# Send 5 packets with different length where datalen 0 & 4 are out of range.
# As it tests against the ip header, whatever layer4 proto we use is OK.
# TCP with no data ends up with a packet of 40 bytes, so a payload of
# 1..3 bytes gives 41..43 bytes on the wire and falls inside --length 41:43,
# while 0 and 4 bytes (40 and 44) fall outside it.
#
# `expect` and `gen_ip` are harness helpers supplied by the testsuite, not
# defined in this file; `iptables` needs the usual privileges.
#
# NOTE(review): the trailing `*` is passed to `expect` unquoted, presumably as
# a wildcard understood by the harness; it would glob against the cwd unless
# the runner has `noglob` set — confirm with the harness.

# Fire one SYN per expected verdict, with the payload length counting up from
# 0: the N-th argument is the verdict expected for datalen N-1.
#
# Arguments: $1.. - expected verdict (NF_ACCEPT / NF_DROP) for datalen 0, 1, ...
# Outputs:   whatever expect/gen_ip print
run_series() {
  local datalen=0
  local verdict
  for verdict in "$@"; do
    # Register the expectation first, then inject the packet it applies to.
    expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter "$verdict" *
    # src 192.168.0.2 -> dst 192.168.0.1, proto 6 (TCP), sport 1, dport 2, SYN
    gen_ip IF=eth0 192.168.0.2 192.168.0.1 "$datalen" 6 1 2 SYN
    datalen=$((datalen + 1))
  done
}

# Plain match: only 41..43 byte packets (datalen 1..3) are dropped.
iptables -I INPUT -m length --length 41:43 -j DROP
run_series NF_ACCEPT NF_DROP NF_DROP NF_DROP NF_ACCEPT
iptables -D INPUT -m length --length 41:43 -j DROP

# Invert the whole thing: now everything *outside* 41..43 is dropped.
iptables -I INPUT -m length ! --length 41:43 -j DROP
run_series NF_DROP NF_ACCEPT NF_ACCEPT NF_ACCEPT NF_DROP
iptables -D INPUT -m length ! --length 41:43 -j DROP