[netfilter-cvslog] r3547 - trunk/nfsim-testsuite/01iptables

rusty at netfilter.org rusty at netfilter.org
Sun Jan 2 12:33:40 CET 2005


Author: rusty at netfilter.org
Date: 2005-01-02 12:33:40 +0100 (Sun, 02 Jan 2005)
New Revision: 3547

Added:
   trunk/nfsim-testsuite/01iptables/42limit.sim
Log:
Test for limit

Added: trunk/nfsim-testsuite/01iptables/42limit.sim
===================================================================
--- trunk/nfsim-testsuite/01iptables/42limit.sim	2005-01-02 11:28:07 UTC (rev 3546)
+++ trunk/nfsim-testsuite/01iptables/42limit.sim	2005-01-02 11:33:40 UTC (rev 3547)
@@ -0,0 +1,105 @@
+# limit match
+
+# Second one in a second, minute, hour, day should be dropped.
+iptables -A FORWARD -m limit --limit-burst 1 --limit 1/sec -j LOG --log-prefix=MATCHED!
+expect gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+expect ! gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+time +1
+expect gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+iptables -D FORWARD -m limit --limit-burst 1 --limit 1/sec -j LOG --log-prefix=MATCHED!
+
+iptables -A FORWARD -m limit --limit-burst 1 --limit 1/min -j LOG --log-prefix=MATCHED!
+expect gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+expect ! gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+time +59
+expect ! gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+time +1
+expect gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+iptables -D FORWARD -m limit --limit-burst 1 --limit 1/min -j LOG --log-prefix=MATCHED!
+
+iptables -A FORWARD -m limit --limit-burst 1 --limit 1/hour -j LOG --log-prefix=MATCHED!
+expect gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+expect ! gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+time +3599
+expect ! gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+time +1
+expect gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+iptables -D FORWARD -m limit --limit-burst 1 --limit 1/hour -j LOG --log-prefix=MATCHED!
+
+iptables -A FORWARD -m limit --limit-burst 1 --limit 1/day -j LOG --log-prefix=MATCHED!
+expect gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+expect ! gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+time +86399
+expect ! gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+time +1
+expect gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+iptables -D FORWARD -m limit --limit-burst 1 --limit 1/day -j LOG --log-prefix=MATCHED!
+
+# Test playing with --limit-burst.
+iptables -A FORWARD -m limit --limit-burst 2 --limit 1/min -j LOG --log-prefix=MATCHED!
+# Two pass, one fails.
+expect gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+expect gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+expect ! gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+# Another one can get through after 1 minute.
+time +59
+expect ! gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+time +1
+expect gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+expect ! gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+# After two minutes, we're back to letting two through.
+time +120
+expect gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+expect gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+expect ! gen_ip *MATCHED!*
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3
+iptables -D FORWARD -m limit --limit-burst 2 --limit 1/min -j LOG --log-prefix=MATCHED!
+
+# Test parsing
+# default
+iptables -A FORWARD -m limit
+iptables -D FORWARD -m limit --limit 3/hour --limit-burst 5
+
+# /sec is the default
+iptables -A FORWARD -m limit --limit 1/sec
+iptables -D FORWARD -m limit --limit 1
+
+iptables -A FORWARD -m limit --limit 60/min
+iptables -D FORWARD -m limit --limit 1/sec
+
+iptables -A FORWARD -m limit --limit 60/hour
+iptables -D FORWARD -m limit --limit 1/min
+
+iptables -A FORWARD -m limit --limit 24/day
+iptables -D FORWARD -m limit --limit 1/hour
+
+# Test output
+iptables -A FORWARD -m limit --limit 5/second --limit-burst 10
+expect iptables * limit: avg 5/sec burst 10
+iptables -L FORWARD
+iptables -D FORWARD -m limit --limit 5/second --limit-burst 10
+
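Review bot: The final `gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 3` in the `--limit-burst 2` section, just before the `iptables -D`, has no `expect` line in front of it, so that packet's outcome appears to go unchecked; either drop it or precede it with `expect ! gen_ip *MATCHED!*` so the fourth packet is asserted as not logged. In the same section, `time +120` refills exactly two intervals at 1/min, so the two-pass/one-fail result does not show that accumulated credit is capped at the burst value. Repeating the same sequence after a much longer idle, e.g. `time +600`, would pin the cap, which is the property that keeps an idle period from turning into an oversized burst of log entries. The opening comment says the second packet "should be dropped", but the target is LOG, so `# Second one in a second, minute, hour, day should not match.` would describe the check more accurately.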



