summaryrefslogtreecommitdiffstats
path: root/tests/iptables.sh
blob: 7ea90e025b6f539963348a7d32e78a2343e0fb97 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
#!/bin/sh

# set -x
set -e

ipset=${IPSET_BIN:-../src/ipset}

# We play with the following networks:
# inet: 10.255.255.0/24
# 	10.255.255.0-31 in ip1
# 	10.255.255.32-63 in ip2
# 	rest in ipport
# inet6: 1002:1002:1002:1002::/64
#	1002:1002:1002:1002::1 in ip1
#	1002:1002:1002:1002::32 in ip2
#	rest in ipport

case "$1" in
inet)
	cmd=iptables
	family=
	NET=10.255.255.0/24
	IP1=10.255.255.1
	IP2=10.255.255.32
	;;
inet6)
	cmd=ip6tables
	family="family inet6"
	NET=1002:1002:1002:1002::/64
	IP1=1002:1002:1002:1002::1
	IP2=1002:1002:1002:1002::32
	;;
*)
	echo "Usage: $0 inet|inet6 start|stop"
	exit 1
	;;
esac


case "$2" in
start)
	$ipset n ip1 hash:ip $family 2>/dev/null
	$ipset a ip1 $IP1 2>/dev/null
	$ipset n ip2 hash:ip $family 2>/dev/null
	$ipset a ip2 $IP2 2>/dev/null
	$ipset n ipport hash:ip,port $family 2>/dev/null
	$ipset n list list:set 2>/dev/null
	$ipset a list ipport 2>/dev/null
	$ipset a list ip1 2>/dev/null
	$cmd -A INPUT ! -s $NET -j ACCEPT
	$cmd -A INPUT -m set ! --match-set ip1 src \
		      -m set ! --match-set ip2 src \
		      -j SET --add-set ipport src,src
	$cmd -A INPUT -m set --match-set ip1 src \
		      -j LOG --log-prefix "in set ip1: "
	$cmd -A INPUT -m set --match-set ip2 src \
		      -j LOG --log-prefix "in set ip2: "
	$cmd -A INPUT -m set --match-set ipport src,src \
		      -j LOG --log-prefix "in set ipport: "
	$cmd -A INPUT -m set --match-set list src,src \
		      -j LOG --log-prefix "in set list: "
	$cmd -A OUTPUT -d $NET -j DROP
	cat /dev/null > .foo.err
	cat /dev/null > /var/log/kern.log
	;;
start_flags)
	$ipset n test hash:net $family 2>/dev/null
	$ipset a test 10.0.0.0/16 2>/dev/null
	$ipset a test 10.0.0.0/24 nomatch 2>/dev/null
	$ipset a test 10.0.0.1 2>/dev/null
	$cmd -A INPUT ! -s 10.0.0.0/16 -j ACCEPT
	$cmd -A INPUT -m set --match-set test src \
		      -j LOG --log-prefix "in set test: "
	$cmd -A INPUT -m set --match-set test src --return-nomatch \
		      -j LOG --log-prefix "in set test-nomatch: "
	$cmd -A INPUT -s 10.0.0.0/16 -j DROP
	cat /dev/null > .foo.err
	cat /dev/null > /var/log/kern.log
	;;
start_flags_reversed)
	$ipset n test hash:net $family 2>/dev/null
	$ipset a test 10.0.0.0/16 2>/dev/null
	$ipset a test 10.0.0.0/24 nomatch 2>/dev/null
	$ipset a test 10.0.0.1 2>/dev/null
	$cmd -A INPUT ! -s 10.0.0.0/16 -j ACCEPT
	$cmd -A INPUT -m set --match-set test src --return-nomatch \
		      -j LOG --log-prefix "in set test-nomatch: "
	$cmd -A INPUT -m set --match-set test src \
		      -j LOG --log-prefix "in set test: "
	$cmd -A INPUT -s 10.0.0.0/16 -j DROP
	cat /dev/null > .foo.err
	cat /dev/null > /var/log/kern.log
	;;
del)
	$cmd -F INPUT
	$cmd -A INPUT -j SET --del-set ipport src,src
	;;
add)
	$ipset n test hash:net $family 2>/dev/null
	$cmd -F INPUT
	$cmd -A INPUT -j SET --add-set test src
	;;
timeout)
	$ipset n test hash:ip,port timeout 2
	$cmd -A INPUT -j SET --add-set test src,src --timeout 10 --exist
	;;
mangle)
	$ipset n test hash:net $family skbinfo 2>/dev/null
	$ipset a test 10.255.0.0/16 skbmark 0x1234 2>/dev/null
	$cmd -t mangle -A INPUT -j SET --map-set test src --map-mark
	$cmd -t mangle -A INPUT -m mark --mark 0x1234 -j LOG --log-prefix "in set mark: "
	$cmd -t mangle -A INPUT -s 10.255.0.0/16 -j DROP
	;;
stop)
	$cmd -F
	$cmd -X
	$cmd -F -t mangle
	$cmd -X -t mangle
	$ipset -F 2>/dev/null
	$ipset -X 2>/dev/null
	;;
*)
	echo "Usage: $0 start|stop"
	exit 1
	;;
esac