From 223c6a87df0a9d1977f23dc5cc6d02bcaa569968 Mon Sep 17 00:00:00 2001 From: Florian Lehner Date: Sat, 25 Nov 2023 10:18:28 +0100 Subject: [PATCH] minor refactoring Signed-off-by: Florian Lehner --- bpf.go | 18 +- bpf_test.go | 474 ++++++++++++++++++++++++++++++++-------------------- 2 files changed, 306 insertions(+), 186 deletions(-) diff --git a/bpf.go b/bpf.go index b600ca5..c8ac3bd 100644 --- a/bpf.go +++ b/bpf.go @@ -4,9 +4,10 @@ import ( "encoding/binary" "errors" "fmt" + "sort" + "github.com/florianl/go-conntrack/internal/unix" "golang.org/x/net/bpf" - "sort" ) // Various errors which may occur when processing filters @@ -123,7 +124,7 @@ func encodeValue(data []byte) (val uint32) { return } -func compareValue(masking bool, filterLen, dataLen, i uint32, bpfOp uint16, filter ConnAttr) []bpf.RawInstruction { +func compareValue(masking bool, sameAttrType bool, filterLen, dataLen, i uint32, bpfOp uint16, filter ConnAttr) []bpf.RawInstruction { var raw []bpf.RawInstruction if masking { @@ -358,10 +359,12 @@ func filterMarkAttribute(filters []ConnAttr) []bpf.RawInstruction { mask := encodeValue(filter.Mask[i*4 : (i+1)*4]) tmp = bpf.RawInstruction{Op: unix.BPF_ALU | unix.BPF_AND | unix.BPF_K, K: mask} raw = append(raw, tmp) + val := encodeValue(filter.Data[i*4 : (i+1)*4]) val &= mask tmp = bpf.RawInstruction{Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, K: val, Jt: failedJump} raw = append(raw, tmp) + tmp = bpf.RawInstruction{Op: unix.BPF_MISC | unix.BPF_TXA} raw = append(raw, tmp) } @@ -407,11 +410,9 @@ func (nfct *Nfct) removeFilter() error { return nfct.Con.RemoveBPF() } -func fmtRawInstruction(index int, raw bpf.RawInstruction) string { - code := code2str(raw.Op & 0xFFFF) - return fmt.Sprintf("(%.4x) code=%30s\tjt=%.2x jf=%.2x k=%.8x\n", - index, - code, +func fmtRawInstruction(raw bpf.RawInstruction) string { + return fmt.Sprintf("code=%30s\tjt=%.2x jf=%.2x k=%.8x", + code2str(raw.Op&0xFFFF), raw.Jt&0xFF, raw.Jf&0xFF, raw.K&0xFFFFFFFF) 
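Review bot: The new `sameAttrType bool` parameter on `compareValue` has no visible use and no call site is updated anywhere in this patch; the 18 changed lines the diffstat reports for bpf.go are all accounted for by the visible hunks. So either the function currently has no callers or the package no longer builds. The body continues outside the hunk, so whether the flag is read there cannot be confirmed from here. Two adjacent `bool` parameters are also easy to transpose at a call site without any compiler error, which matters in code that emits a kernel socket filter. If the flag stays, document it on the function, for example `// sameAttrType: the previous filter had the same attribute type (TODO confirm against the body)`, or pass both flags in a small options struct.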
@@ -421,12 +422,13 @@ func fmtRawInstructions(raw []bpf.RawInstruction) string { var output string for i, instr := range raw { - output += fmtRawInstruction(i, instr) + output += fmt.Sprintf("(%.4x) %s\n", i, fmtRawInstruction(instr)) } return output } +// From libnetfilter_conntrack:src/conntrack/bsf.c func code2str(op uint16) string { switch op { case unix.BPF_LD | unix.BPF_IMM: diff --git a/bpf_test.go b/bpf_test.go index 508b563..8288a51 100644 --- a/bpf_test.go +++ b/bpf_test.go @@ -3,13 +3,14 @@ package conntrack import ( "encoding/binary" "errors" - "github.com/florianl/go-conntrack/internal/unix" "testing" + "github.com/florianl/go-conntrack/internal/unix" + "golang.org/x/net/bpf" ) -func TestConstructFilter(t *testing.T) { +func TestOldConstructFilter(t *testing.T) { tests := []struct { name string table Table 
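Review bot: The added comment `// From libnetfilter_conntrack:src/conntrack/bsf.c` says where `code2str` was taken from but not which upstream version, so later drift between the two opcode tables cannot be checked. It also does not follow the Go convention of starting a doc comment with the function name. Suggested wording: `// code2str returns the mnemonic for a classic BPF opcode. Adapted from libnetfilter_conntrack src/conntrack/bsf.c (<upstream version or commit>).` The function body continues outside the hunk.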
@@ -25,92 +26,93 @@ func TestConstructFilter(t *testing.T) { {Type: AttrOrigIPv4Src, Data: []byte{0x7F, 0x0, 0x0, 0x1}, Mask: []byte{0xff, 0xff, 0xff, 0xff}, Negate: true}, // SrcIP != 127.0.0.1 {Type: AttrOrigIPv6Src, Data: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, // SrcIP != ::1 Mask: []byte{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, Negate: true}, - }, rawInstr: []bpf.RawInstruction{ - {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: 0x0050, Jt: 0x00, Jf: 0x00, K: 0x00000001}, - {Op: 0x0015, Jt: 0x01, Jf: 0x00, K: 0x00000001}, - {Op: 0x0006, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, - {Op: 0x0000, Jt: 0x00, Jf: 0x00, K: 0x00000014}, - {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000001}, - {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, - {Op: 0x0015, Jt: 0x0d, Jf: 0x00, K: 0x00000000}, - {Op: 0x0004, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000001}, - {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, - {Op: 0x0015, Jt: 0x09, Jf: 0x00, K: 0x00000000}, - {Op: 0x0004, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000001}, - {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, - {Op: 0x0015, Jt: 0x05, Jf: 0x00, K: 0x00000000}, - {Op: 0x0007, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: 0x0040, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: 0x0054, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, - {Op: 0x0015, Jt: 0x01, Jf: 0x00, K: 0x7f000001}, - {Op: 0x0005, Jt: 0x00, Jf: 0x00, K: 0x00000001}, - {Op: 0x0006, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: 0x0000, Jt: 0x00, Jf: 0x00, K: 0x00000014}, - {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000001}, - {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, - {Op: 0x0015, Jt: 0x16, Jf: 0x00, K: 0x00000000}, - {Op: 0x0004, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000001}, - {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, - {Op: 
0x0015, Jt: 0x12, Jf: 0x00, K: 0x00000000}, - {Op: 0x0004, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000003}, - {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, - {Op: 0x0015, Jt: 0x0e, Jf: 0x00, K: 0x00000000}, - {Op: 0x0007, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: 0x0040, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: 0x0054, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, - {Op: 0x0015, Jt: 0x00, Jf: 0x0a, K: 0x00000000}, - {Op: 0x0040, Jt: 0x00, Jf: 0x00, K: 0x00000008}, - {Op: 0x0054, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, - {Op: 0x0015, Jt: 0x00, Jf: 0x07, K: 0x00000000}, - {Op: 0x0040, Jt: 0x00, Jf: 0x00, K: 0x0000000c}, - {Op: 0x0054, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, - {Op: 0x0015, Jt: 0x00, Jf: 0x04, K: 0x00000000}, - {Op: 0x0040, Jt: 0x00, Jf: 0x00, K: 0x00000010}, - {Op: 0x0054, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, - {Op: 0x0015, Jt: 0x01, Jf: 0x00, K: 0x00000001}, - {Op: 0x0005, Jt: 0x00, Jf: 0x00, K: 0x00000001}, - {Op: 0x0006, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: 0x0000, Jt: 0x00, Jf: 0x00, K: 0x00000014}, - {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000001}, - {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, - {Op: 0x0015, Jt: 0x0e, Jf: 0x00, K: 0x00000000}, - {Op: 0x0004, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000002}, - {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, - {Op: 0x0015, Jt: 0x0a, Jf: 0x00, K: 0x00000000}, - {Op: 0x0004, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000001}, - {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, - {Op: 0x0015, Jt: 0x06, Jf: 0x00, K: 0x00000000}, - {Op: 0x0007, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: 0x0050, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: 0x0015, Jt: 0x02, Jf: 0x00, K: 0x00000011}, - {Op: 0x0050, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: 0x0015, Jt: 0x01, Jf: 0x00, K: 0x00000006}, - {Op: 0x0006, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: 0x0000, Jt: 0x00, Jf: 0x00, K: 0x00000014}, - {Op: 0x0001, 
Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, - {Op: 0x0015, Jt: 0x0c, Jf: 0x00, K: 0x00000000}, - {Op: 0x0004, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000001}, - {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, - {Op: 0x0015, Jt: 0x08, Jf: 0x00, K: 0x00000000}, - {Op: 0x0004, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000001}, - {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, - {Op: 0x0015, Jt: 0x04, Jf: 0x00, K: 0x00000000}, - {Op: 0x0007, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: 0x0050, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: 0x0015, Jt: 0x01, Jf: 0x00, K: 0x00000003}, - {Op: 0x0006, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: 0x0006, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, - }}, + }, + rawInstr: []bpf.RawInstruction{ + {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: 0x0050, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: 0x0015, Jt: 0x01, Jf: 0x00, K: 0x00000001}, + {Op: 0x0006, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + {Op: 0x0000, Jt: 0x00, Jf: 0x00, K: 0x00000014}, + {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: 0x0015, Jt: 0x0d, Jf: 0x00, K: 0x00000000}, + {Op: 0x0004, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: 0x0015, Jt: 0x09, Jf: 0x00, K: 0x00000000}, + {Op: 0x0004, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: 0x0015, Jt: 0x05, Jf: 0x00, K: 0x00000000}, + {Op: 0x0007, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: 0x0040, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: 0x0054, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + {Op: 0x0015, Jt: 0x01, Jf: 0x00, K: 0x7f000001}, + {Op: 0x0005, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: 0x0006, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: 0x0000, Jt: 0x00, Jf: 
0x00, K: 0x00000014}, + {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: 0x0015, Jt: 0x16, Jf: 0x00, K: 0x00000000}, + {Op: 0x0004, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: 0x0015, Jt: 0x12, Jf: 0x00, K: 0x00000000}, + {Op: 0x0004, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000003}, + {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: 0x0015, Jt: 0x0e, Jf: 0x00, K: 0x00000000}, + {Op: 0x0007, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: 0x0040, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: 0x0054, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + {Op: 0x0015, Jt: 0x00, Jf: 0x0a, K: 0x00000000}, + {Op: 0x0040, Jt: 0x00, Jf: 0x00, K: 0x00000008}, + {Op: 0x0054, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + {Op: 0x0015, Jt: 0x00, Jf: 0x07, K: 0x00000000}, + {Op: 0x0040, Jt: 0x00, Jf: 0x00, K: 0x0000000c}, + {Op: 0x0054, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + {Op: 0x0015, Jt: 0x00, Jf: 0x04, K: 0x00000000}, + {Op: 0x0040, Jt: 0x00, Jf: 0x00, K: 0x00000010}, + {Op: 0x0054, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + {Op: 0x0015, Jt: 0x01, Jf: 0x00, K: 0x00000001}, + {Op: 0x0005, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: 0x0006, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: 0x0000, Jt: 0x00, Jf: 0x00, K: 0x00000014}, + {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: 0x0015, Jt: 0x0d, Jf: 0x00, K: 0x00000000}, + {Op: 0x0004, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000002}, + {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: 0x0015, Jt: 0x09, Jf: 0x00, K: 0x00000000}, + {Op: 0x0004, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: 0x0015, Jt: 0x05, Jf: 0x00, K: 0x00000000}, + {Op: 0x0007, Jt: 0x00, Jf: 0x00, K: 
0x00000000}, + {Op: 0x0050, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: 0x0015, Jt: 0x02, Jf: 0x00, K: 0x00000011}, + {Op: 0x0015, Jt: 0x01, Jf: 0x00, K: 0x00000006}, + {Op: 0x0006, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: 0x0000, Jt: 0x00, Jf: 0x00, K: 0x00000014}, + {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: 0x0015, Jt: 0x0c, Jf: 0x00, K: 0x00000000}, + {Op: 0x0004, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: 0x0015, Jt: 0x08, Jf: 0x00, K: 0x00000000}, + {Op: 0x0004, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: 0x0001, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: 0x0030, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: 0x0015, Jt: 0x04, Jf: 0x00, K: 0x00000000}, + {Op: 0x0007, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: 0x0050, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: 0x0015, Jt: 0x01, Jf: 0x00, K: 0x00000003}, + {Op: 0x0006, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: 0x0006, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + }, + }, {name: "tcp and port 22", table: Conntrack, filters: []ConnAttr{ {Type: AttrOrigL4Proto, Data: []byte{0x11}}, // TCP {Type: AttrOrigPortDst, Data: []byte{0x00, 0x16}}, // 22 @@ -174,7 +176,7 @@ func TestConstructFilter(t *testing.T) { } } -func TestAttrMarkFilter(t *testing.T) { +func TestConstructFilter(t *testing.T) { mark1ByteValue := make([]byte, 4) binary.BigEndian.PutUint32(mark1ByteValue, 1) mark10ByteValue := make([]byte, 4) 
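Review bot: The expected program for this case changes in content, not only in layout. The three attribute-walk jumps drop by one (`Jt: 0x0e` to `0x0d`, `0x0a` to `0x09`, `0x06` to `0x05`) and the second `{Op: 0x0050, ..., K: 0x00000004}` load between the `K: 0x11` and `K: 0x06` comparisons is removed, yet none of the bpf.go hunks in this patch alters instruction generation. Under the subject "minor refactoring" that leaves it unclear whether this test fails after the commit or was already failing before it. These bytes are the specification of which conntrack events the socket filter passes, so the commit message should name the generator change the new expectation follows. A short comment above the two comparisons would also help, e.g. `// proto byte loaded once; both JEQs test the same accumulator`. The test function starts and ends outside this hunk.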
@@ -186,116 +188,232 @@ func TestAttrMarkFilter(t *testing.T) { mark1000ByteValue := make([]byte, 4) binary.BigEndian.PutUint32(mark1000ByteValue, 1000) - tests := []struct { - name string + tests := map[string]struct { table Table filters []ConnAttr rawInstr []bpf.RawInstruction err error }{ - {name: "mark positive filter: [1]", table: Conntrack, filters: []ConnAttr{ - {Type: AttrMark, Data: mark1ByteValue, Mask: []byte{255, 255, 255, 255}, Negate: false}, - }, rawInstr: []bpf.RawInstruction{ - //--- check subsys --- - {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000001}, - {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x01, Jf: 0x00, K: 0x00000001}, - {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, - //--- check mark --- - {Op: unix.BPF_LD | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000014}, - {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000008}, - {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_ABS, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, - {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x02, Jf: 0x00, K: 0x00000000}, - {Op: unix.BPF_MISC | unix.BPF_TAX, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: unix.BPF_LD | unix.BPF_W | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: unix.BPF_MISC | unix.BPF_TAX, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: unix.BPF_ALU | unix.BPF_AND | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, - {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x02, Jf: 0x00, K: 0x00000001}, - {Op: unix.BPF_MISC | unix.BPF_TXA, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - //---- final verdict ---- - {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, - }}, - {name: "mark positive filter: [10,50,1000]", table: Conntrack, filters: []ConnAttr{ - {Type: AttrMark, Data: mark10ByteValue, Mask: []byte{255, 255, 255, 255}, Negate: false}, - 
{Type: AttrMark, Data: mark50ByteValue, Mask: []byte{255, 255, 255, 255}, Negate: false}, - {Type: AttrMark, Data: mark1000ByteValue, Mask: []byte{255, 255, 255, 255}, Negate: false}, - }, rawInstr: []bpf.RawInstruction{ - //--- check subsys --- - {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000001}, - {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x01, Jf: 0x00, K: 0x00000001}, - {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, - //--- check mark --- - {Op: unix.BPF_LD | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000014}, - {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000008}, - {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_ABS, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, - {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x02, Jf: 0x00, K: 0x00000000}, - {Op: unix.BPF_MISC | unix.BPF_TAX, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: unix.BPF_LD | unix.BPF_W | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: unix.BPF_MISC | unix.BPF_TAX, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: unix.BPF_ALU | unix.BPF_AND | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, - {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x08, Jf: 0x00, K: 0x0000000a}, - {Op: unix.BPF_MISC | unix.BPF_TXA, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: unix.BPF_ALU | unix.BPF_AND | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, - {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x05, Jf: 0x00, K: 0x00000032}, - {Op: unix.BPF_MISC | unix.BPF_TXA, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: unix.BPF_ALU | unix.BPF_AND | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, - {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x02, Jf: 0x00, K: 0x000003e8}, - {Op: unix.BPF_MISC | unix.BPF_TXA, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - //---- final verdict ---- - {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 
0x00, K: 0xffffffff}, - }}, - {name: "mark negative filter: [10,11]", table: Conntrack, filters: []ConnAttr{ - {Type: AttrMark, Data: mark10ByteValue, Mask: []byte{255, 255, 255, 255}, Negate: true}, - {Type: AttrMark, Data: mark11ByteValue, Mask: []byte{255, 255, 255, 255}, Negate: true}, - }, rawInstr: []bpf.RawInstruction{ - //--- check subsys --- - {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000001}, - {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x01, Jf: 0x00, K: 0x00000001}, - {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, - //--- check mark --- - {Op: unix.BPF_LD | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000014}, - {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000008}, - {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_ABS, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, - {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x02, Jf: 0x00, K: 0x00000000}, - {Op: unix.BPF_MISC | unix.BPF_TAX, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: unix.BPF_LD | unix.BPF_W | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000004}, - {Op: unix.BPF_MISC | unix.BPF_TAX, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: unix.BPF_ALU | unix.BPF_AND | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, - {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x05, Jf: 0x00, K: 0x0000000a}, - {Op: unix.BPF_MISC | unix.BPF_TXA, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: unix.BPF_ALU | unix.BPF_AND | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, - {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x02, Jf: 0x00, K: 0x0000000b}, - {Op: unix.BPF_MISC | unix.BPF_TXA, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - {Op: unix.BPF_JMP | unix.BPF_JA, Jt: 0x00, Jf: 0x00, K: 0x00000001}, - {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0x00000000}, - //---- final verdict ---- - {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, - }}, + "mark positive filter: [1]": { + 
table: Conntrack, + filters: []ConnAttr{ + {Type: AttrMark, Data: mark1ByteValue, Mask: []byte{255, 255, 255, 255}, Negate: false}, + }, + rawInstr: []bpf.RawInstruction{ + //--- check subsys --- + {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x01, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + //--- check mark --- + {Op: unix.BPF_LD | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000014}, + {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000008}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_ABS, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x02, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_MISC | unix.BPF_TAX, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_LD | unix.BPF_W | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: unix.BPF_MISC | unix.BPF_TAX, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_ALU | unix.BPF_AND | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x02, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_MISC | unix.BPF_TXA, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + //---- final verdict ---- + {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + }}, + "mark positive filter: [10,50,1000]": { + table: Conntrack, + filters: []ConnAttr{ + {Type: AttrMark, Data: mark10ByteValue, Mask: []byte{255, 255, 255, 255}, Negate: false}, + {Type: AttrMark, Data: mark50ByteValue, Mask: []byte{255, 255, 255, 255}, Negate: false}, + {Type: AttrMark, Data: mark1000ByteValue, Mask: []byte{255, 255, 255, 255}, Negate: false}, + }, + rawInstr: []bpf.RawInstruction{ + //--- check subsys --- + {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: 
unix.BPF_LD | unix.BPF_B | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x01, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + //--- check mark --- + {Op: unix.BPF_LD | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000014}, + {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000008}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_ABS, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x02, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_MISC | unix.BPF_TAX, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_LD | unix.BPF_W | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: unix.BPF_MISC | unix.BPF_TAX, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_ALU | unix.BPF_AND | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x08, Jf: 0x00, K: 0x0000000a}, + {Op: unix.BPF_MISC | unix.BPF_TXA, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_ALU | unix.BPF_AND | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x05, Jf: 0x00, K: 0x00000032}, + {Op: unix.BPF_MISC | unix.BPF_TXA, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_ALU | unix.BPF_AND | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x02, Jf: 0x00, K: 0x000003e8}, + {Op: unix.BPF_MISC | unix.BPF_TXA, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + //---- final verdict ---- + {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + }}, + "mark negative filter: [10,11]": { + table: Conntrack, filters: []ConnAttr{ + {Type: AttrMark, Data: mark10ByteValue, Mask: []byte{255, 255, 255, 255}, Negate: true}, + {Type: AttrMark, Data: mark11ByteValue, Mask: []byte{255, 255, 255, 255}, Negate: true}, + }, + rawInstr: []bpf.RawInstruction{ 
+ //--- check subsys --- + {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x01, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + //--- check mark --- + {Op: unix.BPF_LD | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000014}, + {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000008}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_ABS, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x02, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_MISC | unix.BPF_TAX, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_LD | unix.BPF_W | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: unix.BPF_MISC | unix.BPF_TAX, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_ALU | unix.BPF_AND | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x05, Jf: 0x00, K: 0x0000000a}, + {Op: unix.BPF_MISC | unix.BPF_TXA, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_ALU | unix.BPF_AND | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x02, Jf: 0x00, K: 0x0000000b}, + {Op: unix.BPF_MISC | unix.BPF_TXA, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_JMP | unix.BPF_JA, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + //---- final verdict ---- + {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + }}, + "tcp": { + table: Conntrack, + filters: []ConnAttr{ + {Type: AttrOrigL4Proto, Data: []byte{0x06}}, // TCP + }, + rawInstr: []bpf.RawInstruction{ + // ---- check subsys --- + {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | 
unix.BPF_K, Jt: 0x01, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + // ---- check proto ---- + {Op: unix.BPF_LD | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000014}, + {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_ABS, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x0c, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_ALU | unix.BPF_ADD | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000002}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_ABS, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x08, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_ALU | unix.BPF_ADD | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_ABS, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x04, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_MISC | unix.BPF_TAX, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x01, Jf: 0x00, K: 0x00000006}, + {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + // ---- final verdict ---- + {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + }}, + "tcp or udp": { + table: Conntrack, + filters: []ConnAttr{ + {Type: AttrOrigL4Proto, Data: []byte{0x06}}, // TCP + {Type: AttrOrigL4Proto, Data: []byte{0x11}}, // UDP + }, + rawInstr: []bpf.RawInstruction{ + // ---- check subsys --- + {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x01, Jf: 0x00, K: 
0x00000001}, + {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + // ---- check proto ---- + {Op: unix.BPF_LD | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000014}, + {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_ABS, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x0d, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_ALU | unix.BPF_ADD | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000002}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_ABS, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x09, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_ALU | unix.BPF_ADD | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_ABS, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x05, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_MISC | unix.BPF_TAX, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x02, Jf: 0x00, K: 0x00000006}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x01, Jf: 0x00, K: 0x00000011}, + {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + // ---- final verdict ---- + {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + }, + }, + "src 127.0.0.1 or src 127.0.0.2 or src 127.0.0.3": { + table: Conntrack, + filters: []ConnAttr{ + {Type: AttrOrigIPv4Src, Data: []byte{0x7F, 0x0, 0x0, 0x1}, Mask: []byte{0xff, 0xff, 0xff, 0xff}}, + {Type: AttrOrigIPv4Src, Data: []byte{0x7F, 0x0, 0x0, 0x2}, Mask: []byte{0xff, 0xff, 0xff, 0xff}}, + {Type: AttrOrigIPv4Src, Data: []byte{0x7F, 0x0, 0x0, 0x3}, Mask: []byte{0xff, 0xff, 0xff, 0xff}}, + }, + rawInstr: 
[]bpf.RawInstruction{ + // ---- check subsys --- + {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x01, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + // ---- check src IPv4 ---- + {Op: unix.BPF_LD | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000014}, + {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_ABS, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x13, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_ALU | unix.BPF_ADD | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_ABS, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x0f, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_ALU | unix.BPF_ADD | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: unix.BPF_LDX | unix.BPF_IMM, Jt: 0x00, Jf: 0x00, K: 0x00000001}, + {Op: unix.BPF_LD | unix.BPF_B | unix.BPF_ABS, Jt: 0x00, Jf: 0x00, K: 0xfffff00c}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x0b, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_MISC | unix.BPF_TAX, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + {Op: unix.BPF_LD | unix.BPF_W | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: unix.BPF_ALU | unix.BPF_AND | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x07, Jf: 0x00, K: 0x7f000001}, + {Op: unix.BPF_LD | unix.BPF_W | unix.BPF_IND, Jt: 0x00, Jf: 0x00, K: 0x00000004}, + {Op: unix.BPF_ALU | unix.BPF_AND | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x04, Jf: 0x00, K: 0x7f000002}, + {Op: unix.BPF_LD | unix.BPF_W | unix.BPF_IND, Jt: 0x00, Jf: 
0x00, K: 0x00000004}, + {Op: unix.BPF_ALU | unix.BPF_AND | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + {Op: unix.BPF_JMP | unix.BPF_JEQ | unix.BPF_K, Jt: 0x01, Jf: 0x00, K: 0x7f000003}, + {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0x00000000}, + // ---- final verdict ---- + {Op: unix.BPF_RET | unix.BPF_K, Jt: 0x00, Jf: 0x00, K: 0xffffffff}, + }, + }, } - for _, tc := range tests { - t.Run(tc.name, func(t *testing.T) { + for name, tc := range tests { + t.Run(name, func(t *testing.T) { rawInstr, err := constructFilter(tc.table, tc.filters) if !errors.Is(err, tc.err) { t.Fatal(err) } if len(rawInstr) != len(tc.rawInstr) { - t.Fatalf("different length:\n- want:\n%s\n- got:\n%s", fmtRawInstructions(tc.rawInstr), fmtRawInstructions(rawInstr)) + t.Fatalf("different length:\n- want:\n%s\n- got:\n%s", + fmtRawInstructions(tc.rawInstr), fmtRawInstructions(rawInstr)) } var isErr bool for i, v := range rawInstr { if v != tc.rawInstr[i] { - t.Errorf("unexpected instruction:\n- want:\n%s\n- got:\n%s", fmtRawInstruction(i, tc.rawInstr[i]), fmtRawInstruction(i, rawInstr[i])) + t.Errorf("unexpected %d. instruction:\n- want:\n%s\n- got:\n%s", + i, fmtRawInstruction(tc.rawInstr[i]), fmtRawInstruction(rawInstr[i])) isErr = true } } if isErr { - t.Fatalf("unexpected reply:\n- want:\n%s\n- got:\n%s", fmtRawInstructions(tc.rawInstr), fmtRawInstructions(rawInstr)) + t.Fatalf("unexpected reply:\n- want:\n%s\n- got:\n%s", + fmtRawInstructions(tc.rawInstr), fmtRawInstructions(rawInstr)) } }) }
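Review bot: The three added non-mark cases ("tcp", "tcp or udp", "src 127.0.0.1 or src 127.0.0.2 or src 127.0.0.3") cover only positive matches with an absent or all-`0xff` mask. No entry in the rewritten table sets `err`, so the `errors.Is(err, tc.err)` check is only ever run against nil in this test. Negated and partially masked filters on these attribute types are not pinned by this table, so a generator regression there would presumably pass unnoticed while changing which events reach userspace. Consider adding a case such as `{Type: AttrOrigIPv4Src, Data: []byte{0x7F, 0x0, 0x0, 0x0}, Mask: []byte{0xff, 0x0, 0x0, 0x0}, Negate: true}` with its expected program, plus one input that `constructFilter` is expected to reject. The hand-written `Jt` offsets in the new cases would also be easier to audit with a trailing comment naming each jump's target.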