 [end]	element 21000000  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah sequence { 23-33}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -165,6 +235,16 @@ ip6 test-ip6 input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah sequence != { 23-33}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 17000000  : 0 [end]	element 22000000  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah sequence 23-33
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
diff --git a/tests/py/inet/ah.t.payload.netdev b/tests/py/inet/ah.t.payload.netdev
index e06811d..af15096 100644
--- a/tests/py/inet/ah.t.payload.netdev
+++ b/tests/py/inet/ah.t.payload.netdev
@@ -23,6 +23,16 @@ netdev test-netdev ingress
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah hdrlength != { 11-23}
+__set%d test-netdev 7
+__set%d test-netdev 0
+	element 00000000  : 1 [end]	element 0000000b  : 0 [end]	element 00000018  : 1 [end]
+netdev test-netdev ingress 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah hdrlength {11, 23, 44 }
 __set%d test-netdev 3
 __set%d test-netdev 0
@@ -33,6 +43,16 @@ netdev test-netdev ingress
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah hdrlength != {11, 23, 44 }
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 0000000b  : 0 [end]	element 00000017  : 0 [end]	element 0000002c  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah reserved 22
 netdev test-netdev ingress 
   [ meta load l4proto => reg 1 ]
@@ -72,6 +92,16 @@ netdev test-netdev ingress
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah reserved != {23, 100}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00001700  : 0 [end]	element 00006400  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah reserved { 33-55}
 __set%d test-netdev 7
 __set%d test-netdev 0
@@ -82,6 +112,16 @@ netdev test-netdev ingress
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah reserved != { 33-55}
+__set%d test-netdev 7
+__set%d test-netdev 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+netdev test-netdev ingress 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah spi 111
 netdev test-netdev ingress 
   [ meta load l4proto => reg 1 ]
@@ -121,6 +161,16 @@ netdev test-netdev ingress
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah spi != {111, 122}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 6f000000  : 0 [end]	element 7a000000  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah spi { 111-122}
 __set%d test-netdev 7
 __set%d test-netdev 0
@@ -131,6 +181,16 @@ netdev test-netdev ingress
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah spi != { 111-122}
+__set%d test-netdev 7
+__set%d test-netdev 0
+	element 00000000  : 1 [end]	element 6f000000  : 0 [end]	element 7b000000  : 1 [end]
+netdev test-netdev ingress 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah sequence 123
 netdev test-netdev ingress 
   [ meta load l4proto => reg 1 ]
@@ -155,6 +215,16 @@ netdev test-netdev ingress
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah sequence != {23, 25, 33}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 17000000  : 0 [end]	element 19000000  : 0 [end]	element 21000000  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah sequence { 23-33}
 __set%d test-netdev 7
 __set%d test-netdev 0
@@ -165,6 +235,16 @@ netdev test-netdev ingress
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# ah sequence != { 23-33}
+__set%d test-netdev 7
+__set%d test-netdev 0
+	element 00000000  : 1 [end]	element 17000000  : 0 [end]	element 22000000  : 1 [end]
+netdev test-netdev ingress 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000033 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # ah sequence 23-33
 netdev test-netdev ingress 
   [ meta load l4proto => reg 1 ]
diff --git a/tests/py/inet/comp.t b/tests/py/inet/comp.t
index 654e712..0df1813 100644
--- a/tests/py/inet/comp.t
+++ b/tests/py/inet/comp.t
@@ -19,15 +19,15 @@ comp flags != 0x23;ok
 comp flags 0x33-0x45;ok
 comp flags != 0x33-0x45;ok
 comp flags {0x33, 0x55, 0x67, 0x88};ok
-- comp flags != {0x33, 0x55, 0x67, 0x88};ok
+comp flags != {0x33, 0x55, 0x67, 0x88};ok
 comp flags { 0x33-0x55};ok
-- comp flags != { 0x33-0x55};ok
+comp flags != { 0x33-0x55};ok
 
 comp cpi 22;ok
 comp cpi != 233;ok
 comp cpi 33-45;ok
 comp cpi != 33-45;ok
 comp cpi {33, 55, 67, 88};ok
-- comp cpi != {33, 55, 67, 88};ok
+comp cpi != {33, 55, 67, 88};ok
 comp cpi { 33-55};ok
-- comp cpi != { 33-55};ok
+comp cpi != { 33-55};ok
diff --git a/tests/py/inet/comp.t.payload.inet b/tests/py/inet/comp.t.payload.inet
index cdeba2b..dec38ae 100644
--- a/tests/py/inet/comp.t.payload.inet
+++ b/tests/py/inet/comp.t.payload.inet
@@ -44,6 +44,16 @@ inet test-inet input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# comp flags != {0x33, 0x55, 0x67, 0x88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000033  : 0 [end]	element 00000055  : 0 [end]	element 00000067  : 0 [end]	element 00000088  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # comp flags { 0x33-0x55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -54,6 +64,16 @@ inet test-inet input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# comp flags != { 0x33-0x55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000033  : 0 [end]	element 00000056  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # comp cpi 22
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -93,6 +113,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# comp cpi != {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # comp cpi { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -103,3 +133,13 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# comp cpi != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/comp.t.payload.ip b/tests/py/inet/comp.t.payload.ip
index 9da8f94..9a6194e 100644
--- a/tests/py/inet/comp.t.payload.ip
+++ b/tests/py/inet/comp.t.payload.ip
@@ -44,6 +44,16 @@ ip test-ip4 input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# comp flags != {0x33, 0x55, 0x67, 0x88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000033  : 0 [end]	element 00000055  : 0 [end]	element 00000067  : 0 [end]	element 00000088  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # comp flags { 0x33-0x55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -54,6 +64,16 @@ ip test-ip4 input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# comp flags != { 0x33-0x55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00000033  : 0 [end]	element 00000056  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # comp cpi 22
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -93,6 +113,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# comp cpi != {33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # comp cpi { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -103,3 +133,13 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# comp cpi != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/comp.t.payload.ip6 b/tests/py/inet/comp.t.payload.ip6
index 69a13ed..a325d8c 100644
--- a/tests/py/inet/comp.t.payload.ip6
+++ b/tests/py/inet/comp.t.payload.ip6
@@ -44,6 +44,16 @@ ip6 test-ip6 input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# comp flags != {0x33, 0x55, 0x67, 0x88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000033  : 0 [end]	element 00000055  : 0 [end]	element 00000067  : 0 [end]	element 00000088  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # comp flags { 0x33-0x55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -54,6 +64,16 @@ ip6 test-ip6 input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# comp flags != { 0x33-0x55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000033  : 0 [end]	element 00000056  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # comp cpi 22
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -93,6 +113,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# comp cpi != {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # comp cpi { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -103,3 +133,13 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# comp cpi != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/comp.t.payload.netdev b/tests/py/inet/comp.t.payload.netdev
index cdeba2b..dec38ae 100644
--- a/tests/py/inet/comp.t.payload.netdev
+++ b/tests/py/inet/comp.t.payload.netdev
@@ -44,6 +44,16 @@ inet test-inet input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# comp flags != {0x33, 0x55, 0x67, 0x88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000033  : 0 [end]	element 00000055  : 0 [end]	element 00000067  : 0 [end]	element 00000088  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # comp flags { 0x33-0x55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -54,6 +64,16 @@ inet test-inet input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# comp flags != { 0x33-0x55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000033  : 0 [end]	element 00000056  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 1b @ transport header + 1 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # comp cpi 22
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -93,6 +113,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# comp cpi != {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # comp cpi { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -103,3 +133,13 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# comp cpi != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0000006c ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/esp.t b/tests/py/inet/esp.t
index f822da7..e79eead 100644
--- a/tests/py/inet/esp.t
+++ b/tests/py/inet/esp.t
@@ -11,7 +11,7 @@ esp spi != 100;ok
 esp spi 111-222;ok
 esp spi != 111-222;ok
 esp spi { 100, 102};ok
-- esp spi != { 100, 102};ok
+esp spi != { 100, 102};ok
 esp spi { 100-102};ok
 - esp spi {100-102};ok
 
