[netfilter-cvslog] r3528 - trunk/nfsim-testsuite/01iptables

rusty at netfilter.org rusty at netfilter.org
Fri Dec 31 08:06:48 CET 2004


Author: rusty at netfilter.org
Date: 2004-12-31 08:06:48 +0100 (Fri, 31 Dec 2004)
New Revision: 3528

Added:
   trunk/nfsim-testsuite/01iptables/01icmp.sim
   trunk/nfsim-testsuite/01iptables/01tcp.sim
   trunk/nfsim-testsuite/01iptables/01udp.sim
Log:
More basic testing for protocol matching.


Added: trunk/nfsim-testsuite/01iptables/01icmp.sim
===================================================================
--- trunk/nfsim-testsuite/01iptables/01icmp.sim	2004-12-31 07:05:58 UTC (rev 3527)
+++ trunk/nfsim-testsuite/01iptables/01icmp.sim	2004-12-31 07:06:48 UTC (rev 3528)
@@ -0,0 +1,172 @@
+# Test simple matches for iptables: ICMP
+
+# Don't want conntrack to interfere with fragments.
+rmmod -a
+insmod ip_tables
+insmod iptable_filter
+
+# By type
+iptables -A FORWARD -p icmp --icmp-type 2 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 1 1 2 CONTAINS}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 1 1 2
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 1 1 1 CONTAINS}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 1 1 1
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 1 2 2 CONTAINS}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 1 2 2
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 1 2 1 CONTAINS}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 1 2 1
+iptables -D FORWARD -p icmp --icmp-type 2 -j DROP
+
+# By type and code
+iptables -A FORWARD -p icmp --icmp-type 2/2 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 1 1 2 CONTAINS}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 1 1 2
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 1 1 1 CONTAINS}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 1 1 1
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 1 2 2 CONTAINS}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 1 2 2
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 1 2 1 CONTAINS}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 1 2 1
+iptables -D FORWARD -p icmp --icmp-type 2/2 -j DROP
+
+### Inverse tests
+
+# By type
+iptables -A FORWARD -p icmp ! --icmp-type 2 -j DROP
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 1 1 2 CONTAINS}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 1 1 2
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 1 1 1 CONTAINS}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 1 1 1
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 1 2 2 CONTAINS}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 1 2 2
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 1 2 1 CONTAINS}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 1 2 1
+iptables -D FORWARD -p icmp --icmp-type ! 2 -j DROP
+
+# By type and code
+iptables -A FORWARD -p icmp ! --icmp-type 2/2 -j DROP
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 1 1 2 CONTAINS}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 1 1 2
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 1 1 1 CONTAINS}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 1 1 1
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 1 2 2 CONTAINS}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 1 2 2
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 1 2 1 CONTAINS}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 1 2 1
+iptables -D FORWARD -p icmp --icmp-type ! 2/2 -j DROP
+
+# Check the type and code mnemonics: match by deleting rule.
+iptables -A FORWARD -p icmp --icmp-type echo-reply
+iptables -D FORWARD -p icmp --icmp-type 0
+
+iptables -A FORWARD -p icmp --icmp-type echo-reply
+iptables -D FORWARD -p icmp --icmp-type pong
+
+iptables -A FORWARD -p icmp --icmp-type destination-unreachable
+iptables -D FORWARD -p icmp --icmp-type 3
+
+iptables -A FORWARD -p icmp --icmp-type    network-unreachable
+iptables -D FORWARD -p icmp --icmp-type 3/0
+
+iptables -A FORWARD -p icmp --icmp-type    host-unreachable
+iptables -D FORWARD -p icmp --icmp-type 3/1
+
+iptables -A FORWARD -p icmp --icmp-type    protocol-unreachable
+iptables -D FORWARD -p icmp --icmp-type 3/2
+
+iptables -A FORWARD -p icmp --icmp-type    port-unreachable
+iptables -D FORWARD -p icmp --icmp-type 3/3
+
+iptables -A FORWARD -p icmp --icmp-type    fragmentation-needed
+iptables -D FORWARD -p icmp --icmp-type 3/4
+
+iptables -A FORWARD -p icmp --icmp-type    source-route-failed
+iptables -D FORWARD -p icmp --icmp-type 3/5
+
+iptables -A FORWARD -p icmp --icmp-type    network-unknown
+iptables -D FORWARD -p icmp --icmp-type 3/6
+
+iptables -A FORWARD -p icmp --icmp-type    host-unknown
+iptables -D FORWARD -p icmp --icmp-type 3/7
+
+iptables -A FORWARD -p icmp --icmp-type    network-prohibited
+iptables -D FORWARD -p icmp --icmp-type 3/9
+
+iptables -A FORWARD -p icmp --icmp-type    host-prohibited
+iptables -D FORWARD -p icmp --icmp-type 3/10
+
+iptables -A FORWARD -p icmp --icmp-type    TOS-network-unreachable
+iptables -D FORWARD -p icmp --icmp-type 3/11
+
+iptables -A FORWARD -p icmp --icmp-type    TOS-host-unreachable
+iptables -D FORWARD -p icmp --icmp-type 3/12
+
+iptables -A FORWARD -p icmp --icmp-type    communication-prohibited
+iptables -D FORWARD -p icmp --icmp-type 3/13
+
+iptables -A FORWARD -p icmp --icmp-type    host-precedence-violation
+iptables -D FORWARD -p icmp --icmp-type 3/14
+
+iptables -A FORWARD -p icmp --icmp-type    precedence-cutoff
+iptables -D FORWARD -p icmp --icmp-type 3/15
+
+iptables -A FORWARD -p icmp --icmp-type source-quench
+iptables -D FORWARD -p icmp --icmp-type 4
+
+iptables -A FORWARD -p icmp --icmp-type redirect
+iptables -D FORWARD -p icmp --icmp-type 5
+
+iptables -A FORWARD -p icmp --icmp-type    network-redirect
+iptables -D FORWARD -p icmp --icmp-type 5/0
+
+iptables -A FORWARD -p icmp --icmp-type    host-redirect
+iptables -D FORWARD -p icmp --icmp-type 5/1
+
+iptables -A FORWARD -p icmp --icmp-type    TOS-network-redirect
+iptables -D FORWARD -p icmp --icmp-type 5/2
+
+iptables -A FORWARD -p icmp --icmp-type    TOS-host-redirect
+iptables -D FORWARD -p icmp --icmp-type 5/3
+
+iptables -A FORWARD -p icmp --icmp-type echo-request
+iptables -D FORWARD -p icmp --icmp-type 8
+
+iptables -A FORWARD -p icmp --icmp-type echo-request
+iptables -D FORWARD -p icmp --icmp-type ping
+
+iptables -A FORWARD -p icmp --icmp-type router-advertisement
+iptables -D FORWARD -p icmp --icmp-type 9
+
+iptables -A FORWARD -p icmp --icmp-type router-solicitation
+iptables -D FORWARD -p icmp --icmp-type 10
+
+iptables -A FORWARD -p icmp --icmp-type time-exceeded
+iptables -D FORWARD -p icmp --icmp-type 11
+
+iptables -A FORWARD -p icmp --icmp-type time-exceeded
+iptables -D FORWARD -p icmp --icmp-type ttl-exceeded
+
+iptables -A FORWARD -p icmp --icmp-type    ttl-zero-during-transit
+iptables -D FORWARD -p icmp --icmp-type 11/0
+iptables -A FORWARD -p icmp --icmp-type    ttl-zero-during-reassembly
+iptables -D FORWARD -p icmp --icmp-type 11/1
+
+iptables -A FORWARD -p icmp --icmp-type parameter-problem
+iptables -D FORWARD -p icmp --icmp-type 12
+
+iptables -A FORWARD -p icmp --icmp-type    ip-header-bad
+iptables -D FORWARD -p icmp --icmp-type 12/0
+
+iptables -A FORWARD -p icmp --icmp-type    required-option-missing
+iptables -D FORWARD -p icmp --icmp-type 12/1
+
+iptables -A FORWARD -p icmp --icmp-type timestamp-request
+iptables -D FORWARD -p icmp --icmp-type 13
+
+iptables -A FORWARD -p icmp --icmp-type timestamp-reply
+iptables -D FORWARD -p icmp --icmp-type 14
+
+iptables -A FORWARD -p icmp --icmp-type address-mask-request
+iptables -D FORWARD -p icmp --icmp-type 17
+iptables -A FORWARD -p icmp --icmp-type address-mask-reply
+iptables -D FORWARD -p icmp --icmp-type 18
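Review bot: This file has no non-first-fragment case, although its header comment (`# Don't want conntrack to interfere with fragments.`) is carried over from the TCP and UDP scripts, which each end their positive tests with a "Fragments can never be examined" case; here the only coverage is type/code on whole packets. If the ICMP match, like the port matches, treats a non-first fragment as no match, a parallel case between the inverse tests and the mnemonic block would pin that; the gen_ip arguments below are copied from the UDP fragment case with the ICMP field layout used elsewhere in this file, so the fragment spelling should be checked against gen_ip before committing. If gen_ip cannot build such a packet, the header comment should instead say why the modules are reloaded. Separately, every inverse `-D` line uses the older `--icmp-type ! 2` spelling while the matching `-A` uses `! --icmp-type 2`; a one-line comment such as `# -D uses the legacy "--icmp-type ! N" spelling so both inversion forms get parsed.` would make clear this is deliberate rather than a copy-paste slip.
```shell
# … unchanged: inverse by type and code tests …

# Fragments can never be examined, even if data would look like match.
iptables -A FORWARD -p icmp --icmp-type 2 -j DROP
expect gen_ip send:eth1 {IPv4 FRAG=8 192.168.0.3 192.168.1.2}
gen_ip IF=eth0 FRAG=8,8 192.168.0.3 192.168.1.2 0 1 2 2 DATA \x00\x01
iptables -D FORWARD -p icmp --icmp-type 2 -j DROP

# … unchanged: type and code mnemonic checks …
```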

Added: trunk/nfsim-testsuite/01iptables/01tcp.sim
===================================================================
--- trunk/nfsim-testsuite/01iptables/01tcp.sim	2004-12-31 07:05:58 UTC (rev 3527)
+++ trunk/nfsim-testsuite/01iptables/01tcp.sim	2004-12-31 07:06:48 UTC (rev 3528)
@@ -0,0 +1,206 @@
+# Test simple matches for iptables: TCP
+
+# Don't want conntrack to interfere with fragments.
+rmmod -a
+insmod ip_tables
+insmod iptable_filter
+
+# By source port
+iptables -A FORWARD -p tcp --sport 2 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 2 SYN
+iptables -D FORWARD -p tcp --source-port 2 -j DROP
+
+# By source port range
+iptables -A FORWARD -p tcp --sport 2:5 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 2 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 3 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 3 2 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 4 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 4 2 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 5 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 5 2 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 6 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 6 2 SYN
+iptables -D FORWARD -p tcp --source-port 2:5 -j DROP
+
+# By destination port
+iptables -A FORWARD -p tcp --dport 2 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 2 SYN
+iptables -D FORWARD -p tcp --destination-port 2 -j DROP
+
+# By destination port range
+iptables -A FORWARD -p tcp --dport 2:5 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 2 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 3 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 3 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 4 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 4 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 5 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 5 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 6 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 6 SYN
+iptables -D FORWARD -p tcp --destination-port 2:5 -j DROP
+
+# By flags: --syn
+iptables -A FORWARD -p tcp --syn -j DROP
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN/FIN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN/FIN
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN/ACK}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN/ACK
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN/RST}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN/RST
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 ACK}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 ACK
+iptables -D FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -j DROP
+
+# By flags: general
+iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST,URG,PSH NONE -j DROP
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 NONE}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 NONE
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 ACK}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 ACK
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 RST}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 RST
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 FIN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 FIN
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 URG}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 URG
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 PSH}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 PSH
+iptables -D FORWARD -p tcp --tcp-flags ALL NONE -j DROP
+
+# By TCP option (TYPE, LEN, ...)
+iptables -A FORWARD -p tcp --tcp-option 2 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN OPT=3,4,2,2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN OPT=3,4,2,2
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN OPT=2,4,0,0}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN OPT=2,4,0,0
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN OPT=3,4,2,2,2,4,0,0}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN OPT=3,4,2,2,2,4,0,0
+iptables -D FORWARD -p tcp --tcp-option 2 -j DROP
+
+# Special case: invalid options don't lock up machine.
+iptables -A FORWARD -p tcp --tcp-option 2 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN OPT=3,0,0,0}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN OPT=3,0,0,0
+iptables -D FORWARD -p tcp --tcp-option 2 -j DROP
+
+# Special case: fragment at offset 1: will ALWAYS drop as "can't tell".
+iptables -A FORWARD -p tcp --sport 2 -j ACCEPT
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP *
+gen_ip IF=eth0 FRAG=8,16 192.168.0.3 192.168.1.2 0 6 2 1 SYN
+iptables -D FORWARD -p tcp --sport 2 -j ACCEPT
+
+# Fragments can never be examined, even if data would look like match.
+iptables -A FORWARD -p tcp --sport 1 -j DROP
+expect gen_ip send:eth1 {IPv4 FRAG=32 192.168.0.3 192.168.1.2}
+gen_ip IF=eth0 FRAG=32,32 192.168.0.3 192.168.1.2 0 6 1 2 SYN DATA 000000000000\x00\x01
+
+## FIXME: Test truncated packets.
+
+### Inverted tests.
+# By source port
+iptables -A FORWARD -p tcp ! --sport 2 -j DROP
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 1 2 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 2 SYN
+iptables -D FORWARD -p tcp --source-port ! 2 -j DROP
+
+# By source port range
+iptables -A FORWARD -p tcp ! --sport 2:5 -j DROP
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 1 2 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 2 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 3 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 3 2 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 4 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 4 2 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 5 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 5 2 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 6 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 6 2 SYN
+iptables -D FORWARD -p tcp --source-port ! 2:5 -j DROP
+
+# By destination port
+iptables -A FORWARD -p tcp ! --dport 2 -j DROP
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 2 SYN
+iptables -D FORWARD -p tcp --destination-port ! 2 -j DROP
+
+# By destination port range
+iptables -A FORWARD -p tcp ! --dport 2:5 -j DROP
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 2 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 2 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 3 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 3 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 4 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 4 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 5 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 5 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 6 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 6 SYN
+iptables -D FORWARD -p tcp --destination-port ! 2:5 -j DROP
+
+# By flags: --syn
+iptables -A FORWARD -p tcp ! --syn -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN/FIN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN/FIN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN/ACK}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN/ACK
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN/RST}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN/RST
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 ACK}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 ACK
+iptables -D FORWARD -p tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
+
+# By flags: general
+iptables -A FORWARD -p tcp ! --tcp-flags SYN,ACK,FIN,RST,URG,PSH NONE -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 NONE}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 NONE
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 ACK}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 ACK
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 RST}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 RST
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 FIN}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 FIN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 URG}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 URG
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 PSH}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 PSH
+iptables -D FORWARD -p tcp --tcp-flags ! ALL NONE -j DROP
+
+# By TCP option (TYPE, LEN, ...)
+iptables -A FORWARD -p tcp ! --tcp-option 2 -j DROP
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN OPT=3,4,2,2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN OPT=3,4,2,2
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN OPT=2,4,0,0}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN OPT=2,4,0,0
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 6 2 1 SYN OPT=3,4,2,2,2,4,0,0}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 6 2 1 SYN OPT=3,4,2,2,2,4,0,0
+iptables -D FORWARD -p tcp --tcp-option ! 2 -j DROP
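Review bot: The rule appended for the fragment case, `iptables -A FORWARD -p tcp --sport 1 -j DROP`, is the only rule in the file that is never deleted, so it is still first in FORWARD when the inverted tests run. The packets those tests expect to be dropped under `! --sport 2` and `! --sport 2:5` all carry source port 1, so the stale rule drops them whether or not the inversion works and those expectations cannot fail. Adding `iptables -D FORWARD -p tcp --sport 1 -j DROP` directly after the fragment gen_ip line restores the empty chain the later sections assume. 01udp.sim has the same leftover `iptables -A FORWARD -p udp --sport 1 -j DROP` masking its inverted source-port tests in the same way, and `iptables -D FORWARD -p udp --sport 1 -j DROP` after its fragment case fixes it.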

Added: trunk/nfsim-testsuite/01iptables/01udp.sim
===================================================================
--- trunk/nfsim-testsuite/01iptables/01udp.sim	2004-12-31 07:05:58 UTC (rev 3527)
+++ trunk/nfsim-testsuite/01iptables/01udp.sim	2004-12-31 07:06:48 UTC (rev 3528)
@@ -0,0 +1,110 @@
+# Test simple matches for iptables: UDP
+
+# Don't want conntrack to interfere with fragments.
+rmmod -a
+insmod ip_tables
+insmod iptable_filter
+
+# By source port
+iptables -A FORWARD -p udp --sport 2 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 17 1 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 1 2
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 17 2 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 2
+iptables -D FORWARD -p udp --source-port 2 -j DROP
+
+# By source port range
+iptables -A FORWARD -p udp --sport 2:5 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 17 1 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 1 2
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 17 2 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 2
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 17 3 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 3 2
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 17 4 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 4 2
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 17 5 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 5 2
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 17 6 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 6 2
+iptables -D FORWARD -p udp --source-port 2:5 -j DROP
+
+# By destination port
+iptables -A FORWARD -p udp --dport 2 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 17 2 1}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 1
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 17 2 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 2
+iptables -D FORWARD -p udp --destination-port 2 -j DROP
+
+# By destination port range
+iptables -A FORWARD -p udp --dport 2:5 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 17 2 1}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 1
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 17 2 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 2
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 17 2 3}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 3
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 17 2 4}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 4
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 17 2 5}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 5
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 17 2 6}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 6
+iptables -D FORWARD -p udp --destination-port 2:5 -j DROP
+
+# Fragments can never be examined, even if data would look like match.
+iptables -A FORWARD -p udp --sport 1 -j DROP
+expect gen_ip send:eth1 {IPv4 FRAG=8 192.168.0.3 192.168.1.2}
+gen_ip IF=eth0 FRAG=8,8 192.168.0.3 192.168.1.2 0 17 1 2 DATA \x00\x01
+
+# FIXME: Test truncated packet
+
+### Inverted tests.
+# By source port
+iptables -A FORWARD -p udp ! --sport 2 -j DROP
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 17 1 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 1 2
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 17 2 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 2
+iptables -D FORWARD -p udp --source-port ! 2 -j DROP
+
+# By source port range
+iptables -A FORWARD -p udp ! --sport 2:5 -j DROP
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 17 1 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 1 2
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 17 2 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 2
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 17 3 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 3 2
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 17 4 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 4 2
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 17 5 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 5 2
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 17 6 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 6 2
+iptables -D FORWARD -p udp --source-port ! 2:5 -j DROP
+
+# By destination port
+iptables -A FORWARD -p udp ! --dport 2 -j DROP
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 17 2 1}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 1
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 17 2 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 2
+iptables -D FORWARD -p udp --destination-port ! 2 -j DROP
+
+# By destination port range
+iptables -A FORWARD -p udp ! --dport 2:5 -j DROP
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 17 2 1}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 1
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 17 2 2}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 2
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 17 2 3}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 3
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 17 2 4}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 4
+expect gen_ip send:eth1 {IPv4 192.168.0.3 192.168.1.2 0 17 2 5}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 5
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.3 192.168.1.2 0 17 2 6}
+gen_ip IF=eth0 192.168.0.3 192.168.1.2 0 17 2 6
+iptables -D FORWARD -p udp --destination-port ! 2:5 -j DROP



