* [testsuite] ipt_recent
@ 2004-12-30 6:16 Samuel
2004-12-30 14:18 ` Stephen Frost
0 siblings, 1 reply; 2+ messages in thread
From: Samuel @ 2004-12-30 6:16 UTC (permalink / raw)
To: netfilter-devel; +Cc: Rusty Russell, Nicolas Bouliane
[-- Attachment #1: Type: text/plain, Size: 137 bytes --]
Hi rusty,
Here's the testcase for the ipt_recent module.
Note that it really doesn't behave like I think it should.
Cheers,
--peejix
[-- Attachment #2: 40ipt_recent.sh --]
[-- Type: text/plain, Size: 6990 bytes --]
#! /bin/sh
{
##
# Test #1: Incoming packets with differents source addresses
# For each source ip .2, .3 & .4; throw 10 packets.
# Increase kernel time after all nth packets are sent.
# Do NOT increase time for fifth packet so we burst the balloon
# So get NF_DROP'ed on 5th packet in a 1hit/1sec ratio.
#
# Also test invert behaviour.
for p in '' '! '; do # Test normal and then negated rule
echo iptables -I INPUT -m recent --name testcase --rsource \
--hitcount 1 --seconds 1 ${p}--update -j DROP
echo iptables -A INPUT -m recent --name testcase --set --rsource -j ACCEPT
for pkt in 1 2 3 4 5 6 7 8 9 10; do # The 10 packets we send
for h in 2 3 4; do # From each of 192.168.0.2, .3 & .4
if [ ! "$pkt" -eq "5" ]; then
[ -z $p ] && verdict=NF_ACCEPT || verdict=NF_DROP
# Fifth packet triggers the 1:1 ratio.
else
# Negation doesn't behave as it should..
#[ -z $p ] && verdict=NF_DROP || verdict=NF_ACCEPT
# FIXME: This doesn't make much sense...
# It always match so expect NF_DROP.
verdict=NF_DROP
fi
echo expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter $verdict '*'
echo gen_ip IF=eth0 192.168.0.$h 192.168.0.1 0 17 1 2
done
# Increasing by one triggers the 1:1 ratio, use 2.
[ ! "$pkt" -eq "4" ] && echo time +2
done
echo iptables -D INPUT -m recent --name testcase --rsource \
--hitcount 1 --seconds 1 ${p}--update -j DROP
echo iptables -D INPUT -m recent --name testcase --set --rsource -j ACCEPT
done
##
# Test #2: Forwarded packets with differents destination addresses
# For each destination ip .2, .3 & .4; throw 10 packets.
# Increase kernel time after all nth packets are sent.
# Do NOT increase time for fifth packet so we burst the balloon
# So get NF_DROP'ed on 5th packet in a 1hit/1sec ratio.
#
# This doesn't increase coverage but at least make sure
# that feature works :)
#
# Also test invert behaviour. (Isn't it cool?)
for p in '' '! '; do # Test normal and then negated rule
echo iptables -I FORWARD -m recent --name testcase --rdest \
--hitcount 1 --seconds 1 ${p}--update -j DROP
echo iptables -A FORWARD -m recent --name testcase --set --rdest -j ACCEPT
for pkt in 1 2 3 4 5 6 7 8 9 10; do # The 10 packets we send
for h in 2 3 4; do # To each of 192.168.1.2, .3 & .4
if [ ! "$pkt" -eq "5" ]; then
[ -z $p ] && verdict=NF_ACCEPT || verdict=NF_DROP
# Fifth packet triggers the 1:1 ratio.
else
# Negation doesn't behave as it should..
#[ -z $p ] && verdict=NF_DROP || verdict=NF_ACCEPT
# FIXME: This doesn't make much sense...
# It always match so expect NF_DROP.
verdict=NF_DROP
fi
echo expect gen_ip hook:NF_IP_FORWARD iptable_filter $verdict '*'
echo gen_ip IF=eth0 192.168.0.1 192.168.1.$h 0 17 1 2
done
# Increasing by one triggers the 1:1 ratio, use 2.
[ ! "$pkt" -eq "4" ] && echo time +2
done
echo iptables -D FORWARD -m recent --name testcase --rdest \
--hitcount 1 --seconds 1 ${p}--update -j DROP
echo iptables -D FORWARD -m recent --name testcase --set --rdest -j ACCEPT
done
##
# Test #3: Using the TTL lookup feature.
# Throw 5 packets where the 1st and 5th are twins (same TTL)
# So get NF_DROP'ed on 5th packet
#
# Let's see how it behaves when we first stamp the TTL after routing
# and do the checkup before routing. (insane scenario, I know)
#
# I must admit I wasn't sure of the result, nice to see it works. --peejix
echo iptables -t mangle -I PREROUTING -m recent --name testcase --rsource \
--rttl --rcheck -j DROP
echo iptables -I INPUT -m recent --name testcase --set --rttl --rsource -j ACCEPT
for ttl in 50 51 52 53; do # The 4 packets we send
echo expect gen_ip hook:NF_IP_PRE_ROUTING iptable_mangle NF_ACCEPT '*'
echo gen_ip IF=eth0 TTL=$ttl 192.168.0.2 192.168.0.1 0 17 1 2
done
# The 5th packet that matches the TTL stamped
echo expect gen_ip hook:NF_IP_PRE_ROUTING iptable_mangle NF_DROP '*'
echo gen_ip IF=eth0 TTL=50 192.168.0.2 192.168.0.1 0 17 1 2
echo iptables -t mangle -D PREROUTING -m recent --name testcase --rsource \
--rttl --rcheck -j DROP
echo iptables -D INPUT -m recent --name testcase --set --rttl --rsource -j ACCEPT