@@ -19,8 +19,6 @@ esp sequence 22;ok
 esp sequence 22-24;ok
 esp sequence != 22-24;ok
 esp sequence { 22, 24};ok
-- esp sequence != { 22, 24};ok
-# BUG: invalid expression type set
-# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+esp sequence != { 22, 24};ok
 esp sequence { 22-25};ok
-- esp sequence != { 22-25};ok
+esp sequence != { 22-25};ok
diff --git a/tests/py/inet/esp.t.payload.inet b/tests/py/inet/esp.t.payload.inet
index d41f766..ad68530 100644
--- a/tests/py/inet/esp.t.payload.inet
+++ b/tests/py/inet/esp.t.payload.inet
@@ -37,6 +37,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# esp spi != { 100, 102}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 64000000  : 0 [end]	element 66000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # esp spi { 100-102}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -47,6 +57,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# esp spi != { 100-102}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 64000000  : 0 [end]	element 67000000  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # esp sequence 22
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -79,6 +99,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# esp sequence != { 22, 24}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 16000000  : 0 [end]	element 18000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # esp sequence { 22-25}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -89,3 +119,13 @@ inet test-inet input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# esp sequence != { 22-25}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 16000000  : 0 [end]	element 1a000000  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/esp.t.payload.ip b/tests/py/inet/esp.t.payload.ip
index 5de41ae..f8ef9ec 100644
--- a/tests/py/inet/esp.t.payload.ip
+++ b/tests/py/inet/esp.t.payload.ip
@@ -37,6 +37,16 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# esp spi != { 100, 102}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 64000000  : 0 [end]	element 66000000  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # esp spi { 100-102}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -47,6 +57,16 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# esp spi != { 100-102}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 64000000  : 0 [end]	element 67000000  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # esp sequence 22
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -79,6 +99,16 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# esp sequence != { 22, 24}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 16000000  : 0 [end]	element 18000000  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # esp sequence { 22-25}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -89,3 +119,13 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# esp sequence != { 22-25}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 16000000  : 0 [end]	element 1a000000  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/esp.t.payload.ip6 b/tests/py/inet/esp.t.payload.ip6
index 0bc2e70..4758492 100644
--- a/tests/py/inet/esp.t.payload.ip6
+++ b/tests/py/inet/esp.t.payload.ip6
@@ -37,6 +37,16 @@ ip6 test-ip6 input
   [ payload load 4b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# esp spi != { 100, 102}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 64000000  : 0 [end]	element 66000000  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # esp spi { 100-102}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -47,6 +57,16 @@ ip6 test-ip6 input
   [ payload load 4b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# esp spi != { 100-102}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 64000000  : 0 [end]	element 67000000  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # esp sequence 22
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -79,6 +99,16 @@ ip6 test-ip6 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# esp sequence != { 22, 24}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 16000000  : 0 [end]	element 18000000  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # esp sequence { 22-25}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -89,3 +119,13 @@ ip6 test-ip6 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# esp sequence != { 22-25}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 16000000  : 0 [end]	element 1a000000  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/esp.t.payload.netdev b/tests/py/inet/esp.t.payload.netdev
index d41f766..ad68530 100644
--- a/tests/py/inet/esp.t.payload.netdev
+++ b/tests/py/inet/esp.t.payload.netdev
@@ -37,6 +37,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# esp spi != { 100, 102}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 64000000  : 0 [end]	element 66000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # esp spi { 100-102}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -47,6 +57,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# esp spi != { 100-102}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 64000000  : 0 [end]	element 67000000  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # esp sequence 22
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -79,6 +99,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# esp sequence != { 22, 24}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 16000000  : 0 [end]	element 18000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # esp sequence { 22-25}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -89,3 +119,13 @@ inet test-inet input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# esp sequence != { 22-25}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 16000000  : 0 [end]	element 1a000000  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000032 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
-- 
2.11.0.rc2

[PATCH nft 6/7] tests/py/{dccp,sctp,tcp}: Unmark inverted lookup

[Anatole Denis]

Signed-off-by: Anatole Denis <anatole@rezel.net>
---
 tests/py/inet/dccp.t                |  15 ++--
 tests/py/inet/dccp.t.payload.inet   |  51 ++++++++++++
 tests/py/inet/dccp.t.payload.ip     |  61 ++++++++++++++
 tests/py/inet/dccp.t.payload.ip6    |  61 ++++++++++++++
 tests/py/inet/dccp.t.payload.netdev |  61 ++++++++++++++
 tests/py/inet/sctp.t                |  18 ++--
 tests/py/inet/sctp.t.payload.inet   |  80 ++++++++++++++++++
 tests/py/inet/sctp.t.payload.ip     |  80 ++++++++++++++++++
 tests/py/inet/sctp.t.payload.ip6    |  80 ++++++++++++++++++
 tests/py/inet/sctp.t.payload.netdev |  80 ++++++++++++++++++
 tests/py/inet/tcp.t                 |  32 +++----
 tests/py/inet/tcp.t.payload.inet    | 161 ++++++++++++++++++++++++++++++++++++
 tests/py/inet/tcp.t.payload.ip      | 161 ++++++++++++++++++++++++++++++++++++
 tests/py/inet/tcp.t.payload.ip6     | 161 ++++++++++++++++++++++++++++++++++++
 tests/py/inet/tcp.t.payload.netdev  | 161 ++++++++++++++++++++++++++++++++++++
 15 files changed, 1227 insertions(+), 36 deletions(-)

diff --git a/tests/py/inet/dccp.t b/tests/py/inet/dccp.t
index f5f8b67..f0dd788 100644
--- a/tests/py/inet/dccp.t
+++ b/tests/py/inet/dccp.t
@@ -9,27 +9,22 @@
 dccp sport 21-35;ok
 dccp sport != 21-35;ok
 dccp sport {23, 24, 25};ok
-- dccp sport != { 27, 34};ok
-# BUG: invalid expression type set
-# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+dccp sport != {23, 24, 25};ok
 
 dccp sport { 20-50 };ok
 dccp sport ftp-data - re-mail-ck;ok;dccp sport 20-50
 dccp sport 20-50;ok
 dccp sport { 20-50};ok
-- dccp sport != {27-34};ok
-# dccp sport != {27-34};ok
-# BUG: invalid expression type set
-# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+dccp sport != { 20-50};ok
 
 # dccp dport 21-35;ok
 # dccp dport != 21-35;ok
 dccp dport {23, 24, 25};ok
-# dccp dport != {27, 34};ok
+dccp dport != {23, 24, 25};ok
 dccp dport { 20-50};ok
-# dccp dport != {27-34};ok
+dccp dport != { 20-50};ok
 
 dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok
-# dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok
+dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok
 dccp type request;ok
 dccp type != request;ok
diff --git a/tests/py/inet/dccp.t.payload.inet b/tests/py/inet/dccp.t.payload.inet
index ccba6d0..b5a48f4 100644
--- a/tests/py/inet/dccp.t.payload.inet
+++ b/tests/py/inet/dccp.t.payload.inet
@@ -23,6 +23,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp sport != {23, 24, 25}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp sport { 20-50 }
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -59,6 +69,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp sport != { 20-50}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00001400  : 0 [end]	element 00003300  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp dport {23, 24, 25}
 __set%d test-ip4 3
 __set%d test-ip4 0
@@ -69,6 +89,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp dport != {23, 24, 25}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp dport { 20-50}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -79,6 +109,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp dport != { 20-50}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00001400  : 0 [end]	element 00003300  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
 __set%d test-inet 3
 __set%d test-inet 0
@@ -90,6 +130,17 @@ inet test-inet input
   [ bitwise reg 1 = (reg=1 & 0x0000001e ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000000  : 0 [end]	element 00000002  : 0 [end]	element 00000004  : 0 [end]	element 00000006  : 0 [end]	element 00000008  : 0 [end]	element 0000000a  : 0 [end]	element 0000000c  : 0 [end]	element 0000000e  : 0 [end]	element 00000010  : 0 [end]	element 00000012  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 1b @ transport header + 8 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x0000001e ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp type request
 inet test-inet input
   [ meta load l4proto => reg 1 ]
diff --git a/tests/py/inet/dccp.t.payload.ip b/tests/py/inet/dccp.t.payload.ip
index a02247f..b8844c5 100644
--- a/tests/py/inet/dccp.t.payload.ip
+++ b/tests/py/inet/dccp.t.payload.ip
@@ -23,6 +23,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp sport != {23, 24, 25}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp sport { 20-50 }
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -33,6 +43,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp sport != { 20-50 }
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00001400  : 0 [end]	element 00003300  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp sport ftp-data - re-mail-ck
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -59,6 +79,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp sport != { 20-50}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00001400  : 0 [end]	element 00003300  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp dport {23, 24, 25}
 __set%d test-ip4 3
 __set%d test-ip4 0
@@ -69,6 +99,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp dport != {23, 24, 25}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp dport { 20-50}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -79,6 +119,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp dport != { 20-50}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00001400  : 0 [end]	element 00003300  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
 __set%d test-ip4 3
 __set%d test-ip4 0
@@ -90,6 +140,17 @@ ip test-ip4 input
   [ bitwise reg 1 = (reg=1 & 0x0000001e ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000000  : 0 [end]	element 00000002  : 0 [end]	element 00000004  : 0 [end]	element 00000006  : 0 [end]	element 00000008  : 0 [end]	element 0000000a  : 0 [end]	element 0000000c  : 0 [end]	element 0000000e  : 0 [end]	element 00000010  : 0 [end]	element 00000012  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 1b @ transport header + 8 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x0000001e ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp type request
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
diff --git a/tests/py/inet/dccp.t.payload.ip6 b/tests/py/inet/dccp.t.payload.ip6
index c81a3a0..0f8aab1 100644
--- a/tests/py/inet/dccp.t.payload.ip6
+++ b/tests/py/inet/dccp.t.payload.ip6
@@ -23,6 +23,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp sport != {23, 24, 25}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp sport { 20-50 }
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -33,6 +43,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp sport != { 20-50 }
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00001400  : 0 [end]	element 00003300  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp sport ftp-data - re-mail-ck
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -59,6 +79,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp sport != { 20-50}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00001400  : 0 [end]	element 00003300  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp dport {23, 24, 25}
 __set%d test-ip4 3
 __set%d test-ip4 0
@@ -69,6 +99,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp dport != {23, 24, 25}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp dport { 20-50}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -79,6 +119,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp dport != { 20-50}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00001400  : 0 [end]	element 00003300  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
 __set%d test-ip6 3
 __set%d test-ip6 0
@@ -90,6 +140,17 @@ ip6 test-ip6 input
   [ bitwise reg 1 = (reg=1 & 0x0000001e ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000000  : 0 [end]	element 00000002  : 0 [end]	element 00000004  : 0 [end]	element 00000006  : 0 [end]	element 00000008  : 0 [end]	element 0000000a  : 0 [end]	element 0000000c  : 0 [end]	element 0000000e  : 0 [end]	element 00000010  : 0 [end]	element 00000012  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 1b @ transport header + 8 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x0000001e ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp type request
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
diff --git a/tests/py/inet/dccp.t.payload.netdev b/tests/py/inet/dccp.t.payload.netdev
index abb1fb9..3136931 100644
--- a/tests/py/inet/dccp.t.payload.netdev
+++ b/tests/py/inet/dccp.t.payload.netdev
@@ -23,6 +23,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp sport != {23, 24, 25}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp sport { 20-50 }
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -33,6 +43,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp sport != { 20-50 }
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00001400  : 0 [end]	element 00003300  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp sport ftp-data - re-mail-ck
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -59,6 +79,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp sport != { 20-50}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00001400  : 0 [end]	element 00003300  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp dport {23, 24, 25}
 __set%d test-ip4 3
 __set%d test-ip4 0
@@ -69,6 +99,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp dport != {23, 24, 25}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp dport { 20-50}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -79,6 +119,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp dport != { 20-50}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00001400  : 0 [end]	element 00003300  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
 __set%d test-netdev 3
 __set%d test-netdev 0
@@ -90,6 +140,17 @@ netdev test-netdev ingress
   [ bitwise reg 1 = (reg=1 & 0x0000001e ) ^ 0x00000000 ]
   [ lookup reg 1 set __set%d ]
 
+# dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 00000000  : 0 [end]	element 00000002  : 0 [end]	element 00000004  : 0 [end]	element 00000006  : 0 [end]	element 00000008  : 0 [end]	element 0000000a  : 0 [end]	element 0000000c  : 0 [end]	element 0000000e  : 0 [end]	element 00000010  : 0 [end]	element 00000012  : 0 [end]
+netdev test-netdev ingress
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000021 ]
+  [ payload load 1b @ transport header + 8 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x0000001e ) ^ 0x00000000 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # dccp type request
 netdev test-netdev ingress
   [ meta load l4proto => reg 1 ]
diff --git a/tests/py/inet/sctp.t b/tests/py/inet/sctp.t
index 9f522b4..5188b57 100644
--- a/tests/py/inet/sctp.t
+++ b/tests/py/inet/sctp.t
@@ -11,35 +11,33 @@ sctp sport != 23;ok
 sctp sport 23-44;ok
 sctp sport != 23-44;ok
 sctp sport { 23, 24, 25};ok
-- sctp sport != { 23, 24, 25};ok
+sctp sport != { 23, 24, 25};ok
 sctp sport { 23-44};ok
-- sctp sport != { 23-44};ok
-# BUG: invalid expression type set
-# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+sctp sport != { 23-44};ok
 
 sctp dport 23;ok
 sctp dport != 23;ok
 sctp dport 23-44;ok
 sctp dport != 23-44;ok
 sctp dport { 23, 24, 25};ok
-- sctp dport != { 23, 24, 25};ok
+sctp dport != { 23, 24, 25};ok
 sctp dport { 23-44};ok
-- sctp dport != { 23-44};ok
+sctp dport != { 23-44};ok
 
 sctp checksum 1111;ok
 sctp checksum != 11;ok
 sctp checksum 21-333;ok
 sctp checksum != 32-111;ok
 sctp checksum { 22, 33, 44};ok
-- sctp checksum != { 22, 33, 44};ok
+sctp checksum != { 22, 33, 44};ok
 sctp checksum { 22-44};ok
-- sctp checksum != { 22-44};ok
+sctp checksum != { 22-44};ok
 
