[netfilter-cvslog] r3424 - trunk/nfsim-testsuite/01iptables

rusty at netfilter.org rusty at netfilter.org
Fri Dec 17 05:34:32 CET 2004


Author: rusty at netfilter.org
Date: 2004-12-17 05:34:32 +0100 (Fri, 17 Dec 2004)
New Revision: 3424

Added:
   trunk/nfsim-testsuite/01iptables/27ipt_iprange-bad-addr.sim
   trunk/nfsim-testsuite/01iptables/28ipt_iprange.sim
Log:
Patch from peejix: ipt_iprange tests (modified by Rusty)


Added: trunk/nfsim-testsuite/01iptables/27ipt_iprange-bad-addr.sim
===================================================================
--- trunk/nfsim-testsuite/01iptables/27ipt_iprange-bad-addr.sim	2004-12-17 04:33:29 UTC (rev 3423)
+++ trunk/nfsim-testsuite/01iptables/27ipt_iprange-bad-addr.sim	2004-12-17 04:34:32 UTC (rev 3424)
@@ -0,0 +1,24 @@
+# Input some junk ip range.
+# Obiously, this test must fail.
+expect iptables iptables: command failed
+iptables -A INPUT -m iprange --src-range 0.0.0.0-500.400.300.200
+expect iptables iptables: command failed
+iptables -A INPUT -m iprange --dst-range 0.0.0.0-500.400.300.200
+
+# Check if inputing the same option twice override previous one.
+# This should ring the bell.
+# Side note: Fixed in SVN since Mon Jul 12 07:16:54 2004 UTC, Revision 1407
+
+iptables -A INPUT -m iprange --src-range 0.0.0.0-1.1.1.1 --src-range 1.1.1.1-2.2.2.2
+iptables -A INPUT -m iprange --dst-range 0.0.0.0-1.1.1.1 --dst-range 1.1.1.1-2.2.2.2
+
+# Giving a source and destination range should succeed.
+iptables -A INPUT -m iprange --src-range 0.0.0.0-1.1.1.1 --dst-range 1.1.1.1-2.2.2.2
+
+# Invert
+iptables -A INPUT -m iprange ! --src-range 0.0.0.0-1.1.1.1 ! --dst-range 1.1.1.1-2.2.2.2
+
+# Remove me!
+iptables -D INPUT -m iprange --src-range 0.0.0.0-1.1.1.1 --dst-range 1.1.1.1-2.2.2.2
+iptables -D INPUT -m iprange ! --src-range 0.0.0.0-1.1.1.1 ! --dst-range 1.1.1.1-2.2.2.2
+
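Review bot: The two duplicate-option commands (`--src-range` given twice, then `--dst-range` given twice) have no `expect` line and no matching `-D`, so the script does not pin the behaviour its own comment describes. If the r1407 fix mentioned in that comment makes iptables reject a repeated option, each command should be preceded by `expect iptables iptables: command failed`, like the junk-range cases at the top of the file. If they are meant to succeed, the rules they append are still in INPUT after the cleanup at the end. The header comment "this test must fail" also reads as if the whole script fails, when only the first two commands are expected to; `# These two commands must be rejected.` would say that.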

Added: trunk/nfsim-testsuite/01iptables/28ipt_iprange.sim
===================================================================
--- trunk/nfsim-testsuite/01iptables/28ipt_iprange.sim	2004-12-17 04:33:29 UTC (rev 3423)
+++ trunk/nfsim-testsuite/01iptables/28ipt_iprange.sim	2004-12-17 04:34:32 UTC (rev 3424)
@@ -0,0 +1,137 @@
+# Source address belong to this range ?
+iptables -I FORWARD -m iprange --src-range 192.168.0.11-192.168.0.13 -j DROP
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.10 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.10 192.168.1.99 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.11 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.11 192.168.1.99 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.12 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.12 192.168.1.99 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.13 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.13 192.168.1.99 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.14 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.14 192.168.1.99 0 tcp 1 2 SYN
+iptables -D FORWARD -m iprange --src-range 192.168.0.11-192.168.0.13 -j DROP
+
+# Source address doesn't belong to this range ?
+iptables -I FORWARD -m iprange ! --src-range 192.168.0.11-192.168.0.13 -j DROP
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.10 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.10 192.168.1.99 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.11 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.11 192.168.1.99 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.12 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.12 192.168.1.99 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.13 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.13 192.168.1.99 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.14 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.14 192.168.1.99 0 tcp 1 2 SYN
+iptables -D FORWARD -m iprange ! --src-range 192.168.0.11-192.168.0.13 -j DROP
+
+# Destination address belong to this range ?
+iptables -I FORWARD -m iprange --dst-range 192.168.1.11-192.168.1.13 -j DROP
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.99 192.168.1.10 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.10 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.99 192.168.1.11 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.11 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.99 192.168.1.12 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.12 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.99 192.168.1.13 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.13 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.99 192.168.1.14 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.14 0 tcp 1 2 SYN
+iptables -D FORWARD -m iprange --dst-range 192.168.1.11-192.168.1.13 -j DROP
+
+# Destination address doesn't belong to this range ?
+iptables -I FORWARD -m iprange ! --dst-range 192.168.1.11-192.168.1.13 -j DROP
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.99 192.168.1.10 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.10 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.99 192.168.1.11 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.11 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.99 192.168.1.12 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.12 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.99 192.168.1.13 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.13 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.99 192.168.1.14 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.14 0 tcp 1 2 SYN
+iptables -D FORWARD -m iprange ! --dst-range 192.168.1.11-192.168.1.13 -j DROP
+
+# Source and Destination belong..
+iptables -I FORWARD -m iprange --src-range 192.168.0.11-192.168.0.13 --dst-range 192.168.1.11-192.168.1.13 -j DROP
+
+	# Just destination not sufficient.
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.99 192.168.1.10 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.10 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.99 192.168.1.11 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.11 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.99 192.168.1.12 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.12 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.99 192.168.1.13 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.13 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.99 192.168.1.14 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.14 0 tcp 1 2 SYN
+
+	# Just source not sufficient.
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.10 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.10 192.168.1.99 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.11 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.11 192.168.1.99 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.12 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.12 192.168.1.99 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.13 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.13 192.168.1.99 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.14 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.14 192.168.1.99 0 tcp 1 2 SYN
+
+	# Need both.
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.10 192.168.1.10 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.10 192.168.1.10 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.11 192.168.1.11 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.11 192.168.1.11 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.12 192.168.1.12 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.12 192.168.1.12 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.13 192.168.1.13 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.13 192.168.1.13 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.14 192.168.1.14 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.14 192.168.1.14 0 tcp 1 2 SYN
+
+iptables -D FORWARD -m iprange --src-range 192.168.0.11-192.168.0.13 --dst-range 192.168.1.11-192.168.1.13 -j DROP
+
+# Source and Destination doesn't belong..
+iptables -I FORWARD -m iprange ! --src-range 192.168.0.11-192.168.0.13 ! --dst-range 192.168.1.11-192.168.1.13 -j DROP
+
+	# Destination in range is sufficient.
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.99 192.168.1.10 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.10 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.99 192.168.1.11 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.11 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.99 192.168.1.12 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.12 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.99 192.168.1.13 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.13 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.99 192.168.1.14 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.99 192.168.1.14 0 tcp 1 2 SYN
+
+	# Source in range is sufficient.
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.10 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.10 192.168.1.99 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.11 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.11 192.168.1.99 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.12 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.12 192.168.1.99 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.13 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.13 192.168.1.99 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.14 192.168.1.99 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.14 192.168.1.99 0 tcp 1 2 SYN
+
+	# Both works, too.
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.10 192.168.1.10 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.10 192.168.1.10 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.11 192.168.1.11 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.11 192.168.1.11 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.12 192.168.1.12 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.12 192.168.1.12 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.13 192.168.1.13 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.13 192.168.1.13 0 tcp 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.14 192.168.1.14 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.14 192.168.1.14 0 tcp 1 2 SYN
+
+iptables -D FORWARD -m iprange ! --src-range 192.168.0.11-192.168.0.13 ! --dst-range 192.168.1.11-192.168.1.13 -j DROP
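Review bot: Every range in this file differs from its probe addresses only in the last octet, so a comparison done without converting addresses to host byte order would still pass all of these cases on a little-endian machine. A range that crosses an octet boundary, probed inside and outside, would catch that. The match code is not part of this commit, so this is a coverage gap rather than a known defect. A single-address range (both ends equal) would be a cheap addition as well. The lines below use constructed addresses in the same form as the existing cases.

```shell
# Range crossing an octet boundary (constructed sample addresses).
iptables -I FORWARD -m iprange --src-range 192.168.0.200-192.168.1.50 -j DROP
expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_ACCEPT {IPv4 192.168.0.100 192.168.1.99 0 6 1 2 SYN}
gen_ip IF=eth0 192.168.0.100 192.168.1.99 0 tcp 1 2 SYN
expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.250 192.168.1.99 0 6 1 2 SYN}
gen_ip IF=eth0 192.168.0.250 192.168.1.99 0 tcp 1 2 SYN
iptables -D FORWARD -m iprange --src-range 192.168.0.200-192.168.1.50 -j DROP
```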



