From 0b6f88e662d54cabf15ef3dbf70e9f0fcdb1412e Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik
Date: Mon, 18 Apr 2011 12:53:25 +0200
Subject: Options and flags support added to the kernel API

The support makes possible to specify the timeout value for the SET target and a flag to reset the timeout for already existing entries.
---
 tests/iptables.sh | 4 ++++
 tests/match_target.t | 22 ++++++++++++++++++++++
 2 files changed, 26 insertions(+)
(limited to 'tests')

diff --git a/tests/iptables.sh b/tests/iptables.sh
index b5b82e4..9b1c90c 100755
--- a/tests/iptables.sh
+++ b/tests/iptables.sh
@@ -64,6 +64,10 @@ del)
 $cmd -F INPUT
 $cmd -A INPUT -j SET --del-set ipport src,src
 ;;
+timeout)
+ ../src/ipset n test hash:ip,port timeout 2
+ $cmd -A INPUT -j SET --add-set test src,src --timeout 10 --exist
+ ;;
 stop)
 $cmd -F
 $cmd -X
diff --git a/tests/match_target.t b/tests/match_target.t
index 0c6e7e7..4a2b9be 100644
--- a/tests/match_target.t
+++ b/tests/match_target.t
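Review bot: The new `timeout)` arm does not check that `../src/ipset n test hash:ip,port timeout 2` succeeded before it appends the SET rule. If a `test` set is left over from an earlier run, the create fails but the iptables rule can still attach to the stale set, and the arm reports only the status of the last command. Unless the script runs under `set -e` (not visible in this hunk), I would write `../src/ipset n test hash:ip,port timeout 2 || exit 1`. A one-line comment such as `# set default timeout is 2s; the SET target overrides it with 10s and --exist refreshes existing entries` would also explain why the two timeouts differ. The `case` statement starts and ends outside the hunk, so whether `stop)` destroys the `test` set cannot be confirmed from here.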
@@ -58,4 +58,26 @@
 1 ipset test ipport 10.255.255.64,icmp:host-prohibited
 # Destroy sets and rules
 0 ./iptables.sh inet stop
+# Create set and rules to check --exist and --timeout flags of SET target
+0 ./iptables.sh inet timeout
+# Add 10.255.255.64,icmp:host-prohibited to the set
+0 ipset add test 10.255.255.64,icmp:host-prohibited
+# Check that 10.255.255.64,icmp:3/10 is in ipport set
+0 ipset test test 10.255.255.64,icmp:host-prohibited
+# Sleep 3s so that entry can time out
+0 sleep 3s
+# Check that 10.255.255.64,icmp:3/10 is not in ipport set
+1 ipset test test 10.255.255.64,icmp:host-prohibited
+# Add 10.255.255.64,icmp:host-prohibited to the set again
+0 ipset add test 10.255.255.64,icmp:host-prohibited
+# Sleep 1s
+0 sleep 1s
+# Send probe packet 10.255.255.64,icmp:host-prohibited
+0 sendip -d r10 -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p icmp -ct 3 -cd 10 127.0.0.1
+# Sleep 5s, so original entry could time out
+0 sleep 5s
+# Check that 10.255.255.64,icmp:3/10 is not in ipport set
+0 ipset test test 10.255.255.64,icmp:host-prohibited
+# Destroy sets and rules
+0 ./iptables.sh inet stop
 # eof
--
cgit v1.2.3
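Review bot: The comment before the final check, `# Check that 10.255.255.64,icmp:3/10 is not in ipport set`, contradicts the expected status `0` on the line after it. By then the probe packet should have hit the rule with `--timeout 10 --exist` and refreshed the entry, so the test asserts that the entry is still present. I would reword it as `# Check that 10.255.255.64,icmp:3/10 is still in test set (timeout reset to 10s by the SET target)`. The two earlier `Check that` comments also say `ipport set`, although every command in this block queries the set named `test`. The first expiry check leaves only about 1s between the set's 2s timeout and `sleep 3s`, which is presumably enough but worth a comment if the test turns out flaky on a loaded machine.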