authorJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2012-09-21 21:03:24 +0200
committerJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2012-09-21 21:03:24 +0200
commit3a3794573386d0cb2930a9daad5615036c06f4e2 (patch)
tree52dc8066bff6301af9910a47f8e235336f77e8a8 /tests/match_flags.t
parent3578220cf27c3e7017dd8af6b17c08218cf632d0 (diff)
Support to match elements marked with "nomatch" in hash:*net* sets
Exceptions can now be matched and we can branch according to the possible cases: a. match in the set if the element is not flagged as "nomatch" b. match in the set if the element is flagged with "nomatch" c. no match i.e. iptables ... -m set --match-set ... -j ... iptables ... -m set --match-set ... --nomatch-entries -j ... ...
Diffstat (limited to 'tests/match_flags.t')
-rw-r--r--tests/match_flags.t49
1 files changed, 49 insertions, 0 deletions
diff --git a/tests/match_flags.t b/tests/match_flags.t
new file mode 100644
index 0000000..8cede10
--- /dev/null
+++ b/tests/match_flags.t
@@ -0,0 +1,49 @@
+# Create sets and inet rules which call set match
+0 ./iptables.sh inet start_flags
+# Send probe packet from 10.0.0.0,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.0 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched with --return-nomatch
+0 ./check_klog.sh 10.0.0.0 tcp 1025 test-nomatch
+# Send probe packet from 10.0.0.1,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.1 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched
+0 ./check_klog.sh 10.0.0.1 tcp 1025 test
+# Send probe packet from 10.0.0.2,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.2 -is 10.0.0.2 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched with --return-nomatch
+0 ./check_klog.sh 10.0.0.2 tcp 1025 test-nomatch
+# Send probe packet from 10.0.0.255,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.255 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched with --return-nomatch
+0 ./check_klog.sh 10.0.0.255 tcp 1025 test-nomatch
+# Send probe packet from 10.0.1.0,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.1.0 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched
+0 ./check_klog.sh 10.0.1.0 tcp 1025 test
+# Destroy sets and rules
+0 ./iptables.sh inet stop
+# Create sets and inet rules which call set match, reversed rule order
+0 ./iptables.sh inet start_flags_reversed
+# Send probe packet from 10.0.0.0,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.0 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched with --return-nomatch
+0 ./check_klog.sh 10.0.0.0 tcp 1025 test-nomatch
+# Send probe packet from 10.0.0.1,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.1 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched
+0 ./check_klog.sh 10.0.0.1 tcp 1025 test
+# Send probe packet from 10.0.0.2,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.2 -is 10.0.0.2 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched with --return-nomatch
+0 ./check_klog.sh 10.0.0.2 tcp 1025 test-nomatch
+# Send probe packet from 10.0.0.255,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.255 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched with --return-nomatch
+0 ./check_klog.sh 10.0.0.255 tcp 1025 test-nomatch
+# Send probe packet from 10.0.1.0,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.1.0 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched
+0 ./check_klog.sh 10.0.1.0 tcp 1025 test
+# Destroy sets and rules
+0 ./iptables.sh inet stop
+# eof
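Review bot: The 10.0.0.2 probe is the only one sent with `-id 127.0.0.2` (in both the start_flags and the start_flags_reversed run), while every other probe uses `-id 127.0.0.1`, and no comment says why. If that is not deliberate, the line should read `0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.2 -p tcp -td 80 -ts 1025 127.0.0.1`; if it is, a comment such as `# destination differs on purpose: <reason>` would keep a later reader from "fixing" it. The comments also name the option `--return-nomatch` while the commit description writes `--nomatch-entries`, so one of the two presumably needs updating. Every check in the file expects a log hit, so case c from the description (no match at all) is never exercised. Because nomatch entries usually act as exceptions inside a filtering rule, a probe from a source outside the set's networks, with a check that neither `test` nor `test-nomatch` was logged, would be worth adding, assuming check_klog.sh can express a negative result.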