Add IPv6 support to signature header conditions.

- "src-ip" and "dst-ip" conditions can now use IPv6 addresses/subnets.
  They must be written in colon-hexadecimal representation and enclosed
  in square brackets (e.g. [fe80::1]).  Addresses #774.

- "icmp6" is now a valid protocol for use with "ip-proto" and "header"
  conditions.  This allows signatures to be written that can match
  against ICMPv6 payloads.  Addresses #880.

- "ip6" is now a valid protocol for use with the "header" condition.
  (also the "ip-proto" condition, but it results in a no-op in that
  case since signatures apply only to the inner-most IP packet when
  packets are tunneled).  This allows signatures to match specifically
  against IPv6 packets (whereas "ip" only matches against IPv4 packets).

- "ip-proto" conditions can now match against IPv6 packets.  Before,
  IPv6 packets were just silently ignored which meant DPD based on
  signatures did not function for IPv6 -- protocol analyzers would only
  get attached to a connection over IPv6 based on the well-known ports
  set in the "dpd_config" table.

doc/signatures.rst

@@ -83,9 +83,8 @@ Header Conditions
 ~~~~~~~~~~~~~~~~~
 
 Header conditions limit the applicability of the signature to a subset
-of traffic that contains matching packet headers. For TCP, this match
+of traffic that contains matching packet headers.  This type of matching
-is performed only for the first packet of a connection. For other
+is performed only for the first packet of a connection.
-protocols, it is done on each individual packet.
 
 There are pre-defined header conditions for some of the most used
 header fields. All of them generally have the format ``<keyword> <cmp>
@@ -95,14 +94,22 @@ one of ``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``; and
 against. The following keywords are defined:
 
 ``src-ip``/``dst-ip <cmp> <address-list>``
-    Source and destination address, respectively. Addresses can be
+    Source and destination address, respectively. Addresses can be given
-    given as IP addresses or CIDR masks.
+    as IPv4 or IPv6 addresses or CIDR masks.  For IPv6 addresses/masks
+    the colon-hexadecimal representation of the address must be enclosed
+    in square brackets (e.g. ``[fe80::1]`` or ``[fe80::0]/16``).
 
-``src-port``/``dst-port`` ``<int-list>``
+``src-port``/``dst-port <cmp> <int-list>``
     Source and destination port, respectively.
 
-``ip-proto tcp|udp|icmp``
+``ip-proto <cmp> tcp|udp|icmp|icmp6|ip|ip6``
-    IP protocol.
+    IPv4 header's Protocol field or the Next Header field of the final
+    IPv6 header (i.e. either Next Header field in the fixed IPv6 header
+    if no extension headers are present or that field from the last
+    extension header in the chain).  Note that the IP-in-IP forms of
+    tunneling are automatically decapsulated by default and signatures
+    apply to only the inner-most packet, so specifying ``ip`` or ``ip6``
+    is a no-op.
 
 For lists of multiple values, they are sequentially compared against
 the corresponding header field. If at least one of the comparisons
@@ -116,20 +123,22 @@ condition can be defined either as
 
     header <proto>[<offset>:<size>] [& <integer>] <cmp> <value-list>
 
-This compares the value found at the given position of the packet
+This compares the value found at the given position of the packet header
-header with a list of values. ``offset`` defines the position of the
+with a list of values. ``offset`` defines the position of the value
-value within the header of the protocol defined by ``proto`` (which
+within the header of the protocol defined by ``proto`` (which can be
-can be ``ip``, ``tcp``, ``udp`` or ``icmp``). ``size`` is either 1, 2,
+``ip``, ``ip6``, ``tcp``, ``udp``, ``icmp`` or ``icmp6``). ``size`` is
-or 4 and specifies the value to have a size of this many bytes. If the
+either 1, 2, or 4 and specifies the value to have a size of this many
-optional ``& <integer>`` is given, the packet's value is first masked
+bytes. If the optional ``& <integer>`` is given, the packet's value is
-with the integer before it is compared to the value-list. ``cmp`` is
+first masked with the integer before it is compared to the value-list.
-one of ``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``. ``value-list`` is
+``cmp`` is one of ``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``.
-a list of comma-separated integers similar to those described above.
+``value-list`` is a list of comma-separated integers similar to those
-The integers within the list may be followed by an additional ``/
+described above.  The integers within the list may be followed by an
-mask`` where ``mask`` is a value from 0 to 32. This corresponds to the
+additional ``/ mask`` where ``mask`` is a value from 0 to 32. This
-CIDR notation for netmasks and is translated into a corresponding
+corresponds to the CIDR notation for netmasks and is translated into a
-bitmask applied to the packet's value prior to the comparison (similar
+corresponding bitmask applied to the packet's value prior to the
-to the optional ``& integer``).
+comparison (similar to the optional ``& integer``).  IPv6 address values
+are not allowed in the value-list, though you can still inspect any 1,
+2, or 4 byte section of an IPv6 header using this keyword.
 
 Putting it all together, this is an example condition that is
 equivalent to ``dst-ip == 1.2.3.4/16, 5.6.7.8/24``:
@@ -138,8 +147,8 @@ equivalent to ``dst-ip == 1.2.3.4/16, 5.6.7.8/24``:
 
     header ip[16:4] == 1.2.3.4/16, 5.6.7.8/24
 
-Internally, the predefined header conditions are in fact just
+Note that the analogous example for IPv6 isn't currently possible since
-short-cuts and mapped into a generic condition.
+4 bytes is the max width of a value that can be compared.
 
 Content Conditions
 ~~~~~~~~~~~~~~~~~~

src/IPAddr.h

@@ -342,6 +342,21 @@ public:
 		return memcmp(&addr1.in6, &addr2.in6, sizeof(in6_addr)) < 0;
 		}
 
+	friend bool operator<=(const IPAddr& addr1, const IPAddr& addr2)
+		{
+		return addr1 < addr2 || addr1 == addr2;
+		}
+
+	friend bool operator>=(const IPAddr& addr1, const IPAddr& addr2)
+		{
+		return ! ( addr1 < addr2 );
+		}
+
+	friend bool operator>(const IPAddr& addr1, const IPAddr& addr2)
+		{
+		return ! ( addr1 <= addr2 );
+		}
+
 	/** Converts the address into the type used internally by the
 	  * inter-thread communication.
 	  */
@@ -583,6 +598,11 @@ public:
 		return net1.Prefix() == net2.Prefix() && net1.Length() == net2.Length();
 		}
 