 sctp vtag 22;ok
 sctp vtag != 233;ok
 sctp vtag 33-45;ok
 sctp vtag != 33-45;ok
 sctp vtag {33, 55, 67, 88};ok
-- sctp vtag != {33, 55, 67, 88};ok
+sctp vtag != {33, 55, 67, 88};ok
 sctp vtag { 33-55};ok
-- sctp vtag != { 33-55};ok
+sctp vtag != { 33-55};ok
diff --git a/tests/py/inet/sctp.t.payload.inet b/tests/py/inet/sctp.t.payload.inet
index bc7fe7c..ecfcc72 100644
--- a/tests/py/inet/sctp.t.payload.inet
+++ b/tests/py/inet/sctp.t.payload.inet
@@ -37,6 +37,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp sport != { 23, 24, 25}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp sport { 23-44}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -47,6 +57,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp sport != { 23-44}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00001700  : 0 [end]	element 00002d00  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp dport 23
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -86,6 +106,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp dport != { 23, 24, 25}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp dport { 23-44}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -96,6 +126,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp dport != { 23-44}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00001700  : 0 [end]	element 00002d00  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp checksum 1111
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -135,6 +175,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp checksum != { 22, 33, 44}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 16000000  : 0 [end]	element 21000000  : 0 [end]	element 2c000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp checksum { 22-44}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -145,6 +195,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp checksum != { 22-44}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 16000000  : 0 [end]	element 2d000000  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp vtag 22
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -184,6 +244,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp vtag != {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp vtag { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -194,3 +264,13 @@ inet test-inet input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp vtag != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/sctp.t.payload.ip b/tests/py/inet/sctp.t.payload.ip
index fa6ea43..4d8a724 100644
--- a/tests/py/inet/sctp.t.payload.ip
+++ b/tests/py/inet/sctp.t.payload.ip
@@ -37,6 +37,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp sport != { 23, 24, 25}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp sport { 23-44}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -47,6 +57,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp sport != { 23-44}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00001700  : 0 [end]	element 00002d00  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp dport 23
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -86,6 +106,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp dport != { 23, 24, 25}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp dport { 23-44}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -96,6 +126,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp dport != { 23-44}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00001700  : 0 [end]	element 00002d00  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp checksum 1111
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -135,6 +175,16 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp checksum != { 22, 33, 44}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 16000000  : 0 [end]	element 21000000  : 0 [end]	element 2c000000  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp checksum { 22-44}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -145,6 +195,16 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp checksum != { 22-44}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 16000000  : 0 [end]	element 2d000000  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp vtag 22
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -184,6 +244,16 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp vtag != {33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp vtag { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -194,3 +264,13 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp vtag != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/sctp.t.payload.ip6 b/tests/py/inet/sctp.t.payload.ip6
index 5d11369..5c63d2a 100644
--- a/tests/py/inet/sctp.t.payload.ip6
+++ b/tests/py/inet/sctp.t.payload.ip6
@@ -37,6 +37,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp sport != { 23, 24, 25}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp sport { 23-44}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -47,6 +57,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp sport != { 23-44}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00001700  : 0 [end]	element 00002d00  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp dport 23
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -86,6 +106,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp dport != { 23, 24, 25}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp dport { 23-44}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -96,6 +126,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp dport != { 23-44}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00001700  : 0 [end]	element 00002d00  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp checksum 1111
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -135,6 +175,16 @@ ip6 test-ip6 input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp checksum != { 22, 33, 44}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 16000000  : 0 [end]	element 21000000  : 0 [end]	element 2c000000  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp checksum { 22-44}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -145,6 +195,16 @@ ip6 test-ip6 input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp checksum != { 22-44}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 16000000  : 0 [end]	element 2d000000  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp vtag 22
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -184,6 +244,16 @@ ip6 test-ip6 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp vtag != {33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp vtag { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -194,3 +264,13 @@ ip6 test-ip6 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp vtag != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/sctp.t.payload.netdev b/tests/py/inet/sctp.t.payload.netdev
index bc7fe7c..ecfcc72 100644
--- a/tests/py/inet/sctp.t.payload.netdev
+++ b/tests/py/inet/sctp.t.payload.netdev
@@ -37,6 +37,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp sport != { 23, 24, 25}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp sport { 23-44}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -47,6 +57,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp sport != { 23-44}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00001700  : 0 [end]	element 00002d00  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp dport 23
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -86,6 +106,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp dport != { 23, 24, 25}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001700  : 0 [end]	element 00001800  : 0 [end]	element 00001900  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp dport { 23-44}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -96,6 +126,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp dport != { 23-44}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00001700  : 0 [end]	element 00002d00  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp checksum 1111
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -135,6 +175,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp checksum != { 22, 33, 44}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 16000000  : 0 [end]	element 21000000  : 0 [end]	element 2c000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp checksum { 22-44}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -145,6 +195,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp checksum != { 22-44}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 16000000  : 0 [end]	element 2d000000  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp vtag 22
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -184,6 +244,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp vtag != {33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # sctp vtag { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -194,3 +264,13 @@ inet test-inet input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# sctp vtag != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000084 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t
index 9618e53..d959284 100644
--- a/tests/py/inet/tcp.t
+++ b/tests/py/inet/tcp.t
@@ -11,14 +11,14 @@ tcp dport != 233;ok
 tcp dport 33-45;ok
 tcp dport != 33-45;ok
 tcp dport { 33, 55, 67, 88};ok
-- tcp dport != { 33, 55, 67, 88};ok
+tcp dport != { 33, 55, 67, 88};ok
 tcp dport { 33-55};ok
-- tcp dport != { 33-55};ok
+tcp dport != { 33-55};ok
 tcp dport {telnet, http, https} accept;ok;tcp dport { 443, 23, 80} accept
 tcp dport vmap { 22 : accept, 23 : drop };ok
 tcp dport vmap { 25:accept, 28:drop };ok
 tcp dport { 22, 53, 80, 110 };ok
-- tcp dport != { 22, 53, 80, 110 };ok
+tcp dport != { 22, 53, 80, 110 };ok
 # BUG: invalid expression type set
 # nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
 
@@ -27,9 +27,9 @@ tcp sport != 233;ok
 tcp sport 33-45;ok
 tcp sport != 33-45;ok
 tcp sport { 33, 55, 67, 88};ok
-- tcp sport != { 33, 55, 67, 88};ok
+tcp sport != { 33, 55, 67, 88};ok
 tcp sport { 33-55};ok
-- tcp sport != { 33-55};ok
+tcp sport != { 33-55};ok
 tcp sport vmap { 25:accept, 28:drop };ok
 
 tcp sport 8080 drop;ok
@@ -44,9 +44,9 @@ tcp sequence != 233;ok
 tcp sequence 33-45;ok
 tcp sequence != 33-45;ok
 tcp sequence { 33, 55, 67, 88};ok
-- tcp sequence != { 33, 55, 67, 88};ok
+tcp sequence != { 33, 55, 67, 88};ok
 tcp sequence { 33-55};ok
-- tcp sequence != { 33-55};ok
+tcp sequence != { 33-55};ok
 
 tcp ackseq 42949672 drop;ok
 tcp ackseq 22;ok
@@ -54,9 +54,9 @@ tcp ackseq != 233;ok
 tcp ackseq 33-45;ok
 tcp ackseq != 33-45;ok
 tcp ackseq { 33, 55, 67, 88};ok
-- tcp ackseq != { 33, 55, 67, 88};ok
+tcp ackseq != { 33, 55, 67, 88};ok
 tcp ackseq { 33-55};ok
-- tcp ackseq != { 33-55};ok
+tcp ackseq != { 33-55};ok
 
 - tcp doff 22;ok
 - tcp doff != 233;ok
@@ -71,7 +71,7 @@ tcp ackseq { 33-55};ok
 # BUG: It is accepted but it is not shown then. tcp reserver
 
 tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop;ok
-- tcp flags != { fin, urg, ecn, cwr} drop;ok
+tcp flags != { fin, urg, ecn, cwr} drop;ok
 tcp flags cwr;ok
 tcp flags != cwr;ok
 
@@ -81,18 +81,18 @@ tcp window != 233;ok
 tcp window 33-45;ok
 tcp window != 33-45;ok
 tcp window { 33, 55, 67, 88};ok
-- tcp window != { 33, 55, 67, 88};ok
+tcp window != { 33, 55, 67, 88};ok
 tcp window { 33-55};ok
-- tcp window != { 33-55};ok
+tcp window != { 33-55};ok
 
 tcp checksum 22;ok
 tcp checksum != 233;ok
 tcp checksum 33-45;ok
 tcp checksum != 33-45;ok
 tcp checksum { 33, 55, 67, 88};ok
-- tcp checksum != { 33, 55, 67, 88};ok
+tcp checksum != { 33, 55, 67, 88};ok
 tcp checksum { 33-55};ok
-- tcp checksum != { 33-55};ok
+tcp checksum != { 33-55};ok
 
 tcp urgptr 1234 accept;ok
 tcp urgptr 22;ok
@@ -100,8 +100,8 @@ tcp urgptr != 233;ok
 tcp urgptr 33-45;ok
 tcp urgptr != 33-45;ok
 tcp urgptr { 33, 55, 67, 88};ok
-- tcp urgptr != { 33, 55, 67, 88};ok
+tcp urgptr != { 33, 55, 67, 88};ok
 tcp urgptr { 33-55};ok
-- tcp urgptr != { 33-55};ok
+tcp urgptr != { 33-55};ok
 