##
# Test #4: Using --hitcount in solo limiting 5 packets & more.
# We expect to NF_DROP 5th and 6th packet. IMO
#
# FIXME: Actually it only drops 6th packet. Shouldn't this
# acts the same on 5th packet ?
echo iptables -I INPUT -m recent --name testcase --rsource \
--hitcount 5 --rcheck -j DROP
echo iptables -A INPUT -m recent --name testcase --set --rsource -j ACCEPT
for pkt in 1 2 3 4 5; do # The 4 packets we send + an unexpected 5th
echo expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT '*'
echo gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 17 1 2
done
# The 5th and 6th packet _should_ get NF_DROP verdict
# However, only sixth packet will do. (Bug?)
echo expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP '*'
echo gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 17 1 2
echo iptables -D INPUT -m recent --name testcase --rsource \
--hitcount 5 --rcheck -j DROP
echo iptables -D INPUT -m recent --name testcase --set --rsource -j ACCEPT
##
# Test #5: Using --seconds in solo with a 1 seconds lap.
#
echo iptables -I INPUT -m recent --name testcase --rsource \
--seconds 1 --update -j DROP
echo iptables -A INPUT -m recent --name testcase --set --rsource -j ACCEPT
for pkt in 1 2 3 4 5; do # The 5 packets we send
# We do not increase time for 3rd packet. hence we expect NF_DROP
[ ! "$pkt" -eq "3" ] && { verdict=NF_ACCEPT; echo time +2; } || verdict=NF_DROP
echo expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter $verdict '*'
echo gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 17 1 2
done
echo iptables -D INPUT -m recent --name testcase --rsource \
--seconds 1 --update -j DROP
echo iptables -D INPUT -m recent --name testcase --set --rsource -j ACCEPT
##
# Test #6: Simplest scenario to introduce --remove thingie.
# (1) A new address is tagged (NF_ACCEPT)
# (2) The address match, so we remove from the list. (NF_DROP)
# (3) Back to step 1.
#
echo iptables -I INPUT -m recent --name testcase --rsource --remove -j DROP
echo iptables -A INPUT -m recent --name testcase --set --rsource -j ACCEPT
for loop in 1 2 3; do # Try this 3 time
for pkt in 1 2; do # Send 2 packets
[ "$pkt" -eq "2" ] && verdict=NF_DROP || verdict=NF_ACCEPT
echo expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter $verdict '*'
echo gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 17 1 2
done
done
echo iptables -D INPUT -m recent --name testcase --rsource --remove -j DROP
echo iptables -D INPUT -m recent --name testcase --set --rsource -j ACCEPT
##
# Test #7: Look for arguments that don't fit together
# --update, --set, --rcheck and --update are action parms.
for parm1 in '--update' '--set' '--rcheck' '--update'; do
for parm2 in '--update' '--set' '--rcheck' '--update'; do
echo expect iptables iptables: command failed
echo iptables -I INPUT -m recent --name testcase $parm1 $parm2
done
done
} > $TMPFILE
$NFSIM $NFSIM_ARGS < $TMPFILE
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: [testsuite] ipt_recent
2004-12-30 6:16 [testsuite] ipt_recent Samuel
@ 2004-12-30 14:18 ` Stephen Frost
0 siblings, 0 replies; 2+ messages in thread
From: Stephen Frost @ 2004-12-30 14:18 UTC (permalink / raw)
To: Samuel; +Cc: Rusty Russell, netfilter-devel, Nicolas Bouliane
[-- Attachment #1: Type: text/plain, Size: 1678 bytes --]
* Samuel (sj-netfilter@cookinglinux.org) wrote:
> Here's the testcase for the ipt_recent module.
Hey, that's kinda neat (that you can write a testcase like that :).
> Note that it really doesn't behave like I think it should.
I'm guessing you're referring to the 'FIXME'/'BUG' things below?
> # Test #4: Using --hitcount in solo limiting 5 packets & more.
> # We expect to NF_DROP 5th and 6th packet. IMO
> #
> # FIXME: Actually it only drops 6th packet. Shouldn't this
> # acts the same on 5th packet ?
> echo iptables -I INPUT -m recent --name testcase --rsource \
> --hitcount 5 --rcheck -j DROP
> echo iptables -A INPUT -m recent --name testcase --set --rsource -j ACCEPT
>
> for pkt in 1 2 3 4 5; do # The 4 packets we send + an unexpected 5th
> echo expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT '*'
> echo gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 17 1 2
> done
Well, you're using --rcheck and --set, and the --set is coming *after*
the --rcheck. --rcheck doesn't change anything, so when packet #5 comes
through the '--set' has been done *4* times. It isn't until packet #5
passes --set that the hitcount for that packet becomes 5. It's an
interesting thing to think about as to if --update should behave the
same way or not. At the moment it does because the
--update/modification logic is after the --update/check logic. That
wouldn't be too hard to change, but then that'd end up producing
different results than the --rcheck/--set above, which I'm not sure I
like.
Hope that helps. Were there any other issues? Looked like everything
else was correct, but I might have missed something.
Stephen
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2004-12-30 14:18 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-12-30 6:16 [testsuite] ipt_recent Samuel
2004-12-30 14:18 ` Stephen Frost
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.