+	friend bool operator!=(const IPPrefix& net1, const IPPrefix& net2)
+		{
+		return ! (net1 == net2);
+		}
+
 	/**
 	 * Comparison operator IP prefixes. This defines a well-defined order for
 	 * IP prefix. However, the order does not necessarily corresponding to their
@@ -600,6 +620,21 @@ public:
 			return false;
 		}
 
+	friend bool operator<=(const IPPrefix& net1, const IPPrefix& net2)
+		{
+		return net1 < net2 || net1 == net2;
+		}
+
+	friend bool operator>=(const IPPrefix& net1, const IPPrefix& net2)
+		{
+		return ! (net1 < net2 );
+		}
+
+	friend bool operator>(const IPPrefix& net1, const IPPrefix& net2)
+		{
+		return ! ( net1 <= net2 );
+		}
+
 private:
 	IPAddr prefix;	// We store it as an address with the non-prefix bits masked out via Mask().
 	uint8_t length;	// The bit length of the prefix relative to full IPv6 addr.

src/RuleMatcher.cc

@@ -1,4 +1,5 @@
 #include <algorithm>
+#include <functional>
 
 #include "config.h"
 
@@ -41,6 +42,23 @@ RuleHdrTest::RuleHdrTest(Prot arg_prot, uint32 arg_offset, uint32 arg_size,
 	level = 0;
 	}
 
+RuleHdrTest::RuleHdrTest(Prot arg_prot, Comp arg_comp, vector<IPPrefix> arg_v)
+	{
+	prot = arg_prot;
+	offset = 0;
+	size = 0;
+	comp = arg_comp;
+	vals = new maskedvalue_list;
+	prefix_vals = arg_v;
+	sibling = 0;
+	child = 0;
+	pattern_rules = 0;
+	pure_rules = 0;
+	ruleset = new IntSet;
+	id = ++idcounter;
+	level = 0;
+	}
+
 Val* RuleMatcher::BuildRuleStateValue(const Rule* rule,
 					const RuleEndpointState* state) const
 	{
@@ -63,6 +81,8 @@ RuleHdrTest::RuleHdrTest(RuleHdrTest& h)
 	loop_over_list(*h.vals, i)
 		vals->append(new MaskedValue(*(*h.vals)[i]));
 
+	prefix_vals = h.prefix_vals;
+
 	for ( int j = 0; j < Rule::TYPES; ++j )
 		{
 		loop_over_list(h.psets[j], k)
@@ -114,6 +134,10 @@ bool RuleHdrTest::operator==(const RuleHdrTest& h)
 		     (*vals)[i]->mask != (*h.vals)[i]->mask )
 			return false;
 
+	for ( size_t i = 0; i < prefix_vals.size(); ++i )
+		if ( ! (prefix_vals[i] == h.prefix_vals[i]) )
+			return false;
+
 	return true;
 	}
 
@@ -129,6 +153,9 @@ void RuleHdrTest::PrintDebug()
 		fprintf(stderr, " 0x%08x/0x%08x",
 				(*vals)[i]->val, (*vals)[i]->mask);
 
+	for ( size_t i = 0; i < prefix_vals.size(); ++i )
+		fprintf(stderr, " %s", prefix_vals[i].AsString().c_str());
+
 	fprintf(stderr, "\n");
 	}
 
@@ -410,29 +437,129 @@ static inline uint32 getval(const u_char* data, int size)
 	}
 
 
-// A line which can be inserted into the macros below for debugging
-// fprintf(stderr, "%.06f %08x & %08x %s %08x\n", network_time, v, (mvals)[i]->mask, #op, (mvals)[i]->val);
-
 // Evaluate a value list (matches if at least one value matches).
-#define DO_MATCH_OR( mvals, v, op )	\
+template <typename FuncT>
-	{	\
+static inline bool match_or(const maskedvalue_list& mvals, uint32 v, FuncT comp)
-	loop_over_list((mvals), i)	\
+	{
-		{	\
+	loop_over_list(mvals, i)
-		if ( ((v) & (mvals)[i]->mask) op (mvals)[i]->val )	\
+		{
-			goto match;	\
+		if ( comp(v & mvals[i]->mask, mvals[i]->val) )
-		}	\
+			return true;
-	goto no_match;	\
+		}
+	return false;
+	}
+
+// Evaluate a prefix list (matches if at least one value matches).
+template <typename FuncT>
+static inline bool match_or(const vector<IPPrefix>& prefixes, const IPAddr& a,
+                            FuncT comp)
+	{
+	for ( size_t i = 0; i < prefixes.size(); ++i )
+		{
+		IPAddr masked(a);
+		masked.Mask(prefixes[i].LengthIPv6());
+		if ( comp(masked, prefixes[i].Prefix()) )
+			return true;
+		}
+	return false;
 	}
 
 // Evaluate a value list (doesn't match if any value matches).
-#define DO_MATCH_NOT_AND( mvals, v, op )	\
+template <typename FuncT>
-	{	\
+static inline bool match_not_and(const maskedvalue_list& mvals, uint32 v,
-	loop_over_list((mvals), i)	\
+                                 FuncT comp)
-		{	\
+	{
-		if ( ((v) & (mvals)[i]->mask) op (mvals)[i]->val )	\
+	loop_over_list(mvals, i)
-			goto no_match;	\
+		{
-		}	\
+		if ( comp(v & mvals[i]->mask, mvals[i]->val) )
-	goto match;	\
+			return false;
+		}
+	return true;
+	}
+
+// Evaluate a prefix list (doesn't match if any value matches).
+template <typename FuncT>
+static inline bool match_not_and(const vector<IPPrefix>& prefixes,
+                                 const IPAddr& a, FuncT comp)
+	{
+	for ( size_t i = 0; i < prefixes.size(); ++i )
+		{
+		IPAddr masked(a);
+		masked.Mask(prefixes[i].LengthIPv6());
+		if ( comp(masked, prefixes[i].Prefix()) )
+			return false;
+		}
+	return true;
+	}
+
+static inline bool compare(const maskedvalue_list& mvals, uint32 v,
+                           RuleHdrTest::Comp comp)
+	{
+	switch ( comp ) {
+		case RuleHdrTest::EQ:
+			return match_or(mvals, v, std::equal_to<uint32>());
+			break;
+
+		case RuleHdrTest::NE:
+			return match_not_and(mvals, v, std::equal_to<uint32>());
+			break;
+
+		case RuleHdrTest::LT:
+			return match_or(mvals, v, std::less<uint32>());
+			break;
+
+		case RuleHdrTest::GT:
+			return match_or(mvals, v, std::greater<uint32>());
+			break;
+
+		case RuleHdrTest::LE:
+			return match_or(mvals, v, std::less_equal<uint32>());
+			break;
+
+		case RuleHdrTest::GE:
+			return match_or(mvals, v, std::greater_equal<uint32>());
+			break;
+
+		default:
+			reporter->InternalError("unknown comparison type");
+			break;
+	}
+	return false;
+	}
+
+static inline bool compare(const vector<IPPrefix>& prefixes, const IPAddr& a,
+                           RuleHdrTest::Comp comp)
+	{
+	switch ( comp ) {
+		case RuleHdrTest::EQ:
+			return match_or(prefixes, a, std::equal_to<IPAddr>());
+			break;
+
+		case RuleHdrTest::NE:
+			return match_not_and(prefixes, a, std::equal_to<IPAddr>());
+			break;
+
+		case RuleHdrTest::LT:
+			return match_or(prefixes, a, std::less<IPAddr>());
+			break;
+
+		case RuleHdrTest::GT:
+			return match_or(prefixes, a, std::greater<IPAddr>());
+			break;
+
+		case RuleHdrTest::LE:
+			return match_or(prefixes, a, std::less_equal<IPAddr>());
+			break;
+
+		case RuleHdrTest::GE:
+			return match_or(prefixes, a, std::greater_equal<IPAddr>());
+			break;
+
+		default:
+			reporter->InternalError("unknown comparison type");
+			break;
+	}
+	return false;
 	}
 
