From 3a3794573386d0cb2930a9daad5615036c06f4e2 Mon Sep 17 00:00:00 2001 From: Jozsef Kadlecsik Date: Fri, 21 Sep 2012 21:03:24 +0200 Subject: Support to match elements marked with "nomatch" in hash:*net* sets Exceptions can now be matched and we can branch according to the possible cases: a. match in the set if the element is not flagged as "nomatch" b. match in the set if the element is flagged with "nomatch" c. no match i.e. iptables ... -m set --match-set ... -j ... iptables ... -m set --match-set ... --nomatch-entries -j ... ...
---
 tests/iptables.sh | 29 +++++++++++++++++++++++++++++ tests/match_flags.t | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ tests/runtest.sh | 2 +- 3 files changed, 79 insertions(+), 1 deletion(-) create mode 100644 tests/match_flags.t (limited to 'tests')
diff --git a/tests/iptables.sh b/tests/iptables.sh
index 9b1c90c..63b0b92 100755
--- a/tests/iptables.sh
+++ b/tests/iptables.sh
@@ -59,6 +59,35 @@ start)
 -j LOG --log-prefix "in set list: "
 $cmd -A OUTPUT -d $NET -j DROP
 cat /dev/null > .foo.err
+ cat /dev/null > /var/log/kern.log
+ ;;
+start_flags)
+ ../src/ipset n test hash:net $family 2>/dev/null
+ ../src/ipset a test 10.0.0.0/16 2>/dev/null
+ ../src/ipset a test 10.0.0.0/24 nomatch 2>/dev/null
+ ../src/ipset a test 10.0.0.1 2>/dev/null
+ $cmd -A INPUT ! -s 10.0.0.0/16 -j ACCEPT
+ $cmd -A INPUT -m set --match-set test src \
+ -j LOG --log-prefix "in set test: "
+ $cmd -A INPUT -m set --match-set test src --return-nomatch \
+ -j LOG --log-prefix "in set test-nomatch: "
+ $cmd -A INPUT -s 10.0.0.0/16 -j DROP
+ cat /dev/null > .foo.err
+ cat /dev/null > /var/log/kern.log
+ ;;
+start_flags_reversed)
+ ../src/ipset n test hash:net $family 2>/dev/null
+ ../src/ipset a test 10.0.0.0/16 2>/dev/null
+ ../src/ipset a test 10.0.0.0/24 nomatch 2>/dev/null
+ ../src/ipset a test 10.0.0.1 2>/dev/null
+ $cmd -A INPUT ! -s 10.0.0.0/16 -j ACCEPT
+ $cmd -A INPUT -m set --match-set test src --return-nomatch \
+ -j LOG --log-prefix "in set test-nomatch: "
+ $cmd -A INPUT -m set --match-set test src \
+ -j LOG --log-prefix "in set test: "
+ $cmd -A INPUT -s 10.0.0.0/16 -j DROP
+ cat /dev/null > .foo.err
+ cat /dev/null > /var/log/kern.log
 ;;
 del)
 $cmd -F INPUT
diff --git a/tests/match_flags.t b/tests/match_flags.t
new file mode 100644
index 0000000..8cede10
--- /dev/null
+++ b/tests/match_flags.t
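Review bot: The added `cat /dev/null > /var/log/kern.log` (once in the arm closed at the top of the hunk, presumably `start`, and again at the end of `start_flags` and `start_flags_reversed`) truncates the host's kernel log, discarding every unrelated record so that `check_klog.sh` presumably sees only this run's messages; on anything but a disposable test box that is a loss of audit data. Recording the log length before the probe and checking only lines after it, or making the path overridable with `KLOG=${KLOG:-/var/log/kern.log}` so a dedicated file can be used, keeps the test self-contained without erasing history. The `2>/dev/null` on the four `../src/ipset` calls (presumably to tolerate a leftover `test` set) also hides a genuinely failed set creation, such as a kernel without `nomatch` support, so the later klog checks fail with no hint why; a `../src/ipset n test hash:net $family 2>/dev/null || echo "ipset setup failed" >&2` on the first line would surface it. The two new arms differ only in rule order, so the four set-population lines could be one shared step. The enclosing `case` begins and ends outside this hunk.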
@@ -0,0 +1,49 @@
+# Create sets and inet rules which call set match
+0 ./iptables.sh inet start_flags
+# Send probe packet from 10.0.0.0,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.0 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched with --return-nomatch
+0 ./check_klog.sh 10.0.0.0 tcp 1025 test-nomatch
+# Send probe packet from 10.0.0.1,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.1 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched
+0 ./check_klog.sh 10.0.0.1 tcp 1025 test
+# Send probe packet from 10.0.0.2,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.2 -is 10.0.0.2 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched with --return-nomatch
+0 ./check_klog.sh 10.0.0.2 tcp 1025 test-nomatch
+# Send probe packet from 10.0.0.255,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.255 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched with --return-nomatch
+0 ./check_klog.sh 10.0.0.255 tcp 1025 test-nomatch
+# Send probe packet from 10.0.1.0,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.1.0 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched
+0 ./check_klog.sh 10.0.1.0 tcp 1025 test
+# Destroy sets and rules
+0 ./iptables.sh inet stop
+# Create sets and inet rules which call set match, reversed rule order
+0 ./iptables.sh inet start_flags_reversed
+# Send probe packet from 10.0.0.0,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.0 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched with --return-nomatch
+0 ./check_klog.sh 10.0.0.0 tcp 1025 test-nomatch
+# Send probe packet from 10.0.0.1,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.1 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched
+0 ./check_klog.sh 10.0.0.1 tcp 1025 test
+# Send probe packet from 10.0.0.2,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.2 -is 10.0.0.2 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched with --return-nomatch
+0 ./check_klog.sh 10.0.0.2 tcp 1025 test-nomatch
+# Send probe
packet from 10.0.0.255,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.255 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched with --return-nomatch
+0 ./check_klog.sh 10.0.0.255 tcp 1025 test-nomatch
+# Send probe packet from 10.0.1.0,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.1.0 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that test set matched
+0 ./check_klog.sh 10.0.1.0 tcp 1025 test
+# Destroy sets and rules
+0 ./iptables.sh inet stop
+# eof
diff --git a/tests/runtest.sh b/tests/runtest.sh
index ff5c492..ad2ac42 100755
--- a/tests/runtest.sh
+++ b/tests/runtest.sh
@@ -22,7 +22,7 @@ add_tests() {
 # inet|inet6 network
 if [ $1 = "inet" ]; then
 cmd=iptables-save
- add=match_target
+ add="match_target match_flags"
 else
 cmd=ip6tables-save
 add=match_target6
-- cgit v1.2.3
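Review bot: Every `./check_klog.sh` line only asserts that the expected prefix was logged, never that the other one was not, so a regression in which the plain `--match-set test src` rule also matches a `nomatch` address (logging `in set test:` alongside `in set test-nomatch:`) would still pass all 49 lines. If the leading column is the expected exit status and `check_klog.sh` returns non-zero when the line is absent, a companion check after each positive one, e.g. `1 ./check_klog.sh 10.0.0.0 tcp 1025 test` following the `test-nomatch` check for 10.0.0.0 (and the mirror `1 ./check_klog.sh 10.0.0.1 tcp 1025 test-nomatch`), would pin the intended one-of-two behaviour in both rule orders. The two probes from 10.0.0.2 are sent with `-id 127.0.0.2` while every other probe uses `-id 127.0.0.1`; if that is not deliberate, `-id 127.0.0.1` keeps them consistent and avoids a check that depends on the destination address being routed to the same interface. A header comment stating the expected outcome per address (10.0.0.1 matches via its /32 despite the `nomatch` /24; 10.0.0.0, 10.0.0.2 and 10.0.0.255 hit the exception; 10.0.1.0 matches the /16) would make the intent readable without consulting iptables.sh.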