[netfilter-cvslog] r3423 - trunk/nfsim-testsuite/01iptables

rusty at netfilter.org rusty at netfilter.org
Fri Dec 17 05:33:29 CET 2004


Author: rusty at netfilter.org
Date: 2004-12-17 05:33:29 +0100 (Fri, 17 Dec 2004)
New Revision: 3423

Added:
   trunk/nfsim-testsuite/01iptables/00simple.sim
Log:
Add simple tests for basic iptables functionality (core matches).


Added: trunk/nfsim-testsuite/01iptables/00simple.sim
===================================================================
--- trunk/nfsim-testsuite/01iptables/00simple.sim	2004-12-17 04:14:42 UTC (rev 3422)
+++ trunk/nfsim-testsuite/01iptables/00simple.sim	2004-12-17 04:33:29 UTC (rev 3423)
@@ -0,0 +1,105 @@
+# Test simple matches for iptables
+
+# Don't want conntrack to interfere with fragments.
+
+rmmod -a
+insmod ip_tables
+insmod iptable_filter
+
+# By source address
+iptables -A FORWARD -s 192.168.0.2 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 3}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 3
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 3}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+iptables -D FORWARD -s 192.168.0.2 -j DROP
+
+# By destination address
+iptables -A FORWARD -d 192.168.1.2 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.3 0 3}
+gen_ip IF=eth0 192.168.0.2 192.168.1.3 0 3
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 3}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+iptables -D FORWARD -d 192.168.1.2 -j DROP
+
+# By input interface
+iptables -A FORWARD -i eth1 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 3}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.1.2 192.168.0.2 0 3}
+gen_ip IF=eth1 192.168.1.2 192.168.0.2 0 3
+iptables -D FORWARD -i eth1 -j DROP
+
+# By output interface
+iptables -A FORWARD -o eth0 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 3}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.1.2 192.168.0.2 0 3}
+gen_ip IF=eth1 192.168.1.2 192.168.0.2 0 3
+iptables -D FORWARD -o eth0 -j DROP
+
+# By proto
+iptables -A FORWARD -p 4 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 3}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 4}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 4
+iptables -D FORWARD -p 4 -j DROP
+
+# By fragment
+iptables -A FORWARD -f -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 3}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 FRAG=8 192.168.0.2 192.168.1.2}
+gen_ip IF=eth0 FRAG=8,100 192.168.0.2 192.168.1.2 108 3
+iptables -D FORWARD -f -j DROP
+
+### Inverted tests
+
+# By source address
+iptables -A FORWARD -s ! 192.168.0.3 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 3}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 3
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 3}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+iptables -D FORWARD -s ! 192.168.0.3 -j DROP
+
+# By destination address
+iptables -A FORWARD -d ! 192.168.1.3 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.3 0 3}
+gen_ip IF=eth0 192.168.0.2 192.168.1.3 0 3
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 3}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+iptables -D FORWARD -d ! 192.168.1.3 -j DROP
+
+# By input interface
+iptables -A FORWARD -i ! eth0 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 3}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.1.2 192.168.0.2 0 3}
+gen_ip IF=eth1 192.168.1.2 192.168.0.2 0 3
+iptables -D FORWARD -i ! eth0 -j DROP
+
+# By output interface
+iptables -A FORWARD -o ! eth1 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 3}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.1.2 192.168.0.2 0 3}
+gen_ip IF=eth1 192.168.1.2 192.168.0.2 0 3
+iptables -D FORWARD -o ! eth1 -j DROP
+
+# By proto
+iptables -A FORWARD -p ! 3 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 3}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 4}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 4
+iptables -D FORWARD -p ! 3 -j DROP
+
+# By fragment
+iptables -A FORWARD ! -f -j DROP
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 3}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+expect gen_ip send:eth1 {IPv4 FRAG=8 192.168.0.2 192.168.1.2}
+gen_ip IF=eth0 FRAG=8,100 192.168.0.2 192.168.1.2 108 3
+iptables -D FORWARD ! -f -j DROP
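Review bot: Both fragment blocks (`-f` and `! -f`) only ever inject a non-head fragment (`FRAG=8,100`), so nothing in this file pins how the first fragment of a fragmented datagram is treated. `-f` is documented to match only second and further fragments, so a regression that made it match the offset-0 fragment (or made `! -f` miss it) would still pass; that boundary matters because rulesets depend on it to decide which fragments reach the header-based checks. I would add one offset-0 packet with more-fragments set to each block, expecting `send:eth1` under `-f` and `NF_DROP` under `! -f`, provided gen_ip can express that, plus a comment such as `# -f matches only non-first fragments (offset != 0)` above the first block. The address blocks likewise cover only exact host matches; a masked `-s`/`-d` case would be a cheap addition.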