 RuleEndpointState* RuleMatcher::InitEndpoint(Analyzer* analyzer,
@@ -492,66 +619,52 @@ RuleEndpointState* RuleMatcher::InitEndpoint(Analyzer* analyzer,
 
 		if ( ip )
 			{
-			// Get start of transport layer.
-			const u_char* transport = ip->Payload();
-
 			// Descend the RuleHdrTest tree further.
 			for ( RuleHdrTest* h = hdr_test->child; h;
 			      h = h->sibling )
 				{
-				const u_char* data;
+				bool match = false;
 
 				// Evaluate the header test.
 				switch ( h->prot ) {
+				case RuleHdrTest::NEXT:
+					match = compare(*h->vals, ip->NextProto(), h->comp);
+					break;
+
 				case RuleHdrTest::IP:
-					data = (const u_char*) ip->IP4_Hdr();
+					if ( ! ip->IP4_Hdr() )
+						continue;
+					match = compare(*h->vals, getval((const u_char*)ip->IP4_Hdr() + h->offset, h->size), h->comp);
+					break;
+
+				case RuleHdrTest::IPv6:
+					if ( ! ip->IP6_Hdr() )
+						continue;
+					match = compare(*h->vals, getval((const u_char*)ip->IP6_Hdr() + h->offset, h->size), h->comp);
 					break;
 
 				case RuleHdrTest::ICMP:
+				case RuleHdrTest::ICMPv6:
 				case RuleHdrTest::TCP:
 				case RuleHdrTest::UDP:
-					data = transport;
+					match = compare(*h->vals, getval(ip->Payload() + h->offset, h->size), h->comp);
+					break;
+
+				case RuleHdrTest::IPSrc:
+					match = compare(h->prefix_vals, ip->IPHeaderSrcAddr(), h->comp);
+					break;
+
+				case RuleHdrTest::IPDst:
+					match = compare(h->prefix_vals, ip->IPHeaderDstAddr(), h->comp);
 					break;
 
 				default:
-					data = 0;
 					reporter->InternalError("unknown protocol");
+					break;
 				}
 
-				// ### data can be nil here if it's an
+				if ( match )
-				// IPv6 packet and we're doing an IP test.
+					tests.append(h);
-				if ( ! data )
-					continue;
-
-				// Sorry for the hidden gotos :-)
-				switch ( h->comp ) {
-					case RuleHdrTest::EQ:
-						DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), ==);
-
-					case RuleHdrTest::NE:
-						DO_MATCH_NOT_AND(*h->vals, getval(data + h->offset, h->size), ==);
-
-					case RuleHdrTest::LT:
-						DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), <);
-
-					case RuleHdrTest::GT:
-						DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), >);
-
-					case RuleHdrTest::LE:
-						DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), <=);
-
-					case RuleHdrTest::GE:
-						DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), >=);
-
-					default:
-						reporter->InternalError("unknown comparision type");
-				}
-
-no_match:
-				continue;
-
-match:
-				tests.append(h);
 				}
 			}
 		}
@@ -1050,8 +1163,11 @@ static Val* get_bro_val(const char* label)
 	}
 
 
-// Converts an atomic Val and appends it to the list
+// Converts an atomic Val and appends it to the list.  For subnet types,
-static bool val_to_maskedval(Val* v, maskedvalue_list* append_to)
+// if the prefix_vector param isn't null, appending to that is preferred
+// over appending to the masked val list.
+static bool val_to_maskedval(Val* v, maskedvalue_list* append_to,
+                             vector<IPPrefix>* prefix_vector)
 	{
 	MaskedValue* mval = new MaskedValue;
 
@@ -1071,29 +1187,37 @@ static bool val_to_maskedval(Val* v, maskedvalue_list* append_to)
 
 		case TYPE_SUBNET:
 			{
-			const uint32* n;
+			if ( prefix_vector )
-			uint32 m[4];
-			v->AsSubNet().Prefix().GetBytes(&n);
-			v->AsSubNetVal()->Mask().CopyIPv6(m);
-
-			for ( unsigned int i = 0; i < 4; ++i )
-				m[i] = ntohl(m[i]);
-
-			bool is_v4_mask = m[0] == 0xffffffff &&
-						m[1] == m[0] && m[2] == m[0];
-
-			if ( v->AsSubNet().Prefix().GetFamily() == IPv4 &&
-			     is_v4_mask )
 				{
-				mval->val = ntohl(*n);
+				prefix_vector->push_back(v->AsSubNet());
-				mval->mask = m[3];
+				delete mval;
+				return true;
 				}
-
 			else
 				{
-				rules_error("IPv6 subnets not supported");
+				const uint32* n;
-				mval->val = 0;
+				uint32 m[4];
-				mval->mask = 0;
+				v->AsSubNet().Prefix().GetBytes(&n);
+				v->AsSubNetVal()->Mask().CopyIPv6(m);
+
+				for ( unsigned int i = 0; i < 4; ++i )
+					m[i] = ntohl(m[i]);
+
+				bool is_v4_mask = m[0] == 0xffffffff &&
+				                          m[1] == m[0] && m[2] == m[0];
+
+
+				if ( v->AsSubNet().Prefix().GetFamily() == IPv4 && is_v4_mask )
+					{
+					mval->val = ntohl(*n);
+					mval->mask = m[3];
+					}
+				else
+					{
+					rules_error("IPv6 subnets not supported");
+					mval->val = 0;
+					mval->mask = 0;
+					}
 				}
 			}
 			break;
@@ -1108,7 +1232,8 @@ static bool val_to_maskedval(Val* v, maskedvalue_list* append_to)
 	return true;
 	}
 