 tcp doff 8;ok
diff --git a/tests/py/inet/tcp.t.payload.inet b/tests/py/inet/tcp.t.payload.inet
index 354d013..583fcd4 100644
--- a/tests/py/inet/tcp.t.payload.inet
+++ b/tests/py/inet/tcp.t.payload.inet
@@ -37,6 +37,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp dport != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp dport { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -47,6 +57,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp dport != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp dport {telnet, http, https} accept
 __set%d test-inet 3
 __set%d test-inet 0
@@ -88,6 +108,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp dport != { 22, 53, 80, 110 }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001600  : 0 [end]	element 00003500  : 0 [end]	element 00005000  : 0 [end]	element 00006e00  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp sport 22
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -127,6 +157,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp sport != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp sport { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -137,6 +177,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp sport != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp sport vmap { 25:accept, 28:drop }
 __map%d test-inet b
 __map%d test-inet 0
@@ -227,6 +277,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp sequence != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp sequence { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -237,6 +297,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp sequence != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp ackseq 42949672 drop
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -284,6 +354,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp ackseq != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp ackseq { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -294,6 +374,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp ackseq != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop
 __set%d test-inet 3
 __set%d test-inet 0
@@ -305,6 +395,17 @@ inet test-inet input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# tcp flags != { fin, urg, ecn, cwr} drop
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000001  : 0 [end]	element 00000020  : 0 [end]	element 00000040  : 0 [end]	element 00000080  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 drop ]
+
 # tcp flags cwr
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -366,6 +467,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 14 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp window != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 14 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp window { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -376,6 +487,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 14 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp window != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 14 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp checksum 22
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -415,6 +536,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 16 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp checksum != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp checksum { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -425,6 +556,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 16 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp checksum != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp urgptr 1234 accept
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -472,6 +613,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 18 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp urgptr != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 18 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp urgptr { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -482,6 +633,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 18 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp urgptr != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 18 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp doff 8
 inet test-inet input
   [ meta load l4proto => reg 1 ]
diff --git a/tests/py/inet/tcp.t.payload.ip b/tests/py/inet/tcp.t.payload.ip
index d70a176..065a2b1 100644
--- a/tests/py/inet/tcp.t.payload.ip
+++ b/tests/py/inet/tcp.t.payload.ip
@@ -37,6 +37,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp dport != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp dport { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -47,6 +57,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp dport != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp dport {telnet, http, https} accept
 __set%d test-ip4 3
 __set%d test-ip4 0
@@ -88,6 +108,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp dport != { 22, 53, 80, 110 }
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00001600  : 0 [end]	element 00003500  : 0 [end]	element 00005000  : 0 [end]	element 00006e00  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp sport 22
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -127,6 +157,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp sport != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp sport { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -137,6 +177,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp sport != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp sport vmap { 25:accept, 28:drop }
 __map%d test-ip4 b
 __map%d test-ip4 0
@@ -227,6 +277,16 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp sequence != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp sequence { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -237,6 +297,16 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp sequence != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp ackseq 42949672 drop
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -284,6 +354,16 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp ackseq != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp ackseq { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -294,6 +374,16 @@ ip test-ip4 input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp ackseq != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop
 __set%d test-ip4 3
 __set%d test-ip4 0
@@ -305,6 +395,17 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# tcp flags != { fin, urg, ecn, cwr} drop
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00000001  : 0 [end]	element 00000020  : 0 [end]	element 00000040  : 0 [end]	element 00000080  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 drop ]
+
 # tcp flags cwr
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -366,6 +467,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 14 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp window != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 14 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp window { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -376,6 +487,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 14 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp window != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 14 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp checksum 22
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -415,6 +536,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 16 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp checksum != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp checksum { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -425,6 +556,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 16 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp checksum != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp urgptr 1234 accept
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -472,6 +613,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 18 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp urgptr != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 18 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp urgptr { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -482,6 +633,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 18 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp urgptr != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 18 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp doff 8
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
diff --git a/tests/py/inet/tcp.t.payload.ip6 b/tests/py/inet/tcp.t.payload.ip6
index 4e9c413..a4ddc16 100644
--- a/tests/py/inet/tcp.t.payload.ip6
+++ b/tests/py/inet/tcp.t.payload.ip6
@@ -37,6 +37,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp dport != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp dport { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -47,6 +57,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp dport != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp dport {telnet, http, https} accept
 __set%d test-ip6 3
 __set%d test-ip6 0
@@ -88,6 +108,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp dport != { 22, 53, 80, 110 }
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00001600  : 0 [end]	element 00003500  : 0 [end]	element 00005000  : 0 [end]	element 00006e00  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp sport 22
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -127,6 +157,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp sport != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp sport { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -137,6 +177,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp sport != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp sport vmap { 25:accept, 28:drop }
 __map%d test-ip6 b
 __map%d test-ip6 0
@@ -227,6 +277,16 @@ ip6 test-ip6 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp sequence != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp sequence { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -237,6 +297,16 @@ ip6 test-ip6 input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp sequence != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp ackseq 42949672 drop
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -284,6 +354,16 @@ ip6 test-ip6 input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp ackseq != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp ackseq { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -294,6 +374,16 @@ ip6 test-ip6 input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp ackseq != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop
 __set%d test-ip6 3
 __set%d test-ip6 0
@@ -305,6 +395,17 @@ ip6 test-ip6 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# tcp flags != { fin, urg, ecn, cwr} drop
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00000001  : 0 [end]	element 00000020  : 0 [end]	element 00000040  : 0 [end]	element 00000080  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 drop ]
+
 # tcp flags cwr
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -366,6 +467,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 14 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp window != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 14 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp window { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -376,6 +487,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 14 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp window != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 14 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp checksum 22
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -415,6 +536,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 16 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp checksum != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp checksum { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -425,6 +556,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 16 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp checksum != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp urgptr 1234 accept
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -472,6 +613,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 18 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp urgptr != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 18 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp urgptr { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -482,6 +633,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 18 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp urgptr != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 18 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp doff 8
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
diff --git a/tests/py/inet/tcp.t.payload.netdev b/tests/py/inet/tcp.t.payload.netdev
index 854f4bb..dd79898 100644
--- a/tests/py/inet/tcp.t.payload.netdev
+++ b/tests/py/inet/tcp.t.payload.netdev
@@ -37,6 +37,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp dport != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp dport { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -47,6 +57,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp dport != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp dport {telnet, http, https} accept
 __set%d test-inet 3
 __set%d test-inet 0
@@ -88,6 +108,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp dport != { 22, 53, 80, 110 }
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00001600  : 0 [end]	element 00003500  : 0 [end]	element 00005000  : 0 [end]	element 00006e00  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp sport 22
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -127,6 +157,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp sport != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp sport { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -137,6 +177,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp sport != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp sport vmap { 25:accept, 28:drop }
 __map%d test-inet b
 __map%d test-inet 0
@@ -227,6 +277,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp sequence != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp sequence { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -237,6 +297,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp sequence != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp ackseq 42949672 drop
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -284,6 +354,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp ackseq != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 21000000  : 0 [end]	element 37000000  : 0 [end]	element 43000000  : 0 [end]	element 58000000  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp ackseq { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -294,6 +374,16 @@ inet test-inet input
   [ payload load 4b @ transport header + 8 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp ackseq != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 21000000  : 0 [end]	element 38000000  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 4b @ transport header + 8 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop
 __set%d test-inet 3
 __set%d test-inet 0
@@ -305,6 +395,17 @@ inet test-inet input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# tcp flags != { fin, urg, ecn, cwr} drop
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00000001  : 0 [end]	element 00000020  : 0 [end]	element 00000040  : 0 [end]	element 00000080  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 1b @ transport header + 13 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 drop ]
+
 # tcp flags cwr
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -366,6 +467,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 14 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp window != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 14 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp window { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -376,6 +487,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 14 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp window != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 14 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp checksum 23456 drop
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -423,6 +544,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 16 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp checksum != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp checksum { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -433,6 +564,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 16 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp checksum != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 16 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp urgptr 1234 accept
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -480,6 +621,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 18 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp urgptr != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 18 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp urgptr { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -490,6 +641,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 18 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# tcp urgptr != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 18 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # tcp doff 8
 inet test-inet input
   [ meta load l4proto => reg 1 ]
-- 
2.11.0.rc2

[PATCH nft 7/7] tests/py/{udp,udplite}: Unmark inverted set lookup

[Anatole Denis]

Signed-off-by: Anatole Denis <anatole@rezel.net>
---
 tests/py/inet/udp.t                    | 24 ++++-----
 tests/py/inet/udp.t.payload.inet       | 95 ++++++++++++++++++++++++++++++++++
 tests/py/inet/udp.t.payload.ip         | 95 ++++++++++++++++++++++++++++++++++
 tests/py/inet/udp.t.payload.ip6        | 95 ++++++++++++++++++++++++++++++++++
 tests/py/inet/udp.t.payload.netdev     | 95 ++++++++++++++++++++++++++++++++++
 tests/py/inet/udplite.t                | 14 ++---
 tests/py/inet/udplite.t.payload.inet   | 74 ++++++++++++++++++++++++++
 tests/py/inet/udplite.t.payload.ip     | 74 ++++++++++++++++++++++++++
 tests/py/inet/udplite.t.payload.ip6    | 74 ++++++++++++++++++++++++++
 tests/py/inet/udplite.t.payload.netdev | 74 ++++++++++++++++++++++++++
 10 files changed, 692 insertions(+), 22 deletions(-)

diff --git a/tests/py/inet/udp.t b/tests/py/inet/udp.t
index 060985c..2f16e6a 100644
--- a/tests/py/inet/udp.t
+++ b/tests/py/inet/udp.t
@@ -11,45 +11,39 @@ udp sport != 60 accept;ok
 udp sport 50-70 accept;ok
 udp sport != 50-60 accept;ok
 udp sport { 49, 50} drop;ok
-- udp sport != { 50, 60} accept;ok
-# BUG: invalid expression type set
-# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+udp sport != { 50, 60} accept;ok
 udp sport { 12-40};ok
-- udp sport != { 13-24};ok
+udp sport != { 13-24};ok
 
