[netfilter-cvslog] r3464 - trunk/nfsim-testsuite/01iptables

rusty at netfilter.org rusty at netfilter.org
Mon Dec 20 05:21:57 CET 2004


Author: rusty at netfilter.org
Date: 2004-12-20 05:21:57 +0100 (Mon, 20 Dec 2004)
New Revision: 3464

Added:
   trunk/nfsim-testsuite/01iptables/39ipt_length.sim
Log:
Samuel Jean: [testsuite] ipt_length

{RR: Merged into one test.  Should only be split if expectations differ}


Added: trunk/nfsim-testsuite/01iptables/39ipt_length.sim
===================================================================
--- trunk/nfsim-testsuite/01iptables/39ipt_length.sim	2004-12-20 03:41:07 UTC (rev 3463)
+++ trunk/nfsim-testsuite/01iptables/39ipt_length.sim	2004-12-20 04:21:57 UTC (rev 3464)
@@ -0,0 +1,56 @@
+# Send 5 packets with different length where datalen 0 & 4 are out of range.
+# As it tests against the ip header, whatever layer4 proto we use is OK.
+# TCP with no data ends up with a packet of 40 bytes.
+
+iptables -I INPUT -m length --length 41:43 -j DROP
+expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 1 2 SYN
+expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 1 6 1 2 SYN
+expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 2 6 1 2 SYN
+expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 3 6 1 2 SYN
+expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 4 6 1 2 SYN
+iptables -D INPUT -m length --length 41:43 -j DROP
+
+# Invert the whole thing
+iptables -I INPUT -m length ! --length 41:43 -j DROP
+expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 1 2 SYN
+expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 1 6 1 2 SYN
+expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 2 6 1 2 SYN
+expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 3 6 1 2 SYN
+expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 4 6 1 2 SYN
+iptables -D INPUT -m length ! --length 41:43 -j DROP
+# Test a normal straight rule (expecting: success)
+iptables -I INPUT -m length --length 100
+iptables -D INPUT -m length --length 100
+iptables -I INPUT -m length --length 100:200
+iptables -D INPUT -m length --length 100:200
+iptables -I INPUT -m length --length :100
+iptables -D INPUT -m length --length :100
+iptables -I INPUT -m length --length 100:
+iptables -D INPUT -m length --length 100:
+iptables -I INPUT -m length --length :
+iptables -D INPUT -m length --length :
+
+
+# Test both invert argument (expecting: success)
+iptables -I INPUT -m length ! --length 100
+iptables -I INPUT -m length --length ! 100
+
+# Twin options are not allowed (expecting: failure)
+expect iptables iptables: command failed
+iptables -I INPUT -m length --length 100 --length 50
+
+# Bad arguments (expecting: failure)
+expect iptables iptables: command failed
+iptables -I INPUT -m length --length -1
+expect iptables iptables: command failed
+iptables -I INPUT -m length --length 50:100:150
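
Review bot: The two inverted rules under "Test both invert argument" (`iptables -I INPUT -m length ! --length 100` and `iptables -I INPUT -m length --length ! 100`) are inserted but never deleted, unlike every straight rule above them, which is paired with a matching `-D`. They stay in INPUT for the rest of the file, and the block only shows that both spellings are accepted on insert, not that either rule can be matched again for deletion. Suggest adding the matching `-D` line after each. Two smaller points: the "Bad arguments" block covers only `-1` and a three-part range, so a reversed range such as `200:100` and a value above 65535 (the largest IPv4 total length) are not exercised; and a blank line before "# Test a normal straight rule" would separate it from the inverted packet test the way the other sections are separated.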