-void id_to_maskedvallist(const char* id, maskedvalue_list* append_to)
+void id_to_maskedvallist(const char* id, maskedvalue_list* append_to,
+                         vector<IPPrefix>* prefix_vector)
 	{
 	Val* v = get_bro_val(id);
 	if ( ! v )
@@ -1118,7 +1243,7 @@ void id_to_maskedvallist(const char* id, maskedvalue_list* append_to)
 		{
 		val_list* vals = v->AsTableVal()->ConvertToPureList()->Vals();
 		loop_over_list(*vals, i )
-			if ( ! val_to_maskedval((*vals)[i], append_to) )
+			if ( ! val_to_maskedval((*vals)[i], append_to, prefix_vector) )
 			{
 				delete_vals(vals);
 				return;
@@ -1128,7 +1253,7 @@ void id_to_maskedvallist(const char* id, maskedvalue_list* append_to)
 		}
 
 	else
-		val_to_maskedval(v, append_to);
+		val_to_maskedval(v, append_to, prefix_vector);
 	}
 
 char* id_to_str(const char* id)

src/RuleMatcher.h

@@ -2,7 +2,9 @@
 #define sigs_h
 
 #include <limits.h>
+#include <vector>
 
+#include "IPAddr.h"
 #include "BroString.h"
 #include "List.h"
 #include "RE.h"
@@ -59,17 +61,19 @@ declare(PList, BroString);
 typedef PList(BroString) bstr_list;
 
 // Get values from Bro's script-level variables.
-extern void id_to_maskedvallist(const char* id, maskedvalue_list* append_to);
+extern void id_to_maskedvallist(const char* id, maskedvalue_list* append_to,
+                                vector<IPPrefix>* prefix_vector = 0);
 extern char* id_to_str(const char* id);
 extern uint32 id_to_uint(const char* id);
 
 class RuleHdrTest {
 public:
 	enum Comp { LE, GE, LT, GT, EQ, NE };
-	enum Prot { NOPROT, IP, ICMP, TCP, UDP };
+	enum Prot { NOPROT, IP, IPv6, ICMP, ICMPv6, TCP, UDP, NEXT, IPSrc, IPDst };
 
 	RuleHdrTest(Prot arg_prot, uint32 arg_offset, uint32 arg_size,
 			Comp arg_comp, maskedvalue_list* arg_vals);
+	RuleHdrTest(Prot arg_prot, Comp arg_comp, vector<IPPrefix> arg_v);
 	~RuleHdrTest();
 
 	void PrintDebug();
@@ -86,6 +90,7 @@ private:
 	Prot prot;
 	Comp comp;
 	maskedvalue_list* vals;
+	vector<IPPrefix> prefix_vals; // for use with IPSrc/IPDst comparisons
 	uint32 offset;
 	uint32 size;
 

src/rule-parse.y

@@ -1,13 +1,27 @@
 %{
 #include <stdio.h>
+#include <netinet/in.h>
+#include <vector>
+#include "config.h"
 #include "RuleMatcher.h"
 #include "Reporter.h"
+#include "IPAddr.h"
+#include "net_util.h"
 
 extern void begin_PS();
 extern void end_PS();
 
 Rule* current_rule = 0;
 const char* current_rule_file = 0;
+
+static uint8_t mask_to_len(uint32_t mask)
+	{
+	if ( mask == 0xffffffff ) return 32;
+	uint32_t x = ~mask + 1;
+	uint8_t len;
+	for ( len = 0; len < 32 && (! (x & (1<<len))); ++len );
+	return len;
+	}
 %}
 
 %token TOK_COMP
@@ -21,6 +35,7 @@ const char* current_rule_file = 0;
 %token TOK_IDENT
 %token TOK_INT
 %token TOK_IP
+%token TOK_IP6
 %token TOK_IP_OPTIONS
 %token TOK_IP_OPTION_SYM
 %token TOK_IP_PROTO
@@ -49,7 +64,9 @@ const char* current_rule_file = 0;
 %type <hdr_test> hdr_expr
 %type <range> range rangeopt
 %type <vallist> value_list
+%type <prefix_val_list> prefix_value_list
 %type <mval> TOK_IP value
+%type <prefixval> TOK_IP6 prefix_value
 %type <prot> TOK_PROT
 %type <ptype> TOK_PATTERN_TYPE
 
@@ -57,6 +74,8 @@ const char* current_rule_file = 0;
 	Rule* rule;
 	RuleHdrTest* hdr_test;
 	maskedvalue_list* vallist;
+	vector<IPPrefix>* prefix_val_list;
+	IPPrefix* prefixval;
 
 	bool bl;
 	int val;
@@ -91,11 +110,11 @@ rule_attr_list:
 	;
 
 rule_attr:
-		TOK_DST_IP TOK_COMP value_list
+		TOK_DST_IP TOK_COMP prefix_value_list
 			{
 			current_rule->AddHdrTest(new RuleHdrTest(
-				RuleHdrTest::IP, 16, 4,
+				RuleHdrTest::IPDst,
-				(RuleHdrTest::Comp) $2, $3));
+				(RuleHdrTest::Comp) $2, *($3)));
 			}
 
 	|	TOK_DST_PORT TOK_COMP value_list
@@ -123,10 +142,14 @@ rule_attr:
 			{
 			int proto = 0;
 			switch ( $3 ) {
-			case RuleHdrTest::ICMP: proto = 1; break;
+			case RuleHdrTest::ICMP: proto = IPPROTO_ICMP; break;
+			case RuleHdrTest::ICMPv6: proto = IPPROTO_ICMPV6; break;
+			// signature matching against outer packet headers of IP-in-IP
+			// tunneling not supported, so do a no-op there
 			case RuleHdrTest::IP: proto = 0; break;
-			case RuleHdrTest::TCP: proto = 6; break;
+			case RuleHdrTest::IPv6: proto = 0; break;
-			case RuleHdrTest::UDP: proto = 17; break;
+			case RuleHdrTest::TCP: proto = IPPROTO_TCP; break;
+			case RuleHdrTest::UDP: proto = IPPROTO_UDP; break;
 			default:
 				rules_error("internal_error: unknown protocol");
 			}
@@ -140,16 +163,20 @@ rule_attr:
 				val->mask = 0xffffffff;
 				vallist->append(val);
 
