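# nfsim test script for the ipt_ttl match (-m ttl).
#
# Part 1: argument range checking in the iptables ttl extension.
# A TTL is an 8-bit field, so values outside 0..255 must be rejected
# with "command failed".  At the time this test was written the bound
# check was missing: the patch adding it was lost somewhere in the
# outer limit (see the cvslog thread below), so these commands succeed
# when they should fail.  The expectations record the intended behaviour.
# https://lists.netfilter.org/pipermail/netfilter-cvslog/2004-July/003454.html
#
# NOTE(review): in nfsim an `expect` is consumed by the next invocation of
# the named command, so every command whose result matters is preceded by
# its own `expect` line rather than sharing one.
expect iptables iptables: command failed
iptables -A INPUT -m ttl --ttl-eq -1
expect iptables iptables: command failed
iptables -A INPUT -m ttl --ttl-gt 300
expect iptables iptables: command failed
iptables -A INPUT -m ttl --ttl-lt -2000

# Part 2: the match function itself, checked via the nat PREROUTING hook.
# Each rule is inserted at the top of the chain (-I) and then exercised
# with a packet whose TTL satisfies exactly that rule; all three packets
# must get an NF_DROP verdict.  Flow is 192.168.0.2 -> 192.168.0.1, tcp,
# sport 1, dport 2, SYN, arriving on eth0.
expect gen_ip hook:NF_IP_PRE_ROUTING iptable_nat NF_DROP *
iptables -t nat -I PREROUTING -m ttl --ttl-eq 50 -j DROP
gen_ip IF=eth0 TTL=50 192.168.0.2 192.168.0.1 0 tcp 1 2 SYN

expect gen_ip hook:NF_IP_PRE_ROUTING iptable_nat NF_DROP *
iptables -t nat -I PREROUTING -m ttl --ttl-gt 51 -j DROP
gen_ip IF=eth0 TTL=55 192.168.0.2 192.168.0.1 0 tcp 1 2 SYN

expect gen_ip hook:NF_IP_PRE_ROUTING iptable_nat NF_DROP *
iptables -t nat -I PREROUTING -m ttl --ttl-lt 50 -j DROP
gen_ip IF=eth0 TTL=49 192.168.0.2 192.168.0.1 0 tcp 1 2 SYN

# Negative case: TTL=51 is not equal to 50, not greater than 51 and not
# less than 50, so none of the three DROP rules match and the packet
# must be NF_ACCEPT'ed.  This also guards against an inverted or
# off-by-one comparison in --ttl-gt / --ttl-lt.
expect gen_ip hook:NF_IP_PRE_ROUTING iptable_nat NF_ACCEPT *
gen_ip IF=eth0 TTL=51 192.168.0.2 192.168.0.1 0 tcp 1 2 SYN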