[testsuite] ipt_length
Samuel Jean
sj-netfilter at cookinglinux.org
Mon Dec 20 03:32:26 CET 2004
Hi Rusty,
I broke my head to do a complete test against TCP, UDP and ICMP.
Once I finished, I looked at ipt_length.c to obviously open my eyes
on the fact we test against the IP header.
Should not be so bad..
Damnit :)
--peejix
-------------- next part --------------
# Send 5 packets of different lengths; datalen 0 and 4 fall outside the 41:43 range.
# As the match tests the IP header's total length, any layer-4 protocol will do.
# TCP with no data gives a 40-byte packet (20 IP + 20 TCP), so datalen N gives 40+N bytes.
iptables -I INPUT -m length --length 41:43 -j DROP
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 1 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 2 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 3 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 4 6 1 2 SYN
iptables -D INPUT -m length --length 41:43 -j DROP
# Invert the whole thing
iptables -I INPUT -m length ! --length 41:43 -j DROP
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 1 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 2 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 3 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 4 6 1 2 SYN
iptables -D INPUT -m length ! --length 41:43 -j DROP
-------------- next part --------------
# Test a normal straight rule (expecting: success)
iptables -I INPUT -m length --length 100
iptables -D INPUT -m length --length 100
iptables -I INPUT -m length --length 100:200
iptables -D INPUT -m length --length 100:200
iptables -I INPUT -m length --length :100
iptables -D INPUT -m length --length :100
iptables -I INPUT -m length --length 100:
iptables -D INPUT -m length --length 100:
iptables -I INPUT -m length --length :
iptables -D INPUT -m length --length :
# Test both positions of the invert argument (expecting: success)
# Each rule is deleted again so INPUT is left empty, as in the length test above.
iptables -I INPUT -m length ! --length 100
iptables -D INPUT -m length ! --length 100
iptables -I INPUT -m length --length ! 100
iptables -D INPUT -m length --length ! 100
# Twin options are not allowed (expecting: failure)
expect iptables iptables: command failed
iptables -I INPUT -m length --length 100 --length 50
# Bad arguments (expecting: failure)
expect iptables iptables: command failed
iptables -I INPUT -m length --length -1
expect iptables iptables: command failed
iptables -I INPUT -m length --length 50:100:150
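To make the expectations in both attachments explicit, here is an added C model of the match (my code, not Samuel's scripts and not the ipt_length module itself): the user-space parser for the --length range, the kernel-side comparison on the IP total length XORed with the '!' inversion, and the resulting verdict for a TCP packet without options carrying datalen payload bytes. The 20-byte header constants, the 32-byte argument buffer and the function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define IP_HDR_LEN  20                 /* minimal IPv4 header, no options (assumed) */
#define TCP_HDR_LEN 20                 /* minimal TCP header, no options (assumed) */

struct length_range { uint16_t min, max; };  /* inclusive bounds on ip->tot_len */

/* One bound of "--length"; an empty field takes the default (0 or 65535). */
static int parse_bound(const char *s, long dflt, uint16_t *out)
{
    char *end; long v;
    if (*s == '\0') { *out = (uint16_t)dflt; return 0; }
    v = strtol(s, &end, 10);           /* overflow lands outside 0..65535 below */
    if (*end != '\0' || v < 0 || v > 0xFFFF)
        return -1;                     /* "-1", junk, or outside 16 bits */
    *out = (uint16_t)v;
    return 0;
}

/* Parse "N", "N:M", ":M", "N:" or ":" the way the user-space option does. */
int parse_length_range(const char *arg, struct length_range *r)
{
    char buf[32], *colon;
    if (strlen(arg) >= sizeof(buf)) return -1;
    strcpy(buf, arg);
    colon = strchr(buf, ':');
    if (!colon) {                      /* "100" means exactly 100 */
        if (parse_bound(buf, 0, &r->min)) return -1;
        r->max = r->min;
        return 0;
    }
    *colon = '\0';
    if (strchr(colon + 1, ':')) return -1;   /* "50:100:150" has two ':' */
    if (parse_bound(buf, 0, &r->min) || parse_bound(colon + 1, 0xFFFF, &r->max))
        return -1;
    return r->min <= r->max ? 0 : -1;  /* reversed bounds can never match */
}

/* Kernel-side test on the IP total length, XORed with the invert flag ('!'). */
int length_match(uint16_t tot_len, const struct length_range *r, int invert)
{
    return ((tot_len >= r->min && tot_len <= r->max) ? 1 : 0) ^ (invert ? 1 : 0);
}

/* Verdict of "-m length [!] --length RANGE -j DROP" for a TCP packet carrying
 * datalen payload bytes: 1 = NF_DROP, 0 = NF_ACCEPT, -1 = rule would not load. */
int drop_verdict(const char *range, int invert, uint16_t datalen)
{
    struct length_range r;
    if (parse_length_range(range, &r)) return -1;
    return length_match(IP_HDR_LEN + TCP_HDR_LEN + datalen, &r, invert);
}
```

Running drop_verdict("41:43", invert, d) for d = 0..4 reproduces the NF_ACCEPT/NF_DROP sequence of the first attachment, and the malformed ranges of the second attachment are rejected at parse time.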