+				// offset & size params are dummies, actual next proto value in
+				// header is retrieved dynamically via IP_Hdr::NextProto()
 				current_rule->AddHdrTest(new RuleHdrTest(
-					RuleHdrTest::IP, 9, 1,
+					RuleHdrTest::NEXT, 0, 0,
 					(RuleHdrTest::Comp) $2, vallist));
 				}
 			}
 
 	|	TOK_IP_PROTO TOK_COMP value_list
 			{
+			// offset & size params are dummies, actual next proto value in
+			// header is retrieved dynamically via IP_Hdr::NextProto()
 			current_rule->AddHdrTest(new RuleHdrTest(
-				RuleHdrTest::IP, 9, 1,
+				RuleHdrTest::NEXT, 0, 0,
 				(RuleHdrTest::Comp) $2, $3));
 			}
 
@@ -193,11 +220,11 @@ rule_attr:
 	|	TOK_SAME_IP
 			{ current_rule->AddCondition(new RuleConditionSameIP()); }
 
-	|	TOK_SRC_IP TOK_COMP value_list
+	|	TOK_SRC_IP TOK_COMP prefix_value_list
 			{
 			current_rule->AddHdrTest(new RuleHdrTest(
-				RuleHdrTest::IP, 12, 4,
+				RuleHdrTest::IPSrc,
-				(RuleHdrTest::Comp) $2, $3));
+				(RuleHdrTest::Comp) $2, *($3)));
 			}
 
 	|	TOK_SRC_PORT TOK_COMP value_list
@@ -254,6 +281,38 @@ value_list:
 			}
 	;
 
+prefix_value_list:
+		prefix_value_list ',' prefix_value
+			{
+			$$ = $1;
+			$$->push_back(*($3));
+			}
+	|	prefix_value_list ',' TOK_IDENT
+			{
+			$$ = $1;
+			id_to_maskedvallist($3, 0, $1);
+			}
+	|	prefix_value
+			{
+			$$ = new vector<IPPrefix>();
+			$$->push_back(*($1));
+			}
+	|	TOK_IDENT
+			{
+			$$ = new vector<IPPrefix>();
+			id_to_maskedvallist($1, 0, $$);
+			}
+	;
+
+prefix_value:
+		TOK_IP
+			{
+			$$ = new IPPrefix(IPAddr(IPv4, &($1.val), IPAddr::Host),
+			                  mask_to_len($1.mask));
+			}
+	|	TOK_IP6
+	;
+
 value:
 		TOK_INT
 			{ $$.val = $1; $$.mask = 0xffffffff; }

src/rule-scan.l

@@ -1,24 +1,37 @@
 %{
-typedef unsigned int uint32;
-
 #include <string.h>
+#include <string>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include "RuleMatcher.h"
+#include "IPAddr.h"
+#include "util.h"
 #include "rule-parse.h"
 
 int rules_line_number = 0;
+
+static string extract_ipv6(string s)
+	{
+	if ( s.substr(0, 3) == "[0x" )
+		s = s.substr(3, s.find("]") - 3);
+	else
+		s = s.substr(1, s.find("]") - 1);
+	return s;
+	}
 %}
 
 %x PS
 
+OWS	[ \t]*
 WS	[ \t]+
 D	[0-9]+
 H	[0-9a-fA-F]+
+HEX {H}
 STRING	\"([^\n\"]|\\\")*\"
 ID	([0-9a-zA-Z_-]+::)*[0-9a-zA-Z_-]+
+IP6	("["({HEX}:){7}{HEX}"]")|("["0x{HEX}({HEX}|:)*"::"({HEX}|:)*"]")|("["({HEX}|:)*"::"({HEX}|:)*"]")|("["({HEX}|:)*"::"({HEX}|:)*({D}"."){3}{D}"]")
 RE	\/(\\\/)?([^/]|[^\\]\\\/)*\/
 META	\.[^ \t]+{WS}[^\n]+
 PID	([0-9a-zA-Z_-]|"::")+
@@ -34,6 +47,19 @@ PID	([0-9a-zA-Z_-]|"::")+
 	\n	++rules_line_number;
 }
 
+{IP6}	{
+	rules_lval.prefixval = new IPPrefix(IPAddr(extract_ipv6(yytext)), 128);
+	return TOK_IP6;
+	}
+
+{IP6}{OWS}"/"{OWS}{D}	{
+	char* l = strchr(yytext, '/');
+	*l++ = '\0';
+	int len = atoi(l);
+	rules_lval.prefixval = new IPPrefix(IPAddr(extract_ipv6(yytext)), len);
+	return TOK_IP6;
+	}
+
 [!\]\[{}&:,]	return rules_text[0];
 
 "<="	{ rules_lval.val = RuleHdrTest::LE; return TOK_COMP; }
@@ -45,7 +71,9 @@ PID	([0-9a-zA-Z_-]|"::")+
 "!="	{ rules_lval.val = RuleHdrTest::NE; return TOK_COMP; }
 
 ip	{ rules_lval.val = RuleHdrTest::IP; return TOK_PROT; }
+ip6	{ rules_lval.val = RuleHdrTest::IPv6; return TOK_PROT; }
 icmp	{ rules_lval.val = RuleHdrTest::ICMP; return TOK_PROT; }
+icmp6	{ rules_lval.val = RuleHdrTest::ICMPv6; return TOK_PROT; }
 tcp	{ rules_lval.val = RuleHdrTest::TCP; return TOK_PROT; }
 udp	{ rules_lval.val = RuleHdrTest::UDP; return TOK_PROT; }
 
@@ -123,7 +151,7 @@ http	{ rules_lval.val = Rule::HTTP_REQUEST; return TOK_PATTERN_TYPE; }
 ftp	{ rules_lval.val = Rule::FTP; return TOK_PATTERN_TYPE; }
 finger	{ rules_lval.val = Rule::FINGER; return TOK_PATTERN_TYPE; }
 
