author | Neil Wilson <neil@aldur.co.uk> | 2017-03-16 11:49:03 +0000 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-03-17 12:40:51 +0100 |
commit | 29b390a2122143997a651e6b25d7496e62ead2a1 (patch) | |
tree | 03d1604ab5edbec82272e67dcd01d8fee0bd07a5 /tests/conntrack | |
parent | 39398cd3c1e488e099ea186ad1e5b725c2f09d1d (diff) |
conntrack: Support IPv6 NAT
Refactor and improve nat support to allow conntrack to manage IPv6
NAT entries.
Refactor and improve conntrack nat tests to include IPv6 NAT.
Signed-off-by: Neil Wilson <neil@aldur.co.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/conntrack')
-rw-r--r-- | tests/conntrack/testsuite/00create | 6 | ||||
-rw-r--r-- | tests/conntrack/testsuite/03nat | 8 | ||||
-rw-r--r-- | tests/conntrack/testsuite/07nat6 | 56 |
3 files changed, 70 insertions, 0 deletions
diff --git a/tests/conntrack/testsuite/00create b/tests/conntrack/testsuite/00create
index 40e2c19..afe4342 100644
--- a/tests/conntrack/testsuite/00create
+++ b/tests/conntrack/testsuite/00create
@@ -18,3 +18,9 @@
 -I -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 --state LISTEN -u SEEN_REPLY -t 50 ; OK
 # delete reverse
 -D -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 ; OK
+# create a v6 conntrack
+-I -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK
+# delete v6 conntrack
+-D -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; OK
+# mismatched address family
+-I -s 2001:DB8::1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; BAD
diff --git a/tests/conntrack/testsuite/03nat b/tests/conntrack/testsuite/03nat
index f94e8ff..014feb8 100644
--- a/tests/conntrack/testsuite/03nat
+++ b/tests/conntrack/testsuite/03nat
@@ -36,5 +36,13 @@
 -L --dst-nat 3.3.3.3:81 ; OK
 # show
 -L --dst-nat 1.1.1.1:80 ; OK
+# badport
+-L --dst-nat 1.1.1.1: ; BAD
+# badport
+-L --dst-nat 1.1.1.1::; BAD
+# badport
+-L --dst-nat 1.1.1.1:80:80; BAD
+# badport
+-L --dst-nat 1.1.1.1:65536; BAD
 # delete
 -D -s 1.1.1.1 ; OK
diff --git a/tests/conntrack/testsuite/07nat6 b/tests/conntrack/testsuite/07nat6
new file mode 100644
index 0000000..8cecd8e
--- /dev/null
+++ b/tests/conntrack/testsuite/07nat6
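Review bot: The mismatched-family case added to 00create only covers an IPv6 `-s` with an IPv4 `-d`; the opposite orientation is not tested, and neither is the reply tuple (`-r`/`-q`) with IPv6 addresses, although the context lines show this file exercising it for IPv4. The family check is what stops a half-v4, half-v6 tuple from being inserted, so I would add `-I -s 1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; BAD` and a v6 `-r`/`-q` create/delete pair next to the existing reverse tests. The file continues above the hunk, so part of this may already be covered there.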
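Review bot: The new badport cases in 03nat stop at `65536`, so the port parser is never given a non-numeric port, digits followed by trailing garbage, or a value large enough to wrap an integer back into the valid range; the same gap applies to the bracketed cases in 07nat6. Those are the inputs a lenient string-to-integer conversion tends to accept silently, so I would add `-L --dst-nat 1.1.1.1:80x ; BAD` and `-L --dst-nat 1.1.1.1:4294967376 ; BAD` (constructed values), plus `-L --dst-nat 1.1.1.1:65535 ; OK` to pin the upper bound. Three of the four added lines also drop the space before `;` (for example `1.1.1.1::; BAD`), unlike the surrounding lines; the harness is not visible here, but if it tokenises on whitespace the argument under test would not be the intended one, so `-L --dst-nat 1.1.1.1:: ; BAD` is safer. The empty-port case is labelled `# badport` here but `# noport` in 07nat6.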
@@ -0,0 +1,56 @@
+# create dummy
+-I -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 --dst-nat 2001:DB8::3.3.3.3 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK
+# show
+-L --dst-nat ; OK
+# show
+-L --dst-nat 2001:DB8::3.3.3.3 ; OK
+# show
+-L --src-nat ; OK
+# delete
+-D -s 2001:DB8::1.1.1.1 ; OK
+# create dummy again
+-I -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 --src-nat 2001:DB8::3.3.3.3 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK
+# show
+-L --src-nat ; OK
+# show
+-L --src-nat 2001:DB8::3.3.3.3 ; OK
+# show
+-L --dst-nat ; OK
+# show any-nat
+-L --any-nat ; OK
+# delete
+-D -s 2001:DB8::1.1.1.1 ; OK
+# bad combination
+-L --dst-nat --any-nat ; BAD
+# bad combination
+-L --src-nat --any-nat ; BAD
+# bad combination
+-L --src-nat --dst-nat --any-nat ; BAD
+# create
+-I -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 --dst-nat [2001:DB8::3.3.3.3]:80 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK
+# show
+-L --dst-nat [2001:DB8::3.3.3.3]:80 ; OK
+# show
+-L --any-nat [2001:DB8::3.3.3.3]:80 ; OK
+# show
+-L --dst-nat [2001:DB8::3.3.3.3]:81 ; OK
+# show
+-L --dst-nat [2001:DB8::1.1.1.1]:80 ; OK
+# noport
+-L --dst-nat [2001:DB8::1.1.1.1]: ; BAD
+# badport
+-L --dst-nat [2001:DB8::1.1.1.1]:: ; BAD
+# badport
+-L --dst-nat [2001:DB8::1.1.1.1]:80:80 ; BAD
+# badport
+-L --dst-nat [2001:DB8::1.1.1.1]:65536 ; BAD
+# delete
+-D -s 2001:DB8::1.1.1.1 ; OK
+# mismatched address family
+-I -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 --dst-nat 3.3.3.3 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; BAD
+# mismatched address family
+-I -s 1.1.1.1 -d 2.2.2.2 --dst-nat 2001:DB8::3.3.3.3 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; BAD
+# create - brackets only for ports in nat
+-I -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 --dst-nat [2001:DB8::3.3.3.3] -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; BAD
+# create - brackets rejected elsewhere
+-I -s [2001:DB8::1.1.1.1] -d 2001:DB8::2.2.2.2 --dst-nat 2001:DB8::3.3.3.3 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; BAD
|
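Review bot: The bracket tests in 07nat6 cover a bracketed address without a port and brackets on `-s`, but not unbalanced or empty brackets in the NAT argument, and the mismatched-family cases only exercise `--dst-nat`. I would add `-L --dst-nat [2001:DB8::3.3.3.3:80 ; BAD`, `-L --dst-nat 2001:DB8::3.3.3.3]:80 ; BAD` and `-L --dst-nat []:80 ; BAD`, plus a `--src-nat 3.3.3.3` variant of the first mismatched-family line. There is also no `--src-nat [addr]:port` create/show case in this file, so the bracketed port path is only verified for destination NAT here.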