* [testsuite] ipt_length
@ 2004-12-20 2:32 Samuel Jean
From: Samuel Jean @ 2004-12-20 2:32 UTC
To: Rusty Russell; +Cc: netfilter-devel, Nicolas Bouliane
[-- Attachment #1: Type: text/plain, Size: 232 bytes --]
Hi Rusty,
I broke my head to do a complete test against TCP, UDP and ICMP.
Once I finished, I looked at ipt_length.c to obviously open my eyes
to the fact that we test against the IP header.
Should not be so bad..
Damnit :)
--peejix
[-- Attachment #2: 39ipt_length.sim --]
[-- Type: text/plain, Size: 1549 bytes --]
# Send 5 packets with different lengths, where datalen 0 & 4 are out of range.
# As it tests against the ip header, whatever layer4 proto we use is OK.
# TCP with no data ends up with a packet of 40 bytes.
iptables -I INPUT -m length --length 41:43 -j DROP
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 1 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 2 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 3 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 4 6 1 2 SYN
iptables -D INPUT -m length --length 41:43 -j DROP
# Invert the whole thing
iptables -I INPUT -m length ! --length 41:43 -j DROP
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 1 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 2 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 3 6 1 2 SYN
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP *
gen_ip IF=eth0 192.168.0.2 192.168.0.1 4 6 1 2 SYN
iptables -D INPUT -m length ! --length 41:43 -j DROP
[-- Attachment #3: 38ipt_length-bad-args.sim --]
[-- Type: text/plain, Size: 961 bytes --]
# Test a normal straight rule (expecting: success)
iptables -I INPUT -m length --length 100
iptables -D INPUT -m length --length 100
iptables -I INPUT -m length --length 100:200
iptables -D INPUT -m length --length 100:200
iptables -I INPUT -m length --length :100
iptables -D INPUT -m length --length :100
iptables -I INPUT -m length --length 100:
iptables -D INPUT -m length --length 100:
iptables -I INPUT -m length --length :
iptables -D INPUT -m length --length :
# Test both forms of the invert argument (expecting: success)
iptables -I INPUT -m length ! --length 100
iptables -I INPUT -m length --length ! 100
# Twin options are not allowed (expecting: failure)
expect iptables iptables: command failed
iptables -I INPUT -m length --length 100 --length 50
# Bad arguments (expecting: failure)
expect iptables iptables: command failed
iptables -I INPUT -m length --length -1
expect iptables iptables: command failed
iptables -I INPUT -m length --length 50:100:150
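
The expectations in both attachments, restated as an added Python model (not part of the original message, and not code from ipt_length.c or iptables). The function names are hypothetical, the packet is assumed to be IPv4 plus TCP without options (40 bytes of headers, as the script comment says), and the defaults of 0 and 65535 for an omitted bound are an assumption.

```python
# Added model of the length match as exercised by the two .sim scripts.
# Not code from ipt_length.c or iptables; all names here are hypothetical.
IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
MAX_LEN = 0xFFFF   # the IPv4 total-length field is 16 bits wide


def parse_length_spec(spec):
    """Return (lo, hi) for a --length argument, or raise ValueError.

    Assumption: an omitted bound defaults to 0 (left) or 65535 (right).
    """
    parts = spec.split(":")
    if len(parts) > 2:
        raise ValueError("too many ':' in %r" % spec)    # e.g. 50:100:150

    def bound(text, default):
        if text == "":
            return default
        if not (text.isascii() and text.isdigit()) or int(text) > MAX_LEN:
            raise ValueError("bad length %r" % text)     # e.g. -1
        return int(text)

    if len(parts) == 1:
        if parts[0] == "":
            raise ValueError("empty length")
        lo = hi = bound(parts[0], 0)                     # single value: lo == hi
    else:
        lo, hi = bound(parts[0], 0), bound(parts[1], MAX_LEN)
    return lo, hi


def accepts(spec):
    """True if the argument parses, False where the script expects failure."""
    try:
        parse_length_spec(spec)
        return True
    except ValueError:
        return False


def verdict(spec, datalen, invert=False):
    """Verdict of `-m length [!] --length spec -j DROP` for a TCP packet
    carrying datalen payload bytes; a packet that does not match is accepted."""
    lo, hi = parse_length_spec(spec)
    total = IP_HDR + TCP_HDR + datalen        # IP total length, not payload size
    matched = (lo <= total <= hi) != invert   # inclusive bounds, then inversion
    return "NF_DROP" if matched else "NF_ACCEPT"


def run_table(spec, invert=False):
    """Verdicts for datalen 0..4, the five packets the .sim script sends."""
    return [verdict(spec, n, invert) for n in range(5)]
```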