-{D}("."{D}){3}"/"{D}	{
+{D}("."{D}){3}{OWS}"/"{OWS}{D}	{
 	char* s = strchr(yytext, '/');
 	*s++ = '\0';
 

testing/btest/Baseline/signatures.dpd/dpd-ipv4.out

@@ -0,0 +1,79 @@
+dpd_config, {
+
+}
+signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client
+ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
+ftp_request 141.142.220.235:50003 - USER anonymous
+ftp_reply 199.233.217.249:21 - 331 Guest login ok, type your name as password.
+signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_server
+ftp_request 141.142.220.235:50003 - PASS test
+ftp_reply 199.233.217.249:21 - 230 
+ftp_reply 199.233.217.249:21 - 0     The NetBSD Project FTP Server located in Redwood City, CA, USA
+ftp_reply 199.233.217.249:21 - 0     1 Gbps connectivity courtesy of                          ,        ,
+ftp_reply 199.233.217.249:21 - 0     Internet Systems Consortium                 WELCOME!    /(        )`
+ftp_reply 199.233.217.249:21 - 0                                                             \ \___   / |
+ftp_reply 199.233.217.249:21 - 0       +--- Currently Supported Platforms ----+              /- _  `-/  '
+ftp_reply 199.233.217.249:21 - 0       |  acorn[26,32], algor, alpha, amd64,  |             (/\/ \ \   /\
+ftp_reply 199.233.217.249:21 - 0       |   amiga[,ppc], arc, atari, bebox,    |             / /   | `    \
+ftp_reply 199.233.217.249:21 - 0       |   cats, cesfic, cobalt, dreamcast,   |             O O   ) /    |
+ftp_reply 199.233.217.249:21 - 0       |  evb[arm,mips,ppc,sh3], hp[300,700], |             `-^--'`<     '
+ftp_reply 199.233.217.249:21 - 0       |       hpc[arm,mips,sh], i386,        |            (_.)  _  )   /
+ftp_reply 199.233.217.249:21 - 0       |      ibmnws, iyonix, luna68k,        |              .___/`    /
+ftp_reply 199.233.217.249:21 - 0       |    mac[m68k,ppc], mipsco, mmeye,     |               `-----' /
+ftp_reply 199.233.217.249:21 - 0       |      mvme[m68k,ppc], netwinders,     |  <----.     __ / __   \
+ftp_reply 199.233.217.249:21 - 0       |   news[m68k,mips], next68k, ofppc,   |  <----|====O)))==) \) /====
+ftp_reply 199.233.217.249:21 - 0       | playstation2, pmax, prep, sandpoint, |  <----'    `--' `.__,' \
+ftp_reply 199.233.217.249:21 - 0       |  sbmips, sgimips, shark, sparc[,64], |               |        |
+ftp_reply 199.233.217.249:21 - 0       |      sun[2,3], vax, x68k, xen        |                \       /
+ftp_reply 199.233.217.249:21 - 0       +--------------------------------------+           ______( (_  / \_____
+ftp_reply 199.233.217.249:21 - 0       See our website at http://www.NetBSD.org/        ,'  ,-----'   |       \
+ftp_reply 199.233.217.249:21 - 0        We log all FTP transfers and commands.          `--{__________)  (FL) \/
+ftp_reply 199.233.217.249:21 - 0 230-
+ftp_reply 199.233.217.249:21 - 0     EXPORT NOTICE
+ftp_reply 199.233.217.249:21 - 0     
+ftp_reply 199.233.217.249:21 - 0     Please note that portions of this FTP site contain cryptographic
+ftp_reply 199.233.217.249:21 - 0     software controlled under the Export Administration Regulations (EAR).
+ftp_reply 199.233.217.249:21 - 0     
+ftp_reply 199.233.217.249:21 - 0     None of this software may be downloaded or otherwise exported or
+ftp_reply 199.233.217.249:21 - 0     re-exported into (or to a national or resident of) Cuba, Iran, Libya,
+ftp_reply 199.233.217.249:21 - 0     Sudan, North Korea, Syria or any other country to which the U.S. has
+ftp_reply 199.233.217.249:21 - 0     embargoed goods.
+ftp_reply 199.233.217.249:21 - 0     
+ftp_reply 199.233.217.249:21 - 0     By downloading or using said software, you are agreeing to the
+ftp_reply 199.233.217.249:21 - 0     foregoing and you are representing and warranting that you are not
+ftp_reply 199.233.217.249:21 - 0     located in, under the control of, or a national or resident of any
+ftp_reply 199.233.217.249:21 - 0     such country or on any such list.
+ftp_reply 199.233.217.249:21 - 230 Guest login ok, access restrictions apply.
+ftp_request 141.142.220.235:50003 - SYST 
+ftp_reply 199.233.217.249:21 - 215 UNIX Type: L8 Version: NetBSD-ftpd 20100320
+ftp_request 141.142.220.235:50003 - PASV 
+ftp_reply 199.233.217.249:21 - 227 Entering Passive Mode (199,233,217,249,221,90)
+ftp_request 141.142.220.235:50003 - LIST 
+ftp_reply 199.233.217.249:21 - 150 Opening ASCII mode data connection for '/bin/ls'.
+ftp_reply 199.233.217.249:21 - 226 Transfer complete.
+ftp_request 141.142.220.235:50003 - TYPE I
+ftp_reply 199.233.217.249:21 - 200 Type set to I.
+ftp_request 141.142.220.235:50003 - PASV 
+ftp_reply 199.233.217.249:21 - 227 Entering Passive Mode (199,233,217,249,221,91)
+ftp_request 141.142.220.235:50003 - RETR robots.txt
+ftp_reply 199.233.217.249:21 - 150 Opening BINARY mode data connection for 'robots.txt' (77 bytes).
+ftp_reply 199.233.217.249:21 - 226 Transfer complete.
+ftp_request 141.142.220.235:50003 - TYPE A
+ftp_reply 199.233.217.249:21 - 200 Type set to A.
+ftp_request 141.142.220.235:50003 - PORT 141,142,220,235,131,46
+ftp_reply 199.233.217.249:21 - 200 PORT command successful.
+ftp_request 141.142.220.235:50003 - LIST 
+ftp_reply 199.233.217.249:21 - 150 Opening ASCII mode data connection for '/bin/ls'.
+ftp_reply 199.233.217.249:21 - 226 Transfer complete.
+ftp_request 141.142.220.235:50003 - TYPE I
+ftp_reply 199.233.217.249:21 - 200 Type set to I.
+ftp_request 141.142.220.235:50003 - PORT 141,142,220,235,147,203
+ftp_reply 199.233.217.249:21 - 200 PORT command successful.
+ftp_request 141.142.220.235:50003 - RETR robots.txt
+ftp_reply 199.233.217.249:21 - 150 Opening BINARY mode data connection for 'robots.txt' (77 bytes).
+ftp_reply 199.233.217.249:21 - 226 Transfer complete.
+ftp_request 141.142.220.235:50003 - QUIT 
+ftp_reply 199.233.217.249:21 - 221 
+ftp_reply 199.233.217.249:21 - 0     Data traffic for this session was 154 bytes in 2 files.
+ftp_reply 199.233.217.249:21 - 0     Total traffic for this session was 4037 bytes in 4 transfers.
+ftp_reply 199.233.217.249:21 - 221 Thank you for using the FTP service on ftp.NetBSD.org.