 udp dport 80 accept;ok
 udp dport != 60 accept;ok
 udp dport 70-75 accept;ok
 udp dport != 50-60 accept;ok
 udp dport { 49, 50} drop;ok
-- udp dport != { 50, 60} accept;ok
-# BUG: invalid expression type set
-# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+udp dport != { 50, 60} accept;ok
 udp dport { 70-75} accept;ok
-- udp dport != { 50-60} accept;ok
+udp dport != { 50-60} accept;ok
 
 udp length 6666;ok
 udp length != 6666;ok
 udp length 50-65 accept;ok
 udp length != 50-65 accept;ok
 udp length { 50, 65} accept;ok
-- udp length != { 50, 65} accept;ok
+udp length != { 50, 65} accept;ok
 udp length { 35-50};ok
-- udp length != { 35-50};ok
+udp length != { 35-50};ok
 
 udp checksum 6666 drop;ok
-- udp checksum != { 444, 555} accept;ok
-# BUG: invalid expression type set
-# nft: src/evaluate.c:975: expr_evaluate_relational: Assertion '0' failed.
+udp checksum != { 444, 555} accept;ok
 
 udp checksum 22;ok
 udp checksum != 233;ok
 udp checksum 33-45;ok
 udp checksum != 33-45;ok
 udp checksum { 33, 55, 67, 88};ok
-- udp checksum != { 33, 55, 67, 88};ok
+udp checksum != { 33, 55, 67, 88};ok
 udp checksum { 33-55};ok
-- udp checksum != { 33-55};ok
+udp checksum != { 33-55};ok
 
 # limit impact to lo
 iif "lo" udp checksum set 0;ok
diff --git a/tests/py/inet/udp.t.payload.inet b/tests/py/inet/udp.t.payload.inet
index 8fdffbf..ca27953 100644
--- a/tests/py/inet/udp.t.payload.inet
+++ b/tests/py/inet/udp.t.payload.inet
@@ -42,6 +42,17 @@ inet test-inet input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# udp sport != { 50, 60} accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00003200  : 0 [end]	element 00003c00  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp sport { 12-40}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -52,6 +63,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udp sport != { 13-24}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000d00  : 0 [end]	element 00001900  : 1 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udp dport 80 accept
 inet test-inet input 
   [ meta load l4proto => reg 1 ]
@@ -96,6 +117,17 @@ inet test-inet input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# udp dport != { 50, 60} accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00003200  : 0 [end]	element 00003c00  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp dport { 70-75} accept
 __set%d test-inet 7
 __set%d test-inet 0
@@ -107,6 +139,17 @@ inet test-inet input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# udp dport != { 50-60} accept
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00003200  : 0 [end]	element 00003d00  : 1 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp length 6666
 inet test-inet input 
   [ meta load l4proto => reg 1 ]
@@ -149,6 +192,17 @@ inet test-inet input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# udp length != { 50, 65} accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00003200  : 0 [end]	element 00004100  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp length { 35-50}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -159,6 +213,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udp length != { 35-50}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002300  : 0 [end]	element 00003300  : 1 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udp checksum 6666 drop
 inet test-inet input 
   [ meta load l4proto => reg 1 ]
@@ -167,6 +231,17 @@ inet test-inet input
   [ cmp eq reg 1 0x00000a1a ]
   [ immediate reg 0 drop ]
 
+# udp checksum != { 444, 555} accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 0000bc01  : 0 [end]	element 00002b02  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp checksum 22
 inet test-inet input 
   [ meta load l4proto => reg 1 ]
@@ -206,6 +281,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udp checksum != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udp checksum { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -216,6 +301,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udp checksum != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # iif "lo" udp checksum set 0
 inet test-inet input
   [ meta load iif => reg 1 ]
diff --git a/tests/py/inet/udp.t.payload.ip b/tests/py/inet/udp.t.payload.ip
index 1d41017..9f1d0c7 100644
--- a/tests/py/inet/udp.t.payload.ip
+++ b/tests/py/inet/udp.t.payload.ip
@@ -42,6 +42,17 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# udp sport != { 50, 60} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00003200  : 0 [end]	element 00003c00  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp sport { 12-40}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -52,6 +63,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udp sport != { 13-24}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00000d00  : 0 [end]	element 00001900  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udp dport 80 accept
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -96,6 +117,17 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# udp dport != { 50, 60} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00003200  : 0 [end]	element 00003c00  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp dport { 70-75} accept
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -107,6 +139,17 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# udp dport != { 50-60} accept
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00003200  : 0 [end]	element 00003d00  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp length 6666
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -149,6 +192,17 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# udp length != { 50, 65} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00003200  : 0 [end]	element 00004100  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp length { 35-50}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -159,6 +213,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udp length != { 35-50}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002300  : 0 [end]	element 00003300  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udp checksum 6666 drop
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -167,6 +231,17 @@ ip test-ip4 input
   [ cmp eq reg 1 0x00000a1a ]
   [ immediate reg 0 drop ]
 
+# udp checksum != { 444, 555} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 0000bc01  : 0 [end]	element 00002b02  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp checksum 22
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -206,6 +281,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udp checksum != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udp checksum { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -216,6 +301,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udp checksum != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # iif "lo" udp checksum set 0
 ip test-ip4 input
   [ meta load iif => reg 1 ]
diff --git a/tests/py/inet/udp.t.payload.ip6 b/tests/py/inet/udp.t.payload.ip6
index 17b6679..af17e1c 100644
--- a/tests/py/inet/udp.t.payload.ip6
+++ b/tests/py/inet/udp.t.payload.ip6
@@ -42,6 +42,17 @@ ip6 test-ip6 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# udp sport != { 50, 60} accept
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00003200  : 0 [end]	element 00003c00  : 0 [end]
+ip6 test-ip6 input 
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp sport { 12-40}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -52,6 +63,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udp sport != { 13-24}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00000d00  : 0 [end]	element 00001900  : 1 [end]
+ip6 test-ip6 input 
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udp dport 80 accept
 ip6 test-ip6 input 
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -96,6 +117,17 @@ ip6 test-ip6 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# udp dport != { 50, 60} accept
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00003200  : 0 [end]	element 00003c00  : 0 [end]
+ip6 test-ip6 input 
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp dport { 70-75} accept
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -107,6 +139,17 @@ ip6 test-ip6 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# udp dport != { 50-60} accept
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00003200  : 0 [end]	element 00003d00  : 1 [end]
+ip6 test-ip6 input 
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp length 6666
 ip6 test-ip6 input 
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -149,6 +192,17 @@ ip6 test-ip6 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# udp length != { 50, 65} accept
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00003200  : 0 [end]	element 00004100  : 0 [end]
+ip6 test-ip6 input 
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp length { 35-50}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -159,6 +213,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udp length != { 35-50}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00002300  : 0 [end]	element 00003300  : 1 [end]
+ip6 test-ip6 input 
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udp checksum 6666 drop
 ip6 test-ip6 input 
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -167,6 +231,17 @@ ip6 test-ip6 input
   [ cmp eq reg 1 0x00000a1a ]
   [ immediate reg 0 drop ]
 
+# udp checksum != { 444, 555} accept
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 0000bc01  : 0 [end]	element 00002b02  : 0 [end]
+ip6 test-ip6 input 
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp checksum 22
 ip6 test-ip6 input 
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -206,6 +281,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udp checksum != { 33, 55, 67, 88}
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input 
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udp checksum { 33-55}
 __set%d test-ip6 7
 __set%d test-ip6 0
@@ -216,6 +301,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udp checksum != { 33-55}
+__set%d test-ip6 7
+__set%d test-ip6 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip6 test-ip6 input 
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # iif "lo" udp checksum set 0
 ip6 test-ip6 input
   [ meta load iif => reg 1 ]
diff --git a/tests/py/inet/udp.t.payload.netdev b/tests/py/inet/udp.t.payload.netdev
index 9e93ae4..832c913 100644
--- a/tests/py/inet/udp.t.payload.netdev
+++ b/tests/py/inet/udp.t.payload.netdev
@@ -42,6 +42,17 @@ inet test-inet input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# udp sport != { 50, 60} accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00003200  : 0 [end]	element 00003c00  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp sport { 12-40}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -52,6 +63,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udp sport != { 13-24}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00000d00  : 0 [end]	element 00001900  : 1 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udp dport 80 accept
 inet test-inet input 
   [ meta load l4proto => reg 1 ]
@@ -96,6 +117,17 @@ inet test-inet input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# udp dport != { 50, 60} accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00003200  : 0 [end]	element 00003c00  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp dport { 70-75} accept
 __set%d test-inet 7
 __set%d test-inet 0
@@ -107,6 +139,17 @@ inet test-inet input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# udp dport != { 50-60} accept
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00003200  : 0 [end]	element 00003d00  : 1 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp length 6666
 inet test-inet input 
   [ meta load l4proto => reg 1 ]
@@ -149,6 +192,17 @@ inet test-inet input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# udp length != { 50, 65} accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00003200  : 0 [end]	element 00004100  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp length { 35-50}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -159,6 +213,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 4 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udp length != { 35-50}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002300  : 0 [end]	element 00003300  : 1 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 4 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udp checksum 6666 drop
 inet test-inet input 
   [ meta load l4proto => reg 1 ]
@@ -167,6 +231,17 @@ inet test-inet input
   [ cmp eq reg 1 0x00000a1a ]
   [ immediate reg 0 drop ]
 
