Diffstat (limited to 'tests')
-rwxr-xr-xtests/iptables.sh29
-rw-r--r--tests/match_flags.t49
-rwxr-xr-xtests/runtest.sh2
3 files changed, 79 insertions, 1 deletions
diff --git a/tests/iptables.sh b/tests/iptables.sh
index 9b1c90c..63b0b92 100755
--- a/tests/iptables.sh
+++ b/tests/iptables.sh
@@ -59,6 +59,35 @@ start)
-j LOG --log-prefix "in set list: "
$cmd -A OUTPUT -d $NET -j DROP
cat /dev/null > .foo.err
+ cat /dev/null > /var/log/kern.log
+ ;;
+start_flags)
+ ../src/ipset n test hash:net $family 2>/dev/null
+ ../src/ipset a test 10.0.0.0/16 2>/dev/null
+ ../src/ipset a test 10.0.0.0/24 nomatch 2>/dev/null
+ ../src/ipset a test 10.0.0.1 2>/dev/null
+ $cmd -A INPUT ! -s 10.0.0.0/16 -j ACCEPT
+ $cmd -A INPUT -m set --match-set test src \
+ -j LOG --log-prefix "in set test: "
+ $cmd -A INPUT -m set --match-set test src --return-nomatch \
+ -j LOG --log-prefix "in set test-nomatch: "
+ $cmd -A INPUT -s 10.0.0.0/16 -j DROP
+ cat /dev/null > .foo.err
+ cat /dev/null > /var/log/kern.log
+ ;;
+start_flags_reversed)
+ ../src/ipset n test hash:net $family 2>/dev/null
+ ../src/ipset a test 10.0.0.0/16 2>/dev/null
+ ../src/ipset a test 10.0.0.0/24 nomatch 2>/dev/null
+ ../src/ipset a test 10.0.0.1 2>/dev/null
+ $cmd -A INPUT ! -s 10.0.0.0/16 -j ACCEPT
+ $cmd -A INPUT -m set --match-set test src --return-nomatch \
+ -j LOG --log-prefix "in set test-nomatch: "
+ $cmd -A INPUT -m set --match-set test src \
+ -j LOG --log-prefix "in set test: "
+ $cmd -A INPUT -s 10.0.0.0/16 -j DROP
+ cat /dev/null > .foo.err
+ cat /dev/null > /var/log/kern.log
;;
del)
$cmd -F INPUT
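Review bot: The added `cat /dev/null > /var/log/kern.log` at the end of `start)`, `start_flags)` and `start_flags_reversed)` truncates the host's kernel log, so every run of the suite discards unrelated kernel and netfilter messages on that machine. It is a destructive side effect outside the test tree, and it presumes a syslog setup that writes kernel messages to exactly that path. The log-checking helper is not visible in this hunk, so only a direction can be suggested: record where the log ends before the probes, for example `wc -l < /var/log/kern.log > .klog.start`, and have the checker read only the lines after that point. Failing that, a comment above these lines should state that the suite wipes kern.log and is meant for a disposable test machine. The `case` statement starts and ends outside the hunk.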
diff --git a/tests/match_flags.t b/tests/match_flags.t
new file mode 100644
index 0000000..8cede10
--- /dev/null
+++ b/tests/match_flags.t
@@ -0,0 +1,49 @@
+# Create sets and inet rules which call set match
+0 ./iptables.sh inet start_flags
+# Send probe packet from 10.0.0.0,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.0 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched with --return-nomatch
+0 ./check_klog.sh 10.0.0.0 tcp 1025 test-nomatch
+# Send probe packet from 10.0.0.1,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.1 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched
+0 ./check_klog.sh 10.0.0.1 tcp 1025 test
+# Send probe packet from 10.0.0.2,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.2 -is 10.0.0.2 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched with --return-nomatch
+0 ./check_klog.sh 10.0.0.2 tcp 1025 test-nomatch
+# Send probe packet from 10.0.0.255,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.255 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched with --return-nomatch
+0 ./check_klog.sh 10.0.0.255 tcp 1025 test-nomatch
+# Send probe packet from 10.0.1.0,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.1.0 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched
+0 ./check_klog.sh 10.0.1.0 tcp 1025 test
+# Destroy sets and rules
+0 ./iptables.sh inet stop
+# Create sets and inet rules which call set match, reversed rule order
+0 ./iptables.sh inet start_flags_reversed
+# Send probe packet from 10.0.0.0,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.0 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched with --return-nomatch
+0 ./check_klog.sh 10.0.0.0 tcp 1025 test-nomatch
+# Send probe packet from 10.0.0.1,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.1 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched
+0 ./check_klog.sh 10.0.0.1 tcp 1025 test
+# Send probe packet from 10.0.0.2,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.2 -is 10.0.0.2 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched with --return-nomatch
+0 ./check_klog.sh 10.0.0.2 tcp 1025 test-nomatch
+# Send probe packet from 10.0.0.255,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.255 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched with --return-nomatch
+0 ./check_klog.sh 10.0.0.255 tcp 1025 test-nomatch
+# Send probe packet from 10.0.1.0,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.1.0 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched
+0 ./check_klog.sh 10.0.1.0 tcp 1025 test
+# Destroy sets and rules
+0 ./iptables.sh inet stop
+# eof
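Review bot: The two probes from 10.0.0.2 pass `-id 127.0.0.2`, while every other probe, and the trailing positional address on those same lines, use 127.0.0.1. This looks like a copy-paste slip and should read `-id 127.0.0.1` in both the normal and the reversed section. Separately, the log prefix `in set test: ` shares its leading text with `in set test-nomatch: `. If check_klog.sh (not shown here) matches on the set name without the trailing colon, the `test` checks would also pass on a `test-nomatch` line, which is worth confirming.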
diff --git a/tests/runtest.sh b/tests/runtest.sh
index ff5c492..ad2ac42 100755
--- a/tests/runtest.sh
+++ b/tests/runtest.sh
@@ -22,7 +22,7 @@ add_tests() {
# inet|inet6 network
if [ $1 = "inet" ]; then
cmd=iptables-save
- add=match_target
+ add="match_target match_flags"
else
cmd=ip6tables-save
add=match_target6