testing/btest/Baseline/signatures.dpd/dpd-ipv6.out

@@ -0,0 +1,100 @@
+dpd_config, {
+
+}
+signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client
+ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous
+ftp_reply [2001:470:4867:99::21]:21 - 331 Guest login ok, type your name as password.
+signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_server
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - PASS test
+ftp_reply [2001:470:4867:99::21]:21 - 230 
+ftp_reply [2001:470:4867:99::21]:21 - 0     The NetBSD Project FTP Server located in Redwood City, CA, USA
+ftp_reply [2001:470:4867:99::21]:21 - 0     1 Gbps connectivity courtesy of                          ,        ,
+ftp_reply [2001:470:4867:99::21]:21 - 0     Internet Systems Consortium                 WELCOME!    /(        )`
+ftp_reply [2001:470:4867:99::21]:21 - 0                                                             \ \___   / |
+ftp_reply [2001:470:4867:99::21]:21 - 0       +--- Currently Supported Platforms ----+              /- _  `-/  '
+ftp_reply [2001:470:4867:99::21]:21 - 0       |  acorn[26,32], algor, alpha, amd64,  |             (/\/ \ \   /\
+ftp_reply [2001:470:4867:99::21]:21 - 0       |   amiga[,ppc], arc, atari, bebox,    |             / /   | `    \
+ftp_reply [2001:470:4867:99::21]:21 - 0       |   cats, cesfic, cobalt, dreamcast,   |             O O   ) /    |
+ftp_reply [2001:470:4867:99::21]:21 - 0       |  evb[arm,mips,ppc,sh3], hp[300,700], |             `-^--'`<     '
+ftp_reply [2001:470:4867:99::21]:21 - 0       |       hpc[arm,mips,sh], i386,        |            (_.)  _  )   /
+ftp_reply [2001:470:4867:99::21]:21 - 0       |      ibmnws, iyonix, luna68k,        |              .___/`    /
+ftp_reply [2001:470:4867:99::21]:21 - 0       |    mac[m68k,ppc], mipsco, mmeye,     |               `-----' /
+ftp_reply [2001:470:4867:99::21]:21 - 0       |      mvme[m68k,ppc], netwinders,     |  <----.     __ / __   \
+ftp_reply [2001:470:4867:99::21]:21 - 0       |   news[m68k,mips], next68k, ofppc,   |  <----|====O)))==) \) /====
+ftp_reply [2001:470:4867:99::21]:21 - 0       | playstation2, pmax, prep, sandpoint, |  <----'    `--' `.__,' \
+ftp_reply [2001:470:4867:99::21]:21 - 0       |  sbmips, sgimips, shark, sparc[,64], |               |        |
+ftp_reply [2001:470:4867:99::21]:21 - 0       |      sun[2,3], vax, x68k, xen        |                \       /
+ftp_reply [2001:470:4867:99::21]:21 - 0       +--------------------------------------+           ______( (_  / \_____
+ftp_reply [2001:470:4867:99::21]:21 - 0       See our website at http://www.NetBSD.org/        ,'  ,-----'   |       \
+ftp_reply [2001:470:4867:99::21]:21 - 0        We log all FTP transfers and commands.          `--{__________)  (FL) \/
+ftp_reply [2001:470:4867:99::21]:21 - 0 230-
+ftp_reply [2001:470:4867:99::21]:21 - 0     EXPORT NOTICE
+ftp_reply [2001:470:4867:99::21]:21 - 0     
+ftp_reply [2001:470:4867:99::21]:21 - 0     Please note that portions of this FTP site contain cryptographic
+ftp_reply [2001:470:4867:99::21]:21 - 0     software controlled under the Export Administration Regulations (EAR).
+ftp_reply [2001:470:4867:99::21]:21 - 0     
+ftp_reply [2001:470:4867:99::21]:21 - 0     None of this software may be downloaded or otherwise exported or
+ftp_reply [2001:470:4867:99::21]:21 - 0     re-exported into (or to a national or resident of) Cuba, Iran, Libya,
+ftp_reply [2001:470:4867:99::21]:21 - 0     Sudan, North Korea, Syria or any other country to which the U.S. has
+ftp_reply [2001:470:4867:99::21]:21 - 0     embargoed goods.
+ftp_reply [2001:470:4867:99::21]:21 - 0     
+ftp_reply [2001:470:4867:99::21]:21 - 0     By downloading or using said software, you are agreeing to the
+ftp_reply [2001:470:4867:99::21]:21 - 0     foregoing and you are representing and warranting that you are not
+ftp_reply [2001:470:4867:99::21]:21 - 0     located in, under the control of, or a national or resident of any
+ftp_reply [2001:470:4867:99::21]:21 - 0     such country or on any such list.
+ftp_reply [2001:470:4867:99::21]:21 - 230 Guest login ok, access restrictions apply.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - SYST 
+ftp_reply [2001:470:4867:99::21]:21 - 215 UNIX Type: L8 Version: NetBSD-ftpd 20100320
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - FEAT 
+ftp_reply [2001:470:4867:99::21]:21 - 211 Features supported
+ftp_reply [2001:470:4867:99::21]:21 - 0  MDTM
+ftp_reply [2001:470:4867:99::21]:21 - 0  MLST Type*;Size*;Modify*;Perm*;Unique*;
+ftp_reply [2001:470:4867:99::21]:21 - 0  REST STREAM
+ftp_reply [2001:470:4867:99::21]:21 - 0  SIZE
+ftp_reply [2001:470:4867:99::21]:21 - 0  TVFS
+ftp_reply [2001:470:4867:99::21]:21 - 211 End
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - PWD 
+ftp_reply [2001:470:4867:99::21]:21 - 257 "/" is the current directory.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - EPSV 
+ftp_reply [2001:470:4867:99::21]:21 - 229 Entering Extended Passive Mode (|||57086|)
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - LIST 
+ftp_reply [2001:470:4867:99::21]:21 - 150 Opening ASCII mode data connection for '/bin/ls'.
+ftp_reply [2001:470:4867:99::21]:21 - 226 Transfer complete.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - EPSV 
+ftp_reply [2001:470:4867:99::21]:21 - 229 Entering Extended Passive Mode (|||57087|)
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - NLST 
+ftp_reply [2001:470:4867:99::21]:21 - 150 Opening ASCII mode data connection for 'file list'.
+ftp_reply [2001:470:4867:99::21]:21 - 226 Transfer complete.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - TYPE I
+ftp_reply [2001:470:4867:99::21]:21 - 200 Type set to I.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - SIZE robots.txt
+ftp_reply [2001:470:4867:99::21]:21 - 213 77
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - EPSV 
+ftp_reply [2001:470:4867:99::21]:21 - 229 Entering Extended Passive Mode (|||57088|)
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - RETR robots.txt
+ftp_reply [2001:470:4867:99::21]:21 - 150 Opening BINARY mode data connection for 'robots.txt' (77 bytes).
+ftp_reply [2001:470:4867:99::21]:21 - 226 Transfer complete.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - MDTM robots.txt
+ftp_reply [2001:470:4867:99::21]:21 - 213 20090816112038
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - SIZE robots.txt
+ftp_reply [2001:470:4867:99::21]:21 - 213 77
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - EPRT |2|2001:470:1f11:81f:c999:d94:aa7c:2e3e|49189|
+ftp_reply [2001:470:4867:99::21]:21 - 200 EPRT command successful.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - RETR robots.txt
+ftp_reply [2001:470:4867:99::21]:21 - 150 Opening BINARY mode data connection for 'robots.txt' (77 bytes).
+ftp_reply [2001:470:4867:99::21]:21 - 226 Transfer complete.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - MDTM robots.txt
+ftp_reply [2001:470:4867:99::21]:21 - 213 20090816112038
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - TYPE A
+ftp_reply [2001:470:4867:99::21]:21 - 200 Type set to A.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - EPRT |2|2001:470:1f11:81f:c999:d94:aa7c:2e3e|49190|
+ftp_reply [2001:470:4867:99::21]:21 - 200 EPRT command successful.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - LIST 
+ftp_reply [2001:470:4867:99::21]:21 - 150 Opening ASCII mode data connection for '/bin/ls'.
+ftp_reply [2001:470:4867:99::21]:21 - 226 Transfer complete.
+ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - QUIT 
+ftp_reply [2001:470:4867:99::21]:21 - 221 
+ftp_reply [2001:470:4867:99::21]:21 - 0     Data traffic for this session was 154 bytes in 2 files.
+ftp_reply [2001:470:4867:99::21]:21 - 0     Total traffic for this session was 4512 bytes in 5 transfers.
+ftp_reply [2001:470:4867:99::21]:21 - 221 Thank you for using the FTP service on ftp.NetBSD.org.

