From 073915c8607f0ca74b29d4159488cc96abf97684 Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik
Date: Sun, 10 Apr 2011 16:22:46 +0200
Subject: Testsuite checks added - check iptables match/target extensions with invalid number of dir parameters - check SET target with --del-set option
---
 tests/iptables.sh | 4 ++++
 tests/match_target.t | 18 ++++++++++++++++++
 tests/match_target6.t | 18 ++++++++++++++++++
 3 files changed, 40 insertions(+)
diff --git a/tests/iptables.sh b/tests/iptables.sh
index 1bf96df..b5b82e4 100755
--- a/tests/iptables.sh
+++ b/tests/iptables.sh
@@ -60,6 +60,10 @@ start)
 $cmd -A OUTPUT -d $NET -j DROP
 cat /dev/null > .foo.err
 ;;
+del)
+ $cmd -F INPUT
+ $cmd -A INPUT -j SET --del-set ipport src,src
+ ;;
 stop)
 $cmd -F
 $cmd -X
diff --git a/tests/match_target.t b/tests/match_target.t
index 6756be1..0c6e7e7 100644
--- a/tests/match_target.t
+++ b/tests/match_target.t
@@ -1,3 +1,15 @@
+# Create test set
+0 ipset create test hash:ip
+# Check that iptables set match catches invalid number of dir parameters
+2 iptables -m set --match-set test src,dst,src,dst,src,dst,src
+# Check reference number of test set
+0 ref=`ipset list test|grep References|sed 's/References: //'` && test $ref -eq 0
+# Check that iptables SET target catches invalid number of dir parameters
+2 iptables -j SET --add-set test src,dst,src,dst,src,dst,src
+# Check reference number of test set
+0 ref=`ipset list test|grep References|sed 's/References: //'` && test $ref -eq 0
+# Destroy test set
+0 ipset destroy test
 # Create sets and inet rules which call set match and SET target
 0 ./iptables.sh inet start
 # Check that 10.255.255.64,tcp:1025 is not in ipport set
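Review bot: The new `del)` branch in tests/iptables.sh has no comment stating what state it leaves behind, and the checks that follow it depend on that state. It flushes only INPUT, so the OUTPUT rule added under `start)` and the sets stay in place, and the single new rule has no match condition, so every packet reaching INPUT has its src,src entry removed from `ipport`. I would add above `$cmd -F INPUT` a comment such as `# Replace the INPUT rules: each incoming packet now deletes its src,src entry from ipport`. The enclosing case statement starts and ends outside the hunk.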
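Review bot: In the first hunk of tests/match_target.t the two lines expecting status 2 (`iptables -m set --match-set test src,dst,...` and `iptables -j SET --add-set test src,dst,...`) name no chain or command, and as far as I know iptables returns 2 for every parameter problem, a missing command included, so the status alone may not show that the seven-entry direction list is what got rejected. A complete rule, for example `2 iptables -A INPUT -m set --match-set test src,dst,src,dst,src,dst,src -j ACCEPT`, would leave the direction list as the only invalid part, and the `References` check after it would then presumably also show that no rule kept a reference on the set. The same two lines appear with ip6tables in the first hunk of tests/match_target6.t.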
@@ -38,6 +50,12 @@
 0 sendip -d r10 -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p icmp -ct 3 -cd 10 127.0.0.1
 # Check that 10.255.255.64,icmp:3/10 is in ipport set now
 0 ipset test ipport 10.255.255.64,icmp:host-prohibited
+# Modify rules to check target and deletion
+0 ./iptables.sh inet del
+# Send probe packet 10.255.255.64,icmp:host-prohibited
+0 sendip -d r10 -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p icmp -ct 3 -cd 10 127.0.0.1
+# Check that 10.255.255.64,icmp:3/10 isn't in ipport
+1 ipset test ipport 10.255.255.64,icmp:host-prohibited
 # Destroy sets and rules
 0 ./iptables.sh inet stop
 # eof
diff --git a/tests/match_target6.t b/tests/match_target6.t
index 6f1fc3d..15a3b9e 100644
--- a/tests/match_target6.t
+++ b/tests/match_target6.t
@@ -1,3 +1,15 @@
+# Create test set
+0 ipset create test hash:ip family inet6
+# Check that iptables set match catches invalid number of dir parameters
+2 ip6tables -m set --match-set test src,dst,src,dst,src,dst,src
+# Check reference number of test set
+0 ref=`ipset list test|grep References|sed 's/References: //'` && test $ref -eq 0
+# Check that iptables SET target catches invalid number of dir parameters
+2 ip6tables -j SET --del-set test src,dst,src,dst,src,dst,src
+# Check reference number of test set
+0 ref=`ipset list test|grep References|sed 's/References: //'` && test $ref -eq 0
+# Destroy test set
+0 ipset destroy test
 # Create sets and inet6 rules which call set match and SET target
 0 ./iptables.sh inet6 start
 # Check that 1002:1002:1002:1002::64,tcp:1025 is not in ipport set
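Review bot: The closing check `1 ipset test ipport 10.255.255.64,icmp:host-prohibited` in the second hunk of tests/match_target.t looks at one entry only, so it would also pass if the `del` step had emptied or recreated `ipport` instead of removing that single element. If the part of the file outside this hunk leaves another entry in `ipport`, a line such as `0 ipset test ipport <other entry>` after the probe would pin `--del-set` to removing just the matching element. The second hunk of tests/match_target6.t has the same shape.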
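Review bot: The SET target line in the first hunk of tests/match_target6.t uses `--del-set` (`2 ip6tables -j SET --del-set test src,dst,...`) while the corresponding line in tests/match_target.t uses `--add-set`, so each address family leaves one of the two options unchecked for the direction-count limit. If that split is deliberate it deserves a word in the comment; otherwise each file could carry both variants, e.g. `2 ip6tables -j SET --add-set test src,dst,src,dst,src,dst,src` here. The comments above both status-2 lines also say "iptables" although the commands are `ip6tables`.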
@@ -38,6 +50,12 @@
 0 sendip -d r10 -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p icmp -ct 3 -cd 1 ::1
 # Check that 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly is in ipport set now
 0 ipset test ipport 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
+# Modify rules to check target and deletion
+0 ./iptables.sh inet6 del
+# Send probe packet from 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
+0 sendip -d r10 -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p icmp -ct 3 -cd 1 ::1
+# Check that 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly isn't in ipport set
+1 ipset test ipport 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
 # Destroy sets and rules
 0 ./iptables.sh inet6 stop
 # eof
-- cgit v1.2.3