Reachability:
  # traffic to loopback should be reachable in from the right source
  - Ingress: [r1@Eth0]
    Egress: [r4@Loopback0]
    DstIp: [10.0.0.1/32]
    SrcIp: [70.4.194.0/24]
    Protocol: [0-255]
    DstPort: [0-65535]
    SrcPort: [0-65535]
    # check reachability for any single failure. the set of 
    # possible failures should exclude the ingress and egress
    # interfaces, since that makes the query trivially false.
    MaxFailures: 1
  # traffic between hosts should not be reachable in general
  - Ingress: [r1@Eth0]
    Egress: [r4@Eth3]
    DstIp: [70.4.193.0/24]
    SrcIp: [0.0.0.0/0]
    Protocol: [0-255]
    DstPort: [0-65535]
    SrcPort: [0-65535]
    MaxFailures: 0
  # traffic between hosts should not be reachable for TCP SSH traffic if from the wrong source
  - Ingress: [r1@Eth0]
    Egress: [r4@Eth3]
    DstIp: [70.4.193.0/24]
    SrcIp: [0.0.0.0/0]
    Protocol: [6-6]
    DstPort: [22-22]
    SrcPort: [0-65535]
    MaxFailures: 0
  # traffic between hosts should be reachable for TCP SSH traffic from the right source
  - Ingress: [r1@Eth0]
    Egress: [r4@Eth3]
    DstIp: [70.4.193.0/24]
    SrcIp: [70.4.194.0/24]
    Protocol: [6-6]
    DstPort: [22-22]
    SrcPort: [0-65535]
    MaxFailures: 1
  # splitting a prefix should not affect reachability
  - Ingress: [r1@Eth0]
    Egress: [r4@Eth3]
    DstIp: [70.4.193.0/24]
    SrcIp: [70.4.194.0/25, 70.4.194.128/25]
    Protocol: [6-6]
    DstPort: [22-22]
    SrcPort: [0-65535]
    MaxFailures: 1
  # traffic between hosts should be reachable for UDP, but not when 2 failures are allowed
  - Ingress: [r1@Eth0]
    Egress: [r4@Eth3]
    DstIp: [70.4.193.0/24]
    SrcIp: [70.4.194.0/24]
    Protocol: [17-17]
    DstPort: [0-65535]
    SrcPort: [0-65535]
    MaxFailures: 2