testing/btest/Baseline/signatures.dpd/nosig-ipv4.out

@@ -0,0 +1,3 @@
+dpd_config, {
+
+}

testing/btest/Baseline/signatures.dpd/nosig-ipv6.out

@@ -0,0 +1,3 @@
+dpd_config, {
+
+}

testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-eq-list.out

@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-eq-list

testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-eq.out

@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-eq

testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-ne-list.out

@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-ne-list

testing/btest/Baseline/signatures.dst-ip-header-condition-v4-masks/dst-ip-ne.out

@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-ne

testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-eq-list.out

@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-eq-list

testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-eq.out

@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-eq

testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-ne-list.out

@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-ne-list

testing/btest/Baseline/signatures.dst-ip-header-condition-v4/dst-ip-ne.out

@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-ne

testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-eq-list.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-eq-list

testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-eq.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-eq

testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-ne-list.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-ne-list

testing/btest/Baseline/signatures.dst-ip-header-condition-v6-masks/dst-ip-ne.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-ne

testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-eq-list.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-eq-list

testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-eq.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-eq

testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-ne-list.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-ne-list

testing/btest/Baseline/signatures.dst-ip-header-condition-v6/dst-ip-ne.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-ne

testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-eq-ip6.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-eq

testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-eq-list.out

@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - dst-port-eq-list

testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-eq.out

@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - dst-port-eq

testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-gt.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-gt

testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-gte1.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-gte1

testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-gte2.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-gte2

testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-lt.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-lt

testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-lte1.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-lte1

testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-lte2.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-lte2

testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-ne-list.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-ne-list

testing/btest/Baseline/signatures.dst-port-header-condition/dst-port-ne.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-ne

testing/btest/Baseline/signatures.header-header-condition/icmp.out

@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - icmp

testing/btest/Baseline/signatures.header-header-condition/icmp6.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=128/icmp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=129/icmp] - icmp6

testing/btest/Baseline/signatures.header-header-condition/ip-mask.out

@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - ip-mask

testing/btest/Baseline/signatures.header-header-condition/ip.out

@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - ip

testing/btest/Baseline/signatures.header-header-condition/ip6.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - ip6

testing/btest/Baseline/signatures.header-header-condition/tcp.out

@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/tcp, resp_h=127.0.0.1, resp_p=80/tcp] - tcp

testing/btest/Baseline/signatures.header-header-condition/udp.out

@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - udp

testing/btest/Baseline/signatures.header-header-condition/val-mask.out

@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - val-mask

testing/btest/Baseline/signatures.id-lookup/id.out

@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - id

testing/btest/Baseline/signatures.ip-proto-header-condition/icmp6_in_ip6.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=128/icmp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=129/icmp] - icmp6

testing/btest/Baseline/signatures.ip-proto-header-condition/icmp_in_ip4.out

@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - icmp

testing/btest/Baseline/signatures.ip-proto-header-condition/tcp_in_ip4.out

@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/tcp, resp_h=127.0.0.1, resp_p=80/tcp] - tcp

testing/btest/Baseline/signatures.ip-proto-header-condition/tcp_in_ip6.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/tcp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=80/tcp] - tcp

testing/btest/Baseline/signatures.ip-proto-header-condition/udp_in_ip4.out

@@ -0,0 +1 @@
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - udp

testing/btest/Baseline/signatures.ip-proto-header-condition/udp_in_ip6.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - udp

testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-eq-list.out

@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-eq-list

testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-eq.out

@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-eq

testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-ne-list.out

@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-ne-list

testing/btest/Baseline/signatures.src-ip-header-condition-v4-masks/src-ip-ne.out

@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-ne

testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-eq-list.out

@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-eq-list

testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-eq.out

@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-eq

testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-ne-list.out

@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-ne-list

testing/btest/Baseline/signatures.src-ip-header-condition-v4/src-ip-ne.out

@@ -0,0 +1 @@
+signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-ne

testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-eq-list.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-eq-list

testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-eq.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-eq

testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-ne-list.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-ne-list

testing/btest/Baseline/signatures.src-ip-header-condition-v6-masks/src-ip-ne.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-ne

testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-eq-list.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-eq-list

testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-eq.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-eq

testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-ne-list.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-ne-list

testing/btest/Baseline/signatures.src-ip-header-condition-v6/src-ip-ne.out

@@ -0,0 +1 @@
+signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-ne