[netfilter-cvslog] r3563 - trunk/nfsim-testsuite/01iptables

rusty at netfilter.org rusty at netfilter.org
Mon Jan 3 10:44:53 CET 2005


Author: rusty at netfilter.org
Date: 2005-01-03 10:44:52 +0100 (Mon, 03 Jan 2005)
New Revision: 3563

Added:
   trunk/nfsim-testsuite/01iptables/44multiport-r1.sim
   trunk/nfsim-testsuite/01iptables/44multiport.sim
Log:
Multiport test.  Inspired by Pablo's, only more systematic and thorough, and actually found a bug.


Added: trunk/nfsim-testsuite/01iptables/44multiport-r1.sim
===================================================================
--- trunk/nfsim-testsuite/01iptables/44multiport-r1.sim	2005-01-03 09:37:07 UTC (rev 3562)
+++ trunk/nfsim-testsuite/01iptables/44multiport-r1.sim	2005-01-03 09:44:52 UTC (rev 3563)
@@ -0,0 +1,74 @@
+# Test revision 1 of multiport (ie. with ranges).  Need revision 1.
+# XFAIL:linux:2.6.[0-9]
+# XFAIL:linux:2.6.10
+# XFAIL:iptables:1.2*
+
+# Source port 2-4
+iptables -I FORWARD -p tcp -m multiport --sports 2:4 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 1 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 2 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 2 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 3 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 3 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 4 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 4 1024 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 5 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 5 1024 SYN
+iptables -D FORWARD -p tcp -m multiport --source-ports 2:4 -j DROP
+
+# Destination port 2-4
+iptables -I FORWARD -p tcp -m multiport --dports 2:4 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 1024 1 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 1 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 2 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 2 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 3 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 3 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 4 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 4 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 1024 5 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 5 SYN
+iptables -D FORWARD -p tcp -m multiport --destination-ports 2:4 -j DROP
+
+# Either source or destination port 2-4.
+iptables -I FORWARD -p tcp -m multiport --ports 2:4 -j DROP
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 2 2 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 2 2 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 2 1 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 2 1 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 3 1 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 3 1 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 4 1 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 4 1 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 5 1 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 5 1 SYN
+iptables -D FORWARD -p tcp -m multiport --ports 2:4 -j DROP
+
+# More complex test
+iptables -I INPUT -p 6 -m multiport --sports 1:10,1000,1500:1501,2000:2005 -j DROP
+expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP {IPv4 192.168.0.2 192.168.0.1 0 6 1500 1 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 1500 1 SYN
+
+expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP {IPv4 192.168.0.2 192.168.0.1 0 6 1501 1 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 1501 1 SYN
+
+expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT {IPv4 192.168.0.2 192.168.0.1 0 6 1499 1 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 1499 1 SYN
+
+expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT {IPv4 192.168.0.2 192.168.0.1 0 6 1502 1 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 1502 1 SYN
+
+expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP {IPv4 192.168.0.2 192.168.0.1 0 6 2000 1 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 2000 1 SYN
+
+expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP {IPv4 192.168.0.2 192.168.0.1 0 6 2003 1 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 2003 1 SYN
+iptables -D INPUT -p 6 -m multiport --sports 1:10,1000,1500:1501,2000:2005 -j DROP
+
+# Parsing tests.
+expect iptables *invalid port*
+expect iptables iptables: command failed
+iptables -I INPUT -p 6 -m multiport --sports 1:10:30,40 -j DROP
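Review bot: The "More complex test" block never sends a packet with source port 1000, the only single port in `1:10,1000,1500:1501,2000:2005`. It also checks neither neighbour of that port nor the upper bounds of the first and last ranges (10/11 and 2005/2006). A single port sitting between ranges is where I would expect a range-flag or index slip to make the rule match fewer or more ports than written, and on a DROP rule that means traffic passes that the administrator believes is blocked. I would add probes for 999, 1000 and 1001 before the `iptables -D` line, in the same expect/gen_ip form as the 1499–1502 probes; 11 and 2006 can follow the same pattern.

```shell
# … unchanged: probes for 1500, 1501, 1499, 1502, 2000, 2003 …
# Single port between two ranges, and its immediate neighbours.
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT {IPv4 192.168.0.2 192.168.0.1 0 6 999 1 SYN}
gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 999 1 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP {IPv4 192.168.0.2 192.168.0.1 0 6 1000 1 SYN}
gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 1000 1 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT {IPv4 192.168.0.2 192.168.0.1 0 6 1001 1 SYN}
gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 1001 1 SYN
iptables -D INPUT -p 6 -m multiport --sports 1:10,1000,1500:1501,2000:2005 -j DROP
```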

Added: trunk/nfsim-testsuite/01iptables/44multiport.sim
===================================================================
--- trunk/nfsim-testsuite/01iptables/44multiport.sim	2005-01-03 09:37:07 UTC (rev 3562)
+++ trunk/nfsim-testsuite/01iptables/44multiport.sim	2005-01-03 09:44:52 UTC (rev 3563)
@@ -0,0 +1,448 @@
+# Test classic multiport.
+
+## TCP tests
+# Source port 2, not 1 or 3.
+iptables -I FORWARD -p tcp -m multiport --sports 2 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 1 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 2 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 2 1024 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 3 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 3 1024 SYN
+iptables -D FORWARD -p tcp -m multiport --source-ports 2 -j DROP
+
+# Destination port 2, not 1 or 3.
+iptables -I FORWARD -p tcp -m multiport --dports 2 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 1024 1 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 1 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 2 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 2 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 1024 3 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 3 SYN
+iptables -D FORWARD -p tcp -m multiport --destination-ports 2 -j DROP
+
+# Either destination or source ports 2.
+iptables -I FORWARD -p tcp -m multiport --ports 2 -j DROP
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1 2 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1 2 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 2 2 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 2 2 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 2 1 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 2 1 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 3 1 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 3 1 SYN
+iptables -D FORWARD -p tcp -m multiport --ports 2 -j DROP
+
+# All 15 multiple source ports.
+iptables -I FORWARD -p tcp -m multiport --sports 2,3,5,6,7,8,9,10,11,12,13,14,15,16,17 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 1 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 2 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 2 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 3 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 3 1024 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 4 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 4 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 5 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 5 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 6 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 6 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 7 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 7 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 8 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 8 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 9 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 9 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 10 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 10 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 11 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 11 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 12 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 12 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 13 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 13 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 14 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 14 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 15 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 15 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 16 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 16 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 17 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 17 1024 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 18 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 18 1024 SYN
+iptables -D FORWARD -p tcp -m multiport --sports 2,3,5,6,7,8,9,10,11,12,13,14,15,16,17 -j DROP
+
+# All 15 multiple destination ports.
+iptables -I FORWARD -p tcp -m multiport --dports 2,3,5,6,7,8,9,10,11,12,13,14,15,16,17 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 1024 1 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 1 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 2 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 2 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 3 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 3 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 1024 4 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 4 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 5 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 5 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 6 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 6 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 7 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 7 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 8 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 8 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 9 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 9 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 10 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 10 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 11 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 11 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 12 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 12 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 13 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 13 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 14 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 14 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 15 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 15 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 16 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 16 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 17 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 17 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 1024 18 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 18 SYN
+iptables -D FORWARD -p tcp -m multiport --destination-ports 2,3,5,6,7,8,9,10,11,12,13,14,15,16,17 -j DROP
+
+# All 15 multiple either ports.
+iptables -I FORWARD -p tcp -m multiport --ports 2,3,5,6,7,8,9,10,11,12,13,14,15,16,17 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 1 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 2 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 2 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 3 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 3 1024 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 4 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 4 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 5 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 5 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 6 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 6 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 7 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 7 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 8 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 8 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 9 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 9 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 10 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 10 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 11 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 11 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 12 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 12 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 13 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 13 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 14 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 14 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 15 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 15 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 16 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 16 1024 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 17 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 17 1024 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 18 1024 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 18 1024 SYN
+
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 1024 1 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 1 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 2 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 2 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 3 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 3 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 1024 4 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 4 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 5 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 5 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 6 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 6 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 7 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 7 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 8 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 8 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 9 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 9 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 10 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 10 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 11 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 11 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 12 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 12 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 13 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 13 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 14 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 14 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 15 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 15 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 16 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 16 SYN
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 6 1024 17 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 17 SYN
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 6 1024 18 SYN}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 6 1024 18 SYN
+iptables -D FORWARD -p tcp -m multiport --ports 2,3,5,6,7,8,9,10,11,12,13,14,15,16,17 -j DROP
+
+## UDP tests
+# Source port 2, not 1 or 3.
+iptables -I FORWARD -p udp -m multiport --sports 2 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 17 1 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 2 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 2 1024
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 17 3 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 3 1024
+iptables -D FORWARD -p udp -m multiport --source-ports 2 -j DROP
+
+# Destination port 2, not 1 or 3.
+iptables -I FORWARD -p udp -m multiport --dports 2 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 17 1024 1}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 1
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 2}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 2
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 17 1024 3}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 3
+iptables -D FORWARD -p udp -m multiport --destination-ports 2 -j DROP
+
+# Either destination or source ports 2.
+iptables -I FORWARD -p udp -m multiport --ports 2 -j DROP
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1 2}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1 2
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 2 2}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 2 2
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 2 1}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 2 1
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 17 3 1}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 3 1
+iptables -D FORWARD -p udp -m multiport --ports 2 -j DROP
+
+# All 15 multiple source ports.
+iptables -I FORWARD -p udp -m multiport --sports 2,3,5,6,7,8,9,10,11,12,13,14,15,16,17 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 17 1 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 2 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 2 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 3 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 3 1024
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 17 4 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 4 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 5 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 5 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 6 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 6 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 7 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 7 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 8 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 8 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 9 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 9 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 10 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 10 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 11 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 11 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 12 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 12 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 13 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 13 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 14 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 14 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 15 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 15 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 16 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 16 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 17 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 17 1024
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 17 18 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 18 1024
+iptables -D FORWARD -p udp -m multiport --sports 2,3,5,6,7,8,9,10,11,12,13,14,15,16,17 -j DROP
+
+# All 15 multiple destination ports.
+iptables -I FORWARD -p udp -m multiport --dports 2,3,5,6,7,8,9,10,11,12,13,14,15,16,17 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 17 1024 1}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 1
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 2}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 2
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 3}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 3
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 17 1024 4}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 4
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 5}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 5
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 6}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 6
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 7}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 7
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 8}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 8
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 9}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 9
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 10}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 10
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 11}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 11
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 12}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 12
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 13}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 13
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 14}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 14
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 15}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 15
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 16}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 16
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 17}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 17
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 17 1024 18}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 18
+iptables -D FORWARD -p udp -m multiport --destination-ports 2,3,5,6,7,8,9,10,11,12,13,14,15,16,17 -j DROP
+
+# All 15 multiple either ports.
+iptables -I FORWARD -p udp -m multiport --ports 2,3,5,6,7,8,9,10,11,12,13,14,15,16,17 -j DROP
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 17 1 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 2 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 2 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 3 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 3 1024
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 17 4 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 4 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 5 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 5 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 6 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 6 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 7 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 7 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 8 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 8 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 9 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 9 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 10 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 10 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 11 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 11 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 12 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 12 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 13 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 13 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 14 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 14 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 15 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 15 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 16 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 16 1024
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 17 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 17 1024
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 17 18 1024}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 18 1024
+
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 17 1024 1}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 1
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 2}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 2
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 3}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 3
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 17 1024 4}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 4
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 5}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 5
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 6}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 6
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 7}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 7
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 8}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 8
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 9}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 9
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 10}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 10
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 11}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 11
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 12}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 12
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 13}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 13
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 14}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 14
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 15}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 15
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 16}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 16
+expect gen_ip hook:NF_IP_FORWARD * NF_DROP {IPv4 192.168.0.2 192.168.1.2 0 17 1024 17}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 17
+expect gen_ip send:eth1 {IPv4 192.168.0.2 192.168.1.2 0 17 1024 18}
+gen_ip IF=eth0 192.168.0.2 192.168.1.2 0 17 1024 18
+iptables -D FORWARD -p udp -m multiport --ports 2,3,5,6,7,8,9,10,11,12,13,14,15,16,17 -j DROP
+
+## Various parsing checks.
+# Must be udp or tcp
+expect iptables *multiport*
+expect iptables iptables: command failed
+iptables -A FORWARD -p icmp -m multiport --ports 1
+
+expect iptables *multiport*
+expect iptables iptables: command failed
+iptables -A FORWARD -m multiport --ports 1
+
+# Must not be inverted
+#expect iptables *multiport*
+#expect iptables iptables: command failed
+#iptables -A FORWARD -p ! udp -m multiport --ports 1
+#
+#expect iptables *multiport*
+#expect iptables iptables: command failed
+#iptables -A FORWARD -p ! tcp -m multiport --ports 1
+
+# Doesn't support invert.
+expect iptables *multiport*
+expect iptables iptables: command failed
+iptables -A FORWARD -p tcp -m multiport ! --sports 1
+expect iptables *multiport*
+expect iptables iptables: command failed
+iptables -A FORWARD -p tcp -m multiport --sports ! 1
+expect iptables *multiport*
+expect iptables iptables: command failed
+iptables -A FORWARD -p tcp -m multiport ! --dports 1
+expect iptables *multiport*
+expect iptables iptables: command failed
+iptables -A FORWARD -p tcp -m multiport --dports ! 1
+expect iptables *multiport*
+expect iptables iptables: command failed
+iptables -A FORWARD -p tcp -m multiport ! --ports 1
+expect iptables *multiport*
+expect iptables iptables: command failed
+iptables -A FORWARD -p tcp -m multiport --ports ! 1
+
+# Doesn't support more than one option at once.
+expect iptables *multiport*
+expect iptables iptables: command failed
+iptables -A FORWARD -p tcp -m multiport --ports 1 --sports 1
+expect iptables *multiport*
+expect iptables iptables: command failed
+iptables -A FORWARD -p tcp -m multiport --ports 1 --dports 1
+expect iptables *multiport*
+expect iptables iptables: command failed
+iptables -A FORWARD -p tcp -m multiport --sports 1 --dports 1
+
+# by name: echo is 7. systat is TCP only, 11. rlp is UDP only, 39.
+iptables -A FORWARD -p tcp -m multiport --dports systat,100,echo
+iptables -D FORWARD -p tcp -m multiport --dports 11,100,7
+iptables -A FORWARD -p udp -m multiport --dports rlp,100,echo
+iptables -D FORWARD -p udp -m multiport --dports 39,100,7
+
+# Only 15 ports.
+expect iptables *too many ports*
+expect iptables iptables: command failed
+iptables -A FORWARD -p tcp -m multiport --sports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
+expect iptables *too many ports*
+expect iptables iptables: command failed
+iptables -A FORWARD -p tcp -m multiport --dports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
+expect iptables *too many ports*
+expect iptables iptables: command failed
+iptables -A FORWARD -p tcp -m multiport --ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
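Review bot: The "Must not be inverted" block is committed commented out with no reason given, so the suite has no check that `-p ! udp` or `-p ! tcp` combined with `-m multiport` is refused. If such a rule were accepted, the match would presumably be evaluated on packets of protocols that carry no TCP/UDP port fields, which is the situation the "Must be udp or tcp" checks just above guard against. I would put a line above the block such as `# Disabled: <reason goes here> - re-enable once -p ! proto is rejected with multiport.` so the gap stays visible. Separately, most negative checks in this file expect only `*multiport*`, which any error mentioning the match name would satisfy; a more specific pattern per case, as the `*too many ports*` checks at the end use, would keep a test from passing for the wrong reason.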



