[testsuite] ipt_iprange

Samuel Jean sj-netfilter at cookinglinux.org
Fri Dec 17 00:02:19 CET 2004


Hi rusty,

Here's a (probably complete) nfsim testsuite against ipt_iprange match.
By now, 27ipt_iprange-bad-addr.sim is failing.. safe to add into 
expected-failures.

Cheers,

Samuel

-------------- next part --------------
# Input some junk ip range.
# Obviously, this test must fail.
expect iptables iptables: command failed
iptables -A INPUT -m iprange --src-range 0.0.0.0-500.400.300.200
iptables -A INPUT -m iprange --dst-range 0.0.0.0-500.400.300.200

# Check if inputting the same option twice overrides the previous one.
# This should ring the bell.
# Side note: Fixed in SVN since Mon Jul 12 07:16:54 2004 UTC, Revision 1407

iptables -A INPUT -m iprange --src-range 0.0.0.0-1.1.1.1 --src-range 1.1.1.1-2.2.2.2
iptables -A INPUT -m iprange --dst-range 0.0.0.0-1.1.1.1 --dst-range 1.1.1.1-2.2.2.2

# Giving a source and destination range should succeed.
expect ! iptables iptables: command failed
iptables -A INPUT -m iprange --src-range 0.0.0.0-1.1.1.1 --dst-range 1.1.1.1-2.2.2.2

# Invert
iptables -A INPUT -m iprange ! --src-range 0.0.0.0-1.1.1.1 ! --dst-range 1.1.1.1-2.2.2.2

# Remove me!
iptables -D INPUT -m iprange --src-range 0.0.0.0-1.1.1.1 --dst-range 1.1.1.1-2.2.2.2
iptables -D INPUT -m iprange ! --src-range 0.0.0.0-1.1.1.1 ! --dst-range 1.1.1.1-2.2.2.2

-------------- next part --------------
# Initial scenario: give a route for FORWARD'ed packets
route add 0.0.0.0/0 eth1

# Source address belongs to this range?
iptables -I INPUT -m iprange --src-range 10.0.0.0-10.0.0.5 -j DROP
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP {IPv4 10.0.0.2 192.168.0.1 0 6 1 2 SYN}
gen_ip IF=eth0 10.0.0.2 192.168.0.1 0 tcp 1 2 SYN

# Source address doesn't belong to this range?
iptables -I INPUT -m iprange ! --src-range 10.0.0.0-10.0.0.5 -j ACCEPT
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT {IPv4 192.168.0.2 192.168.0.1 0 6 1 2 SYN}
gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 tcp 1 2 SYN

# Destination address belongs to this range?
iptables -I INPUT -m iprange --dst-range 192.168.0.0-192.168.0.255 -j DROP
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP {IPv4 10.0.0.2 192.168.0.1 0 6 1 2 SYN}
gen_ip IF=eth0 10.0.0.2 192.168.0.1 0 tcp 1 2 SYN

# Destination address doesn't belong to this range?
iptables -I FORWARD -m iprange ! --dst-range 192.168.0.0-192.168.0.255 -j DROP
expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 10.0.0.2 10.0.0.1 0 6 1 2 SYN}
gen_ip IF=eth0 10.0.0.2 10.0.0.1 0 tcp 1 2 SYN

# Source and destination belong..
iptables -I INPUT -m iprange --src-range 10.0.0.0-10.0.0.5 --dst-range 192.168.0.0-192.168.0.255 -j DROP
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP {IPv4 10.0.0.2 192.168.0.1 0 6 1 2 SYN}
gen_ip IF=eth0 10.0.0.2 192.168.0.1 0 tcp 1 2 SYN

# Source and destination don't belong..
iptables -I FORWARD -m iprange ! --src-range 10.0.0.0-10.0.0.5 ! --dst-range 192.168.0.0-192.168.0.255 -j DROP
expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.1 10.0.0.2 0 6 1 2 SYN}
gen_ip IF=eth0 192.168.0.1 10.0.0.2 0 tcp 1 2 SYN
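
Added example, not part of the original post and not netfilter code: a userspace C reference model of the range parsing and matching that the two test scripts above exercise, usable for cross-checking the expected verdicts. The names parse_range, range_match and rule_match are hypothetical, and refusing a reversed range is this model's own choice.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ip_range { uint32_t min, max; };   /* host byte order */

/* Parse "A.B.C.D-E.F.G.H"; 0 on success, -1 on junk (hypothetical helper). */
int parse_range(const char *s, struct ip_range *r)
{
    char lo_s[INET_ADDRSTRLEN] = {0};
    struct in_addr lo, hi;
    const char *dash = strchr(s, '-');
    size_t n = dash ? (size_t)(dash - s) : 0;
    if (dash == NULL || n >= sizeof(lo_s))
        return -1;
    memcpy(lo_s, s, n);
    /* inet_pton() refuses octets above 255, e.g. 500.400.300.200 */
    if (inet_pton(AF_INET, lo_s, &lo) != 1 || inet_pton(AF_INET, dash + 1, &hi) != 1)
        return -1;
    r->min = ntohl(lo.s_addr);
    r->max = ntohl(hi.s_addr);
    return r->min <= r->max ? 0 : -1;   /* reversed range refused: this model's choice */
}

/* 1 if addr passes the range test; invert models the "!" flag. */
int range_match(const struct ip_range *r, const char *addr, int invert)
{
    struct in_addr a;
    if (inet_pton(AF_INET, addr, &a) != 1)
        return 0;
    return (ntohl(a.s_addr) >= r->min && ntohl(a.s_addr) <= r->max) ^ !!invert;
}

/* A rule carrying both ranges matches only when both tests pass. */
int rule_match(const struct ip_range *src, int sinv, const struct ip_range *dst,
               int dinv, const char *saddr, const char *daddr)
{
    return range_match(src, saddr, sinv) && range_match(dst, daddr, dinv);
}

int main(void)
{
    struct ip_range src, dst, bad;
    int junk = parse_range("0.0.0.0-500.400.300.200", &bad);
    if (parse_range("10.0.0.0-10.0.0.5", &src) || parse_range("192.168.0.0-192.168.0.255", &dst))
        return 1;
    printf("junk=%d both=%d\n", junk, rule_match(&src, 0, &dst, 0, "10.0.0.2", "192.168.0.1"));
    return 0;
}
```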


