[netfilter-cvslog] r3444 - trunk/nfsim-testsuite/01iptables

rusty at netfilter.org rusty at netfilter.org
Sat Dec 18 14:26:44 CET 2004


Author: rusty at netfilter.org
Date: 2004-12-18 14:26:43 +0100 (Sat, 18 Dec 2004)
New Revision: 3444

Modified:
   trunk/nfsim-testsuite/01iptables/01reject.sim
Log:
Beef up coverage of REJECT target.


Modified: trunk/nfsim-testsuite/01iptables/01reject.sim
===================================================================
--- trunk/nfsim-testsuite/01iptables/01reject.sim	2004-12-18 13:25:36 UTC (rev 3443)
+++ trunk/nfsim-testsuite/01iptables/01reject.sim	2004-12-18 13:26:43 UTC (rev 3444)
@@ -4,5 +4,73 @@
 # expect to get dropped, and an ICMP error back at us.
 expect gen_ip hook:NF_IP_LOCAL_IN * NF_DROP {IPv4 192.168.0.2 192.168.0.1 10 17 1 2}
 expect gen_ip send:eth0 {IPv4 192.168.0.1 192.168.0.2 38 1 3 3 CONTAINS 192.168.0.2 192.168.0.1 10 17 1 2}
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 10 17 1 2
 
+# nothing in return for an ICMP error.
+expect gen_err hook:NF_IP_LOCAL_IN * NF_DROP {IPv4 192.168.0.2 192.168.0.1 30 1 3 0 CONTAINS 192.168.0.1 192.168.0.2 10 17 1 2}
+expect ! gen_err send:eth0*
+gen_err IF=eth0 LEN=30 192.168.0.2 3 0 192.168.0.1 192.168.0.2 10 17 1 2
+
+iptables -D INPUT -j REJECT
+
+# All the different species of reject.
+iptables -A INPUT -j REJECT --reject-with icmp-net-unreachable
+expect gen_ip hook:NF_IP_LOCAL_IN * NF_DROP {IPv4 192.168.0.2 192.168.0.1 10 17 1 2}
+expect gen_ip send:eth0 {IPv4 192.168.0.1 192.168.0.2 38 1 3 0 CONTAINS 192.168.0.2 192.168.0.1 10 17 1 2}
 gen_ip IF=eth0 192.168.0.2 192.168.0.1 10 17 1 2
+iptables -D INPUT -j REJECT --reject-with icmp-net-unreachable
+
+iptables -A INPUT -j REJECT --reject-with icmp-host-unreachable
+expect gen_ip hook:NF_IP_LOCAL_IN * NF_DROP {IPv4 192.168.0.2 192.168.0.1 10 17 1 2}
+expect gen_ip send:eth0 {IPv4 192.168.0.1 192.168.0.2 38 1 3 1 CONTAINS 192.168.0.2 192.168.0.1 10 17 1 2}
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 10 17 1 2
+iptables -D INPUT -j REJECT --reject-with icmp-host-unreachable
+
+iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
+expect gen_ip hook:NF_IP_LOCAL_IN * NF_DROP {IPv4 192.168.0.2 192.168.0.1 10 17 1 2}
+expect gen_ip send:eth0 {IPv4 192.168.0.1 192.168.0.2 38 1 3 2 CONTAINS 192.168.0.2 192.168.0.1 10 17 1 2}
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 10 17 1 2
+iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable
+
+iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
+expect gen_ip hook:NF_IP_LOCAL_IN * NF_DROP {IPv4 192.168.0.2 192.168.0.1 10 17 1 2}
+expect gen_ip send:eth0 {IPv4 192.168.0.1 192.168.0.2 38 1 3 3 CONTAINS 192.168.0.2 192.168.0.1 10 17 1 2}
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 10 17 1 2
+iptables -D INPUT -j REJECT --reject-with icmp-port-unreachable
+
+iptables -A INPUT -j REJECT --reject-with icmp-net-prohibited
+expect gen_ip hook:NF_IP_LOCAL_IN * NF_DROP {IPv4 192.168.0.2 192.168.0.1 10 17 1 2}
+expect gen_ip send:eth0 {IPv4 192.168.0.1 192.168.0.2 38 1 3 9 CONTAINS 192.168.0.2 192.168.0.1 10 17 1 2}
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 10 17 1 2
+iptables -D INPUT -j REJECT --reject-with icmp-net-prohibited
+
+iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
+expect gen_ip hook:NF_IP_LOCAL_IN * NF_DROP {IPv4 192.168.0.2 192.168.0.1 10 17 1 2}
+expect gen_ip send:eth0 {IPv4 192.168.0.1 192.168.0.2 38 1 3 10 CONTAINS 192.168.0.2 192.168.0.1 10 17 1 2}
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 10 17 1 2
+iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
+
+iptables -A INPUT -j REJECT --reject-with icmp-admin-prohibited
+expect gen_ip hook:NF_IP_LOCAL_IN * NF_DROP {IPv4 192.168.0.2 192.168.0.1 10 17 1 2}
+expect gen_ip send:eth0 {IPv4 192.168.0.1 192.168.0.2 38 1 3 13 CONTAINS 192.168.0.2 192.168.0.1 10 17 1 2}
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 10 17 1 2
+iptables -D INPUT -j REJECT --reject-with icmp-admin-prohibited
+
+# tcp-reset needs to be attached to -p tcp (and not inverted!).
+expect iptables iptables: command failed
+iptables -A INPUT -j REJECT --reject-with tcp-reset
+
+expect iptables iptables: command failed
+iptables -A INPUT -p ! tcp -j REJECT --reject-with tcp-reset
+
+# Find it even if other matches come first.
+iptables -A INPUT -m limit --limit 1/s -m tos --tos 0 -p tcp -j REJECT --reject-with tcp-reset
+iptables -D INPUT -m limit --limit 1/s -m tos --tos 0 -p tcp -j REJECT --reject-with tcp-reset
+
+iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
+
+expect gen_ip hook:NF_IP_LOCAL_IN * NF_DROP {IPv4 192.168.0.2 192.168.0.1 0 6 1 2 SYN}
+expect gen_ip send:eth0 {IPv4 DF 192.168.0.1 192.168.0.2 0 6 2 1 RST/ACK ACK=1}
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 1 2 SYN
+iptables -D INPUT -p tcp -j REJECT --reject-with tcp-reset
+
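Review bot: The tcp-reset case at the end of the hunk only sends a SYN, so nothing checks that the target stays silent when the incoming segment itself carries RST; a reset must not be answered with another reset, which is the TCP counterpart of the ICMP-error-on-ICMP-error rule this hunk already covers with `expect ! gen_err send:eth0*`. A negative case next to the SYN one would close that gap, e.g. `expect gen_ip hook:NF_IP_LOCAL_IN * NF_DROP {IPv4 192.168.0.2 192.168.0.1 0 6 1 2 RST}`, `expect ! gen_ip send:eth0*`, `gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 1 2 RST` — assuming gen_ip accepts a lone RST flag token the way it accepts SYN and RST/ACK here, which the page does not show. The RST/ACK expectation also pins ACK=1 but not the sequence number of the reply, so a wrong SEQ would pass unnoticed if the harness can express it. The added trailing blank `+` line at the end of the file is a minor style nit.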