+# udp checksum != { 444, 555} accept
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 0000bc01  : 0 [end]	element 00002b02  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udp checksum 22
 inet test-inet input 
   [ meta load l4proto => reg 1 ]
@@ -206,6 +281,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udp checksum != { 33, 55, 67, 88}
+__set%d test-inet 3
+__set%d test-inet 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udp checksum { 33-55}
 __set%d test-inet 7
 __set%d test-inet 0
@@ -216,6 +301,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udp checksum != { 33-55}
+__set%d test-inet 7
+__set%d test-inet 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # iif "lo" udp checksum set 0
 netdev test-netdev ingress
   [ meta load iif => reg 1 ]
diff --git a/tests/py/inet/udplite.t b/tests/py/inet/udplite.t
index 2800036..7c22acb 100644
--- a/tests/py/inet/udplite.t
+++ b/tests/py/inet/udplite.t
@@ -11,18 +11,18 @@ udplite sport != 60 accept;ok
 udplite sport 50-70 accept;ok
 udplite sport != 50-60 accept;ok
 udplite sport { 49, 50} drop;ok
-- udplite sport != { 50, 60} accept;ok
+udplite sport != { 49, 50} accept;ok
 udplite sport { 12-40};ok
-- udplite sport != { 13-24};ok
+udplite sport != { 12-40};ok
 
 udplite dport 80 accept;ok
 udplite dport != 60 accept;ok
 udplite dport 70-75 accept;ok
 udplite dport != 50-60 accept;ok
 udplite dport { 49, 50} drop;ok
-- udplite dport != { 50, 60} accept;ok
+udplite dport != { 49, 50} accept;ok
 udplite dport { 70-75} accept;ok
-- udplite dport != { 50-60} accept;ok
+udplite dport != { 70-75} accept;ok
 
 - udplite csumcov 6666;ok
 - udplite csumcov != 6666;ok
@@ -34,12 +34,12 @@ udplite dport { 70-75} accept;ok
 - udplite csumcov != { 35-50};ok
 
 udplite checksum 6666 drop;ok
-- udplite checksum != { 444, 555} accept;ok
+udplite checksum != { 444, 555} accept;ok
 udplite checksum 22;ok
 udplite checksum != 233;ok
 udplite checksum 33-45;ok
 udplite checksum != 33-45;ok
 udplite checksum { 33, 55, 67, 88};ok
-- udplite checksum != { 33, 55, 67, 88};ok
+udplite checksum != { 33, 55, 67, 88};ok
 udplite checksum { 33-55};ok
-- udplite checksum != { 33-55};ok
+udplite checksum != { 33-55};ok
diff --git a/tests/py/inet/udplite.t.payload.inet b/tests/py/inet/udplite.t.payload.inet
index ad2c970..eb3dc07 100644
--- a/tests/py/inet/udplite.t.payload.inet
+++ b/tests/py/inet/udplite.t.payload.inet
@@ -42,6 +42,17 @@ inet test-inet input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# udplite sport != { 49, 50} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00003100  : 0 [end]	element 00003200  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udplite sport { 12-40}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -52,6 +63,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udplite sport != { 12-40}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00000c00  : 0 [end]	element 00002900  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udplite dport 80 accept
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -96,6 +117,17 @@ inet test-inet input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# udplite dport != { 49, 50} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00003100  : 0 [end]	element 00003200  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udplite dport { 70-75} accept
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -107,6 +139,17 @@ inet test-inet input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# udplite dport != { 70-75} accept
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00004600  : 0 [end]	element 00004c00  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udplite checksum 6666 drop
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -115,6 +158,17 @@ inet test-inet input
   [ cmp eq reg 1 0x00000a1a ]
   [ immediate reg 0 drop ]
 
+# udplite checksum != { 444, 555} accept
+__set%d test-inet 3
+__set%d test-inet 0
+	element 0000bc01  : 0 [end]	element 00002b02  : 0 [end]
+inet test-inet input 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udplite checksum 22
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -154,6 +208,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udplite checksum != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udplite checksum { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -164,3 +228,13 @@ inet test-inet input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udplite checksum != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/udplite.t.payload.ip b/tests/py/inet/udplite.t.payload.ip
index 8321c23..c1ecc9d 100644
--- a/tests/py/inet/udplite.t.payload.ip
+++ b/tests/py/inet/udplite.t.payload.ip
@@ -42,6 +42,17 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# udplite sport != { 49, 50} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00003100  : 0 [end]	element 00003200  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udplite sport { 12-40}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -52,6 +63,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udplite sport != { 12-40}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00000c00  : 0 [end]	element 00002900  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udplite dport 80 accept
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -96,6 +117,17 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# udplite dport != { 49, 50} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00003100  : 0 [end]	element 00003200  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udplite dport { 70-75} accept
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -107,6 +139,17 @@ ip test-ip4 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# udplite dport != { 70-75} accept
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00004600  : 0 [end]	element 00004c00  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udplite checksum 6666 drop
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -115,6 +158,17 @@ ip test-ip4 input
   [ cmp eq reg 1 0x00000a1a ]
   [ immediate reg 0 drop ]
 
+# udplite checksum != { 444, 555} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 0000bc01  : 0 [end]	element 00002b02  : 0 [end]
+ip test-ip4 input 
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udplite checksum 22
 ip test-ip4 input
   [ payload load 1b @ network header + 9 => reg 1 ]
@@ -154,6 +208,16 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udplite checksum != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udplite checksum { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -164,3 +228,13 @@ ip test-ip4 input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udplite checksum != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip test-ip4 input
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/udplite.t.payload.ip6 b/tests/py/inet/udplite.t.payload.ip6
index dce215d..47f25cd 100644
--- a/tests/py/inet/udplite.t.payload.ip6
+++ b/tests/py/inet/udplite.t.payload.ip6
@@ -42,6 +42,17 @@ ip6 test-ip6 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# udplite sport != { 49, 50} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00003100  : 0 [end]	element 00003200  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udplite sport { 12-40}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -52,6 +63,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udplite sport != { 12-40}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00000c00  : 0 [end]	element 00002900  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udplite dport 80 accept
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -96,6 +117,17 @@ ip6 test-ip6 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# udplite dport != { 49, 50} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00003100  : 0 [end]	element 00003200  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udplite dport { 70-75} accept
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -107,6 +139,17 @@ ip6 test-ip6 input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# udplite dport != { 70-75} accept
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00004600  : 0 [end]	element 00004c00  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udplite checksum 6666 drop
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -115,6 +158,17 @@ ip6 test-ip6 input
   [ cmp eq reg 1 0x00000a1a ]
   [ immediate reg 0 drop ]
 
+# udplite checksum != { 444, 555} accept
+__set%d test-ip6 3
+__set%d test-ip6 0
+	element 0000bc01  : 0 [end]	element 00002b02  : 0 [end]
+ip6 test-ip6 input 
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udplite checksum 22
 ip6 test-ip6 input
   [ payload load 1b @ network header + 6 => reg 1 ]
@@ -154,6 +208,16 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udplite checksum != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udplite checksum { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -164,3 +228,13 @@ ip6 test-ip6 input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udplite checksum != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+ip6 test-ip6 input
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
diff --git a/tests/py/inet/udplite.t.payload.netdev b/tests/py/inet/udplite.t.payload.netdev
index ad2c970..565935a 100644
--- a/tests/py/inet/udplite.t.payload.netdev
+++ b/tests/py/inet/udplite.t.payload.netdev
@@ -42,6 +42,17 @@ inet test-inet input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# udplite sport != { 49, 50} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00003100  : 0 [end]	element 00003200  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udplite sport { 12-40}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -52,6 +63,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 0 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udplite sport != { 12-40}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00000c00  : 0 [end]	element 00002900  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 0 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udplite dport 80 accept
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -96,6 +117,17 @@ inet test-inet input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 drop ]
 
