* [testsuite] ipt_multiport testcase
@ 2004-12-18  5:27 Samuel Jean
  2005-01-01 22:06 ` Pablo Neira
  0 siblings, 1 reply; 2+ messages in thread
From: Samuel Jean @ 2004-12-18  5:27 UTC (permalink / raw)
  To: Rusty Russell; +Cc: netfilter-devel, Nicolas Bouliane

[-- Attachment #1: Type: text/plain, Size: 185 bytes --]

Hi Rusty,

Like the subject suggests, here's the ipt_multiport testcase.
This is your fourth christmas gift. This one was very expensive
so I hope you will like it.

Cheers,

--peejix


[-- Attachment #2: 36ipt_multiport-bad-args.sim --]
[-- Type: text/plain, Size: 2412 bytes --]

# the three options should work (expecting: success)
# The library accepts at most 15 ports per rule, so 15 is the boundary to exercise
iptables -I INPUT -p tcp -m multiport --source-ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
iptables -D INPUT -p tcp -m multiport --source-ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
iptables -I INPUT -p tcp -m multiport --destination-ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
iptables -D INPUT -p tcp -m multiport --destination-ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
iptables -I INPUT -p tcp -m multiport --ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
iptables -D INPUT -p tcp -m multiport --ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15

# Ensure UDP works too. (expecting: success)
# One test should be sufficient.
iptables -I INPUT -p udp -m multiport --source-ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
iptables -D INPUT -p udp -m multiport --source-ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15

# Multiport doesn't support the ! inversion and doesn't complain about it either. (expecting: answer from rusty)
# Do we still test it, Rusty?
iptables -I INPUT -p tcp -m multiport ! --source-ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
iptables -D INPUT -p tcp -m multiport ! --source-ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
iptables -I INPUT -p tcp -m multiport ! --destination-ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
iptables -D INPUT -p tcp -m multiport ! --destination-ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
iptables -I INPUT -p tcp -m multiport ! --ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
iptables -D INPUT -p tcp -m multiport ! --ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15

# Multiport doesn't allow combining the options in one rule. (expecting: failure)
expect iptables iptables: command failed
iptables -I INPUT -p tcp -m multiport --sports 1 --dports 2 --ports 3
expect iptables iptables: command failed
iptables -I INPUT -p tcp -m multiport --sports 1 --dports 2

# Giving the same option twice must be rejected rather than silently overridden. (expecting: failure)
expect iptables iptables: command failed
iptables -I INPUT -p tcp -m multiport --sports 1 --sports 1
expect iptables iptables: command failed
iptables -I INPUT -p tcp -m multiport --dports 2 --dports 2
expect iptables iptables: command failed
iptables -I INPUT -p tcp -m multiport --ports 3 --ports 3

# Reject ICMP and "all" (no -p): multiport needs a protocol that carries ports. (expecting: failure)
expect iptables iptables: command failed
iptables -I INPUT -p icmp -m multiport --ports 3
expect iptables iptables: command failed
iptables -I INPUT -m multiport --ports 3

[-- Attachment #3: 37ipt_multiport.sh --]
[-- Type: text/plain, Size: 915 bytes --]

#! /bin/sh

# For both TCP (6) and UDP (17), send five packets (port 1..5) against each
# of the three options with the rule "--<option> 2,3,4 -j DROP".
# Ports 1 and 5 fall outside the list, so those packets must be NF_ACCEPT'ed;
# ports 2, 3 and 4 must be NF_DROP'ed.
# TCP packets are generated with the SYN flag; UDP packets carry no flag.
# $TMPFILE, $NFSIM and $NFSIM_ARGS are provided by the testsuite harness.
: "${TMPFILE:?TMPFILE not set}" "${NFSIM:?NFSIM not set}"

for proto in 6 17; do
	if [ "$proto" = 17 ]; then
		FLAG=""
	else
		FLAG=" SYN"
	fi
	for arg in sports dports ports; do
		echo iptables -I INPUT -p $proto -m multiport --${arg} 2,3,4 -j DROP
		for port in 1 2 3 4 5; do
			case $port in
				1|5)	VERDICT=NF_ACCEPT ;;
				*)	VERDICT=NF_DROP ;;
			esac

			# sports: vary the source port, destination fixed at 1
			# dports: vary the destination port, source fixed at 1
			# ports:  vary both, since --ports matches either end
			case $arg in
				sports)	PORTS="${port} 1" ;;
				dports)	PORTS="1 ${port}" ;;
				ports)	PORTS="${port} ${port}" ;;
			esac

			echo expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter $VERDICT \
				{IPv4 192.168.0.2 192.168.0.1 0 $proto ${PORTS}$FLAG}
			echo gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 $proto $PORTS $FLAG
		done
		echo iptables -D INPUT -p $proto -m multiport --${arg} 2,3,4 -j DROP
	done
done > "$TMPFILE"

$NFSIM $NFSIM_ARGS < "$TMPFILE"

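The verdict table that 37ipt_multiport.sh encodes (ports 1 and 5 accepted, 2 to 4 dropped, for each of --sports, --dports and --ports) can be cross-checked offline against a model of what the multiport match compares. The C below is an added example, not code from the testsuite or from the netfilter tree: it parses a port list with the same 15-port cap the .sim file exercises, implements the documented semantics of the three options (source, destination, either), and replays the script's 3x5 matrix against that model. The enum and function names are this example's own; the model compares ports only, so the SYN flag the script hands to gen_ip plays no part in it.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Upper bound on ports per rule, matching the 15-port lines in the testcase. */
#define MULTI_PORTS 15

/* Which header field the list is compared against (names are this example's own). */
enum mp_flags {
    MP_SOURCE,       /* --sports / --source-ports */
    MP_DESTINATION,  /* --dports / --destination-ports */
    MP_EITHER        /* --ports: source OR destination */
};

struct multiport_rule {
    enum mp_flags flags;
    unsigned char count;
    unsigned short ports[MULTI_PORTS];
};

/* Parse a comma-separated list such as "2,3,4" into r.
 * Returns 0 on success, -1 for an empty list, a malformed entry, a port
 * outside 0..65535 or more than MULTI_PORTS entries (userspace rejects
 * such a rule before it ever reaches the kernel). */
int multiport_parse(const char *list, enum mp_flags flags, struct multiport_rule *r)
{
    const char *p = list;
    memset(r, 0, sizeof(*r));
    r->flags = flags;
    while (*p) {
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p || v < 0 || v > 65535 || r->count == MULTI_PORTS)
            return -1;
        r->ports[r->count++] = (unsigned short)v;
        p = end;
        if (*p == ',') {
            p++;
            if (*p == '\0')   /* trailing comma is malformed */
                return -1;
        } else if (*p != '\0') {
            return -1;
        }
    }
    return r->count ? 0 : -1;
}

/* 1 if the packet's ports hit the list under the rule's mode, else 0. */
int multiport_match(const struct multiport_rule *r, unsigned short sport, unsigned short dport)
{
    unsigned i;
    for (i = 0; i < r->count; i++) {
        unsigned short port = r->ports[i];
        if ((r->flags == MP_SOURCE && port == sport) ||
            (r->flags == MP_DESTINATION && port == dport) ||
            (r->flags == MP_EITHER && (port == sport || port == dport)))
            return 1;
    }
    return 0;
}

/* Number of ports parsed from list, or -1 if the list is rejected. */
int multiport_list_count(const char *list)
{
    struct multiport_rule r;
    return multiport_parse(list, MP_SOURCE, &r) == 0 ? r.count : -1;
}

/* Replay 37ipt_multiport.sh: rule "--<opt> 2,3,4 -j DROP", packets with
 * port 1..5 in the varied position and port 1 in the other. The script's
 * oracle accepts ports 1 and 5 and drops 2, 3 and 4. Returns the number of
 * disagreements between the model and that oracle, or -1 on a parse error. */
int replay_script_matrix(void)
{
    static const enum mp_flags modes[] = { MP_SOURCE, MP_DESTINATION, MP_EITHER };
    int mismatches = 0, m;
    for (m = 0; m < 3; m++) {
        struct multiport_rule r;
        unsigned short port;
        if (multiport_parse("2,3,4", modes[m], &r) != 0)
            return -1;
        for (port = 1; port <= 5; port++) {
            unsigned short sport = 1, dport = 1;
            int expect_drop = (port != 1 && port != 5);
            if (modes[m] != MP_DESTINATION) sport = port;  /* sports, ports */
            if (modes[m] != MP_SOURCE)      dport = port;  /* dports, ports */
            if (multiport_match(&r, sport, dport) != expect_drop)
                mismatches++;
        }
    }
    return mismatches;
}

int main(void)
{
    printf("15 ports parsed: %d\n", multiport_list_count("1,2,3,4,5,6,7,8,9,10,11,12,13,14,15"));
    printf("16 ports parsed: %d\n", multiport_list_count("1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16"));
    printf("script matrix mismatches: %d\n", replay_script_matrix());
    return 0;
}
```

The 16-port list is the case the .sim file stops just short of: with a 15-entry limit it must be rejected at parse time, and a rule that was silently truncated instead would still load and pass every packet test above while matching one port fewer than the operator wrote.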

* Re: [testsuite] ipt_multiport testcase
  2004-12-18  5:27 [testsuite] ipt_multiport testcase Samuel Jean
@ 2005-01-01 22:06 ` Pablo Neira
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira @ 2005-01-01 22:06 UTC (permalink / raw)
  To: Samuel Jean; +Cc: Rusty Russell, netfilter-devel, Nicolas Bouliane

Samuel Jean wrote:

># Multiport doesn't support the ! inversion and doesn't complain about it either. (expecting: answer from rusty)
># Do we still test it, Rusty?
>iptables -I INPUT -p tcp -m multiport ! --source-ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
>iptables -D INPUT -p tcp -m multiport ! --source-ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
>iptables -I INPUT -p tcp -m multiport ! --destination-ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
>iptables -D INPUT -p tcp -m multiport ! --destination-ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
>iptables -I INPUT -p tcp -m multiport ! --ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
>iptables -D INPUT -p tcp -m multiport ! --ports 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
>  
>

Phil Oester sent a patch to fix this some time ago, see:

https://lists.netfilter.org/pipermail/netfilter-devel/2004-September/016797.html

so it's fixed. BTW, thanks, your testsuites let me save quite some time.

--
Pablo

