authorJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2010-06-25 16:30:52 +0200
committerJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2010-06-25 16:30:52 +0200
commit780f6384c5c6639da3f5a6ac8d30653e8a26d6c0 (patch)
tree9c8091a4d0a01f0f3216dd5758bf4d07e81cb843 /tests
parent020936c8c3375e1efe44a3087c891a4b2cbfe044 (diff)
ipset 5: IPv6 port related and manpage fixes, more testsv5.0-pre4
- getting ports for family INET6 fixed - more manpage polishing - tests to check the iptables/ip6tables match and target added
Diffstat (limited to 'tests')
-rwxr-xr-xtests/check_klog.sh46
-rwxr-xr-xtests/iptables.sh72
-rw-r--r--tests/match_target.t21
-rw-r--r--tests/match_target6.t21
-rwxr-xr-xtests/runtest.sh32
5 files changed, 192 insertions, 0 deletions
diff --git a/tests/check_klog.sh b/tests/check_klog.sh
new file mode 100755
index 0000000..489fa71
--- /dev/null
+++ b/tests/check_klog.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# set -x
+set -e
+
+# arguments: ipaddr proto port setname ...
+
+expand_ipv6() {
+ # incomplete, but for our addresses it's OK
+ addr=
+ n=0
+ while read a; do
+ n=$((n+1))
+ if [ -z "$a" ]; then
+ addr="$addr::"
+ else
+ case `echo $a | wc -c` in
+ 4) a="0$a";;
+ 3) a="00$a";;
+ 2) a="000$a";;
+ esac
+ addr="$addr$a:"
+ fi
+ done < <(echo $1 | tr : '\n')
+ addr=`echo $addr | sed -e 's/:$//'`
+ null=
+ while [ $n -le 8 ]; do
+ null="$null:0000"
+ n=$((n+1))
+ done
+ addr=`echo $addr | sed -e "s/::/$null/"`
+ echo $addr
+}
+
+ipaddr=`expand_ipv6 $1`; shift
+proto=`echo $1 | tr a-z A-Z`; shift
+port=$1; shift
+
+for setname in $@; do
+ match=`grep -e "in set $setname: .* SRC=$ipaddr .* PROTO=$proto SPT=$port .*" /var/log/kern.log`
+ if [ -z "$match" ]; then
+ echo "no match!"
+ exit 1
+ fi
+done
+exit 0
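Review bot: The grep in `match=\`grep -e "in set $setname: .* SRC=$ipaddr .* PROTO=$proto SPT=$port .*" /var/log/kern.log\`` searches the whole accumulated kernel log, so a LOG line left by an earlier run of the same test satisfies the check even when the current probe produced nothing, and the dots of an IPv4 `$ipaddr` are unescaped regex metacharacters that match any byte. Escaping them, `match=$(grep -e "in set $setname: .* SRC=${ipaddr//./\\.} .* PROTO=$proto SPT=$port " /var/log/kern.log)`, tightens the pattern; the staleness can only be fixed by the caller recording the log size before the probe and searching from that offset (e.g. `tail -n +"$start"`), which is outside this script. The loops also use `read a` and `for setname in $@`; `read -r a` and `"$@"` are the safe forms.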
diff --git a/tests/iptables.sh b/tests/iptables.sh
new file mode 100755
index 0000000..935b236
--- /dev/null
+++ b/tests/iptables.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+set -e
+
+# We play with the following networks:
+# inet: 10.255.255.0/24
+# 10.255.255.0-31 in ip1
+# 10.255.255.32-63 in ip2
+# rest in ipport
+# inet6: 1002:1002:1002:1002::/64
+# 1002:1002:1002:1002::1 in ip1
+# 1002:1002:1002:1002::32 in ip2
+# rest in ipport
+
+case "$1" in
+inet)
+ cmd=iptables
+ family=
+ NET=10.255.255.0/24
+ IP1=10.255.255.1
+ IP2=10.255.255.32
+ ;;
+inet6)
+ cmd=ip6tables
+ family="family inet6"
+ NET=1002:1002:1002:1002::/64
+ IP1=1002:1002:1002:1002::1
+ IP2=1002:1002:1002:1002::32
+ ;;
+*)
+ echo "Usage: $0 inet|inet6 start|stop"
+ exit 1
+ ;;
+esac
+
+
+case "$2" in
+start)
+ ../src/ipset n ip1 hash:ip $family 2>/dev/null
+ ../src/ipset a ip1 $IP1 2>/dev/null
+ ../src/ipset n ip2 hash:ip $family 2>/dev/null
+ ../src/ipset a ip2 $IP2 2>/dev/null
+ ../src/ipset n ipport hash:ip,port $family proto any 2>/dev/null
+ ../src/ipset n list list:set 2>/dev/null
+ ../src/ipset a list ipport 2>/dev/null
+ ../src/ipset a list ip1 2>/dev/null
+ $cmd -A INPUT ! -s $NET -j ACCEPT
+ $cmd -A INPUT -m set ! --match-set ip1 src \
+ -m set ! --match-set ip2 src \
+ -j SET --add-set ipport src,src
+ $cmd -A INPUT -m set --match-set ip1 src \
+ -j LOG --log-prefix "in set ip1: "
+ $cmd -A INPUT -m set --match-set ip2 src \
+ -j LOG --log-prefix "in set ip2: "
+ $cmd -A INPUT -m set --match-set ipport src,src \
+ -j LOG --log-prefix "in set ipport: "
+ $cmd -A INPUT -m set --match-set list src,src \
+ -j LOG --log-prefix "in set list: "
+ $cmd -A OUTPUT -d $NET -j DROP
+ cat /dev/null > .foo.err
+ ;;
+stop)
+ $cmd -F
+ $cmd -X
+ ../src/ipset -F 2>/dev/null
+ ../src/ipset -X 2>/dev/null
+ ;;
+*)
+ echo "Usage: $0 start|stop"
+ exit 1
+ ;;
+esac
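Review bot: The `stop` branch flushes and deletes every chain of the filter table (`$cmd -F` and `$cmd -X` with no chain name) and `../src/ipset -F` / `../src/ipset -X` flush and destroy every set on the host, not only ip1, ip2, ipport and list; this is only acceptable because the caller verifies an empty ruleset first, and nothing in the script says so. A header comment such as `# stop flushes the whole filter table and destroys ALL ipsets; run only on a host with no other rules or sets (runtest.sh checks this)`, or a targeted teardown (`$cmd -D` of the rules added in `start`, then `../src/ipset -X list`, `-X ipport`, `-X ip2`, `-X ip1` in that order), would make the precondition explicit. Separately, every ipset command in `start` carries `2>/dev/null` while `set -e` is active, so a failing `../src/ipset n` (for instance a set left over from an aborted run) ends the script with no diagnostic at all; dropping the redirection would surface the cause. The fallback usage text of the second `case` prints `start|stop` while the first prints `inet|inet6 start|stop`.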
diff --git a/tests/match_target.t b/tests/match_target.t
new file mode 100644
index 0000000..8c3f3f9
--- /dev/null
+++ b/tests/match_target.t
@@ -0,0 +1,21 @@
+# Create sets and inet rules which call set match and SET target
+0 ./iptables.sh inet start
+# Send probe packet from 10.255.255.64,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that proper sets matched and target worked
+0 ./check_klog.sh 10.255.255.64 tcp 1025 ipport list
+# Send probe packet from 10.255.255.64,udp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
+# Check that proper sets matched and target worked
+0 ./check_klog.sh 10.255.255.64 udp 1025 ipport list
+# Send probe packet from 10.255.255.1,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.1 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that proper sets matched and target worked
+0 ./check_klog.sh 10.255.255.1 tcp 1025 ip1 list
+# Send probe packet from 10.255.255.32,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.32 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that proper sets matched and target worked
+0 ./check_klog.sh 10.255.255.32 tcp 1025 ip2
+# Destroy sets and rules
+0 ./iptables.sh inet stop
+# eof
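Review bot: Each `0 ./check_klog.sh …` step runs immediately after its `sendip` probe and greps /var/log/kern.log, so it depends on the packet having traversed netfilter and on syslog having written the LOG line to disk by then; if the logger buffers writes this will fail intermittently with `no match!`. A settle step between probe and check, e.g. `0 sleep 1`, assuming the harness runs arbitrary commands as it does for `sendip`, would remove the race. The same applies to every probe/check pair in tests/match_target6.t.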
diff --git a/tests/match_target6.t b/tests/match_target6.t
new file mode 100644
index 0000000..58888bd
--- /dev/null
+++ b/tests/match_target6.t
@@ -0,0 +1,21 @@
+# Create sets and inet6 rules which call set match and SET target
+0 ./iptables.sh inet6 start
+# Send probe packet from 1002:1002:1002:1002::64,tcp:1025
+0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p tcp -td 80 -ts 1025 ::1
+# Check that proper sets matched and target worked
+0 ./check_klog.sh 1002:1002:1002:1002::64 tcp 1025 ipport list
+# Send probe packet from 1002:1002:1002:1002::64,udp:1025
+0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p udp -ud 80 -us 1025 ::1
+# Check that proper sets matched and target worked
+0 ./check_klog.sh 1002:1002:1002:1002::64 udp 1025 ipport list
+# Send probe packet from 1002:1002:1002:1002::1,tcp:1025
+0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::1 -p tcp -td 80 -ts 1025 ::1
+# Check that proper sets matched and target worked
+0 ./check_klog.sh 1002:1002:1002:1002::1 tcp 1025 ip1 list
+# Send probe packet from 1002:1002:1002:1002::32,tcp:1025
+0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::32 -p tcp -td 80 -ts 1025 ::1
+# Check that proper sets matched and target worked
+0 ./check_klog.sh 1002:1002:1002:1002::32 tcp 1025 ip2
+# Destroy sets and rules
+0 ./iptables.sh inet6 stop
+# eof
diff --git a/tests/runtest.sh b/tests/runtest.sh
index ccd057e..32702c9 100755
--- a/tests/runtest.sh
+++ b/tests/runtest.sh
@@ -10,8 +10,40 @@ tests="$tests nethash hash:net hash:net6"
tests="$tests setlist"
tests="$tests iptree iptreemap"
+add_tests() {
+ # inet|inet6 network
+ if [ $1 = "inet" ]; then
+ cmd=iptables-save
+ add=match_target
+ else
+ cmd=ip6tables-save
+ add=match_target6
+ fi
+ modprobe ip_tables
+ if [ ! -e /var/log/kern.log -a -z "`grep 'kernel: ip_tables: ' /var/log/kern/log`" ]; then
+ echo "The destination for kernel log is not /var/log/kern.log, skipping $1 match and target tests"
+ return
+ fi
+ if [ `$cmd -t filter | wc -l` -eq 7 -a \
+ `$cmd -t filter | grep ACCEPT | wc -l` -eq 3 ]; then
+ if [ -z "`which sendip`" ]; then
+ echo "sendip utility is missig: skipping $1 match and target tests"
+ elif [ -n "`netstat --protocol $1 -n | grep $2`" ]; then
+ echo "Our test network $2 in use: skipping $1 match and target tests"
+ else
+ tests="$tests $add"
+ fi
+ :
+ else
+ echo "You have got iptables rules: skipping $1 match and target tests"
+ fi
+}
+
if [ "$1" ]; then
tests="init $@"
+else
+ add_tests inet 10.255.255
+ add_tests inet6 1002:1002:1002:1002::
fi
for types in $tests; do