+# udplite dport != { 49, 50} accept
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00003100  : 0 [end]	element 00003200  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udplite dport { 70-75} accept
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -107,6 +139,17 @@ inet test-inet input
   [ lookup reg 1 set __set%d ]
   [ immediate reg 0 accept ]
 
+# udplite dport != { 70-75} accept
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00004600  : 0 [end]	element 00004c00  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udplite checksum 6666 drop
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -115,6 +158,17 @@ inet test-inet input
   [ cmp eq reg 1 0x00000a1a ]
   [ immediate reg 0 drop ]
 
+# udplite checksum != { 444, 555} accept
+__set%d test-netdev 3
+__set%d test-netdev 0
+	element 0000bc01  : 0 [end]	element 00002b02  : 0 [end]
+netdev test-netdev ingress 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+  [ immediate reg 0 accept ]
+
 # udplite checksum 22
 inet test-inet input
   [ meta load l4proto => reg 1 ]
@@ -154,6 +208,16 @@ inet test-inet input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udplite checksum != { 33, 55, 67, 88}
+__set%d test-ip4 3
+__set%d test-ip4 0
+	element 00002100  : 0 [end]	element 00003700  : 0 [end]	element 00004300  : 0 [end]	element 00005800  : 0 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
 # udplite checksum { 33-55}
 __set%d test-ip4 7
 __set%d test-ip4 0
@@ -164,3 +228,13 @@ inet test-inet input
   [ payload load 2b @ transport header + 6 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
+# udplite checksum != { 33-55}
+__set%d test-ip4 7
+__set%d test-ip4 0
+	element 00000000  : 1 [end]	element 00002100  : 0 [end]	element 00003800  : 1 [end]
+inet test-inet input
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000088 ]
+  [ payload load 2b @ transport header + 6 => reg 1 ]
+  [ lookup reg 1 set __set%d 0x1 ]
+
-- 
2.11.0.rc2

Re: [PATCH nft 1/7] Interpret OP_NEQ against a set as OP_LOOKUP

[Pablo Neira Ayuso]

On Thu, Nov 24, 2016 at 03:16:20PM +0100, Anatole Denis wrote:
> Now that the support for inverted matching is in the kernel and in libnftnl, add
> it to nftables too.
> 
> This fixes bug #888
> 
> Signed-off-by: Anatole Denis <anatole@rezel.net>
> ---
> This patch is heavily based off those of Yuxuan Shui from 2014
> (https://marc.info/?l=netfilter-devel&m=140682484411296)
> 
>  src/evaluate.c            | 14 ++++++++++++++
>  src/netlink_delinearize.c | 10 ++++++++++
>  src/netlink_linearize.c   | 14 +++++++++-----
>  3 files changed, 33 insertions(+), 5 deletions(-)
> 
> diff --git a/src/evaluate.c b/src/evaluate.c
> index 8b113c8..bb46615 100644
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -1541,6 +1541,20 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
>  			if (byteorder_conversion(ctx, &rel->right, left->byteorder) < 0)
>  				return -1;
>  			break;
> +		case EXPR_SET:
> +			assert(rel->op == OP_NEQ);
> +			right = rel->right =
> +				implicit_set_declaration(ctx, "__set%d",
> +							 left->dtype, left->len,
> +							 right);
> +			/* fall through */
> +		case EXPR_SET_REF:
> +			assert(rel->op == OP_NEQ);

Thanks for working on this.

I think we're almost there, we need a bit more code here to catch
these two error cases:

"the referenced set does not exist"

and

"datatype mismatch, expected %s, set has type %s"

See line 1481 in src/evaluate.c for the OP_LOOKUP case.

If I'm on the right track, please also test that these errors cases
work as intended.

Re : [PATCH nft 1/7] Interpret OP_NEQ against a set as OP_LOOKUP

[Anatole Denis]

Le 28/11/2016 12:39:05, Pablo Neira Ayuso a écrit :
> On Thu, Nov 24, 2016 at 03:16:20PM +0100, Anatole Denis wrote:
> > Now that the support for inverted matching is in the kernel and in
> libnftnl, add
> > it to nftables too.
> > 
> > This fixes bug #888
> > 
> > Signed-off-by: Anatole Denis <anatole@rezel.net>
> > ---
> > This patch is heavily based off those of Yuxuan Shui from 2014
> > (https://marc.info/?l=netfilter-devel&m=140682484411296)
> > 
> >  src/evaluate.c            | 14 ++++++++++++++
> >  src/netlink_delinearize.c | 10 ++++++++++
> >  src/netlink_linearize.c   | 14 +++++++++-----
> >  3 files changed, 33 insertions(+), 5 deletions(-)
> > 
> > diff --git a/src/evaluate.c b/src/evaluate.c
> > index 8b113c8..bb46615 100644
> > --- a/src/evaluate.c
> > +++ b/src/evaluate.c
> > @@ -1541,6 +1541,20 @@ static int expr_evaluate_relational(struct
> eval_ctx *ctx, struct expr **expr)
> >  			if (byteorder_conversion(ctx, &rel->right,
> left->byteorder) < 0)
> >  				return -1;
> >  			break;
> > +		case EXPR_SET:
> > +			assert(rel->op == OP_NEQ);
> > +			right = rel->right =
> > +				implicit_set_declaration(ctx,
> "__set%d",
> > +							 left->dtype, left->len,
> > +							 right);
> > +			/* fall through */
> > +		case EXPR_SET_REF:
> > +			assert(rel->op == OP_NEQ);
> 
> Thanks for working on this.
> 
> I think we're almost there, we need a bit more code here to catch
> these two error cases:
> 
> "the referenced set does not exist"

I believe this error is not the best way to handle this issue. I sent a patch to the list with a proposed change to catch it earlier, removing the need to check for it here. In case that other patch is refused, I will send v2 with this check added.

> 
> and
> 
> "datatype mismatch, expected %s, set has type %s"

This one is handled for OP_NEQ/OP_FLAGCMP in general at line 1526. The error messages are almost identical, the lookup one being "Error: datatype mismatch, expected %s, set has type %s" while the NEQ error is "Error: datatype mismatch, expected %s, expression has type %s" ("set" vs "expression").

> 
> See line 1481 in src/evaluate.c for the OP_LOOKUP case.
> 
> If I'm on the right track, please also test that these errors cases
> work as intended.
> 

The case for a lookup/inverse lookup into a nonexistent set is tested in ip/sets.t and ip6/sets. (somewhere in patches 3 and 4). I'll send a v2 of these tests with a test for datatype mismatch added.
Considering the previous remarks (and the other patches), do you think I still should change the error handling code ?

Re: Re : [PATCH nft 1/7] Interpret OP_NEQ against a set as OP_LOOKUP

[Pablo Neira Ayuso]

On Mon, Nov 28, 2016 at 05:49:58PM +0100, Anatole Denis wrote:
> Le 28/11/2016 12:39:05, Pablo Neira Ayuso a écrit :
[...]
> I believe this error is not the best way to handle this issue. I
> sent a patch to the list with a proposed change to catch it earlier,
> removing the need to check for it here. In case that other patch is
> refused, I will send v2 with this check added.

I see, you're refering to the patchset you sent later on.

[...]
> The case for a lookup/inverse lookup into a nonexistent set is
> tested in ip/sets.t and ip6/sets. (somewhere in patches 3 and 4).
> I'll send a v2 of these tests with a test for datatype mismatch
> added.

Send me a follow up patch for this if you think this can help us
increase test coverage, that will be appreciated.

> Considering the previous remarks (and the other patches), do
> you think I still should change the error handling code ?

I think this is fine so I applied your patchses. The check for
datatype == NULL was not going to the core of the problem indeed.

Thanks.

Re: [PATCH nft 1/7] Interpret OP_NEQ against a set as OP_LOOKUP

[Pablo Neira Ayuso]

On Thu, Nov 24, 2016 at 03:16:20PM +0100, Anatole Denis wrote:
> Now that the support for inverted matching is in the kernel and in libnftnl, add
> it to nftables too.
> 
> This fixes bug #888

Applied, thanks!