[testsuite] ipt_length

Samuel Jean sj-netfilter at cookinglinux.org
Mon Dec 20 03:32:26 CET 2004


Hi rusty,

I broke my head to do a complete test against TCP, UDP and ICMP.
Once I finished, I looked at ipt_length.c to obviously open my eyes
on the fact we test against the IP header.

Should be not so bad..

Damnit :)

--peejix
-------------- next part --------------
# Send 5 packets with different length where datalen 0 & 4 are out of range.
# As it tests against the ip header, whatever layer4 proto we use is OK.
# TCP with no data ends up with a packet of 40 bytes.

iptables -I INPUT -m length --length 41:43 -j DROP
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 1 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 2 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 3 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 4 6 1 2 SYN
iptables -D INPUT -m length --length 41:43 -j DROP

# Invert the whole thing
iptables -I INPUT -m length ! --length 41:43 -j DROP
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 1 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 2 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 3 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 4 6 1 2 SYN
iptables -D INPUT -m length ! --length 41:43 -j DROP
-------------- next part --------------
# Test a normal straight rule (expecting: success)
iptables -I INPUT -m length --length 100
iptables -D INPUT -m length --length 100
iptables -I INPUT -m length --length 100:200
iptables -D INPUT -m length --length 100:200
iptables -I INPUT -m length --length :100
iptables -D INPUT -m length --length :100
iptables -I INPUT -m length --length 100:
iptables -D INPUT -m length --length 100:
iptables -I INPUT -m length --length :
iptables -D INPUT -m length --length :


# Test both invert argument forms (expecting: success), then remove the rules again
iptables -I INPUT -m length ! --length 100
iptables -D INPUT -m length ! --length 100
iptables -I INPUT -m length --length ! 100
iptables -D INPUT -m length --length ! 100

# Twin options are not allowed (expecting: failure)
expect iptables iptables: command failed
iptables -I INPUT -m length --length 100 --length 50

# Bad arguments (expecting: failure)
expect iptables iptables: command failed
iptables -I INPUT -m length --length -1
expect iptables iptables: command failed
iptables -I INPUT -m length --length 50:100:150
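As an added illustration (not part of the original mail or the netfilter testsuite), the following Python models what the two attachments exercise: the `--length` argument grammar from the second script, and the match itself, which reads the IPv4 total-length field rather than the layer-4 payload, so the five TCP SYN packets from the first script get exactly the verdicts listed there. The packets, the 0 / 65535 defaults for open-ended ranges, and the `NF_DROP`-on-match verdict mirror a `-j DROP` rule and are assumptions of this model.

```python
import struct

def parse_length_spec(spec):
    """Parse an iptables `--length` value: N, MIN:MAX, :MAX, MIN: or ':'.
    Open ends default to 0 and 65535 (assumed here, as in the userspace parser).
    Raises ValueError for malformed input such as '-1' or '50:100:150'."""
    parts = spec.split(":")
    if len(parts) > 2:
        raise ValueError("too many fields: %r" % spec)
    if len(parts) == 1:
        lo = hi = int(parts[0])
    else:
        lo = int(parts[0]) if parts[0] else 0
        hi = int(parts[1]) if parts[1] else 0xFFFF
    if not 0 <= lo <= hi <= 0xFFFF:
        raise ValueError("bad range: %r" % spec)
    return lo, hi

def spec_is_valid(spec):
    """True if iptables would accept the argument, False if it should fail."""
    try:
        parse_length_spec(spec)
        return True
    except ValueError:
        return False

def build_ipv4_packet(datalen, proto=6):
    """Constructed packet: 20-byte IPv4 header + L4 header + datalen payload bytes.
    Like gen_ip in the testsuite, a TCP packet with datalen 0 is 40 bytes long."""
    l4_hdr_len = {6: 20, 17: 8, 1: 8}[proto]        # TCP, UDP, ICMP headers
    total = 20 + l4_hdr_len + datalen
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                         bytes([192, 168, 0, 2]), bytes([192, 168, 0, 1]))
    return ip_hdr + b"\x00" * (l4_hdr_len + datalen)

def length_match(packet, lo, hi, invert=False):
    """What ipt_length does: compare ip->tot_len (bytes 2-3) with the range,
    XOR the invert flag. The L4 protocol and payload are never looked at."""
    tot_len = struct.unpack("!H", packet[2:4])[0]
    return (lo <= tot_len <= hi) != invert

def verdict(packet, lo, hi, invert=False):
    """Verdict of a `-m length ... -j DROP` rule on this packet."""
    return "NF_DROP" if length_match(packet, lo, hi, invert) else "NF_ACCEPT"

def run_table(spec, invert=False):
    """Replay the first attachment: TCP SYN packets with datalen 0..4."""
    lo, hi = parse_length_spec(spec)
    return [verdict(build_ipv4_packet(n), lo, hi, invert) for n in range(5)]
```

Because only the total length is compared, a UDP datagram whose total length also falls in 41:43 is dropped by the same rule, which is the point the mail makes about the layer-4 protocol being irrelevant.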
