From 780f6384c5c6639da3f5a6ac8d30653e8a26d6c0 Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik
Date: Fri, 25 Jun 2010 16:30:52 +0200
Subject: ipset 5: IPv6 port related and manpage fixes, more tests
- getting ports for family INET6 fixed
- more manpage polishing
- tests to check the iptables/ip6tables match and target added
---
tests/check_klog.sh | 46 ++++++++++++++++++++++++++++++++
tests/iptables.sh | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++
tests/match_target.t | 21 +++++++++++++++
tests/match_target6.t | 21 +++++++++++++++
tests/runtest.sh | 32 ++++++++++++++++++++++
5 files changed, 192 insertions(+)
create mode 100755 tests/check_klog.sh
create mode 100755 tests/iptables.sh
create mode 100644 tests/match_target.t
create mode 100644 tests/match_target6.t
(limited to 'tests')
diff --git a/tests/check_klog.sh b/tests/check_klog.sh
new file mode 100755
index 0000000..489fa71
--- /dev/null
+++ b/tests/check_klog.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# set -x
+set -e
+
+# arguments: ipaddr proto port setname ...
+
+expand_ipv6() {
+ # incomplete, but for our addresses it's OK
+ addr=
+ n=0
+ while read a; do
+ n=$((n+1))
+ if [ -z "$a" ]; then
+ addr="$addr::"
+ else
+ case `echo $a | wc -c` in
+ 4) a="0$a";;
+ 3) a="00$a";;
+ 2) a="000$a";;
+ esac
+ addr="$addr$a:"
+ fi
+ done < <(echo $1 | tr : '\n')
+ addr=`echo $addr | sed -e 's/:$//'`
+ null=
+ while [ $n -le 8 ]; do
+ null="$null:0000"
+ n=$((n+1))
+ done
+ addr=`echo $addr | sed -e "s/::/$null/"`
+ echo $addr
+}
+
+ipaddr=`expand_ipv6 $1`; shift
+proto=`echo $1 | tr a-z A-Z`; shift
+port=$1; shift
+
+for setname in $@; do
+ match=`grep -e "in set $setname: .* SRC=$ipaddr .* PROTO=$proto SPT=$port .*" /var/log/kern.log`
+ if [ -z "$match" ]; then
+ echo "no match!"
+ exit 1
+ fi
+done
+exit 0
diff --git a/tests/iptables.sh b/tests/iptables.sh
new file mode 100755
index 0000000..935b236
--- /dev/null
+++ b/tests/iptables.sh
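Review bot: The grep in the `for setname` loop scans the whole of /var/log/kern.log with no lower bound, so a line left by an earlier run, or by an earlier step of the same .t file that used the same address, protocol and port, satisfies the check and the test can pass without the current probe having matched anything; recording the log's line count before the probe is sent and grepping only the lines past it would tie the check to this run. The address, protocol and port are also interpolated unescaped into a basic regex, so each `.` of an IPv4 address matches any character; escaping first, `ipaddr=$(printf '%s\n' "$ipaddr" | sed 's/\./\\./g')`, keeps the match literal. `expand_ipv6 $1`, `echo $addr` and `for setname in $@` are unquoted (`"$@"`), harmless for the values used here but worth fixing while the file is new.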
@@ -0,0 +1,72 @@ +#!/bin/sh + +set -e + +# We play with the following networks: +# inet: 10.255.255.0/24 +# 10.255.255.0-31 in ip1 +# 10.255.255.32-63 in ip2 +# rest in ipport +# inet6: 1002:1002:1002:1002::/64 +# 1002:1002:1002:1002::1 in ip1 +# 1002:1002:1002:1002::32 in ip2 +# rest in ipport + +case "$1" in +inet) + cmd=iptables + family= + NET=10.255.255.0/24 + IP1=10.255.255.1 + IP2=10.255.255.32 + ;; +inet6) + cmd=ip6tables + family="family inet6" + NET=1002:1002:1002:1002::/64 + IP1=1002:1002:1002:1002::1 + IP2=1002:1002:1002:1002::32 + ;; +*) + echo "Usage: $0 inet|inet6 start|stop" + exit 1 + ;; +esac + + +case "$2" in +start) + ../src/ipset n ip1 hash:ip $family 2>/dev/null + ../src/ipset a ip1 $IP1 2>/dev/null + ../src/ipset n ip2 hash:ip $family 2>/dev/null + ../src/ipset a ip2 $IP2 2>/dev/null + ../src/ipset n ipport hash:ip,port $family proto any 2>/dev/null + ../src/ipset n list list:set 2>/dev/null + ../src/ipset a list ipport 2>/dev/null + ../src/ipset a list ip1 2>/dev/null + $cmd -A INPUT ! -s $NET -j ACCEPT + $cmd -A INPUT -m set ! --match-set ip1 src \ + -m set ! --match-set ip2 src \ + -j SET --add-set ipport src,src + $cmd -A INPUT -m set --match-set ip1 src \ + -j LOG --log-prefix "in set ip1: " + $cmd -A INPUT -m set --match-set ip2 src \ + -j LOG --log-prefix "in set ip2: " + $cmd -A INPUT -m set --match-set ipport src,src \ + -j LOG --log-prefix "in set ipport: " + $cmd -A INPUT -m set --match-set list src,src \ + -j LOG --log-prefix "in set list: " + $cmd -A OUTPUT -d $NET -j DROP + cat /dev/null > .foo.err + ;; +stop) + $cmd -F + $cmd -X + ../src/ipset -F 2>/dev/null + ../src/ipset -X 2>/dev/null + ;; +*) + echo "Usage: $0 start|stop" + exit 1 + ;; +esac diff --git a/tests/match_target.t b/tests/match_target.t new file mode 100644 index 0000000..8c3f3f9 --- /dev/null +++ b/tests/match_target.t 
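Review bot: The `stop` arm runs `$cmd -F`, `$cmd -X` and `../src/ipset -X` without a set name, which flushes every chain of the filter table and destroys every set on the host rather than only the rules and sets `start` created; the guard against pre-existing rules lives in runtest.sh, not here, so running `./iptables.sh inet stop` directly (as the last step of match_target.t does) is destructive on a host that has its own firewall rules. Limiting teardown to what `start` added keeps the blast radius to the test: `$cmd -F INPUT; $cmd -F OUTPUT` and `for s in list ipport ip1 ip2; do ../src/ipset -X $s 2>/dev/null; done`, with the list:set destroyed first because it references ip1 and ipport. The `*)` arm of the second `case` prints `Usage: $0 start|stop`, dropping the family argument the first `case` requires; `Usage: $0 inet|inet6 start|stop` matches the earlier message.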
@@ -0,0 +1,21 @@
+# Create sets and inet rules which call set match and SET target
+0 ./iptables.sh inet start
+# Send probe packet from 10.255.255.64,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that proper sets matched and target worked
+0 ./check_klog.sh 10.255.255.64 tcp 1025 ipport list
+# Send probe packet from 10.255.255.64,udp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
+# Check that proper sets matched and target worked
+0 ./check_klog.sh 10.255.255.64 udp 1025 ipport list
+# Send probe packet from 10.255.255.1,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.1 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that proper sets matched and target worked
+0 ./check_klog.sh 10.255.255.1 tcp 1025 ip1 list
+# Send probe packet from 10.255.255.32,tcp:1025
+0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.32 -p tcp -td 80 -ts 1025 127.0.0.1
+# Check that proper sets matched and target worked
+0 ./check_klog.sh 10.255.255.32 tcp 1025 ip2
+# Destroy sets and rules
+0 ./iptables.sh inet stop
+# eof
diff --git a/tests/match_target6.t b/tests/match_target6.t
new file mode 100644
index 0000000..58888bd
--- /dev/null
+++ b/tests/match_target6.t
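Review bot: The teardown `0 ./iptables.sh inet stop` is the last step, so if any earlier step returns non-zero the rules `start` installed (including `-A OUTPUT -d $NET -j DROP` and the LOG rules) and the four sets remain on the host after the test; that assumes the runner in runtest.sh stops at the first failing step, which is not visible in this commit and should be confirmed. match_target6.t has the same shape. Having the runner execute the stop step unconditionally, or having check_klog.sh's failure path call it, would leave the firewall as it was found.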
@@ -0,0 +1,21 @@
+# Create sets and inet6 rules which call set match and SET target
+0 ./iptables.sh inet6 start
+# Send probe packet from 1002:1002:1002:1002::64,tcp:1025
+0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p tcp -td 80 -ts 1025 ::1
+# Check that proper sets matched and target worked
+0 ./check_klog.sh 1002:1002:1002:1002::64 tcp 1025 ipport list
+# Send probe packet from 1002:1002:1002:1002::64,udp:1025
+0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p udp -ud 80 -us 1025 ::1
+# Check that proper sets matched and target worked
+0 ./check_klog.sh 1002:1002:1002:1002::64 udp 1025 ipport list
+# Send probe packet from 1002:1002:1002:1002::1,tcp:1025
+0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::1 -p tcp -td 80 -ts 1025 ::1
+# Check that proper sets matched and target worked
+0 ./check_klog.sh 1002:1002:1002:1002::1 tcp 1025 ip1 list
+# Send probe packet from 1002:1002:1002:1002::32,tcp:1025
+0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::32 -p tcp -td 80 -ts 1025 ::1
+# Check that proper sets matched and target worked
+0 ./check_klog.sh 1002:1002:1002:1002::32 tcp 1025 ip2
+# Destroy sets and rules
+0 ./iptables.sh inet6 stop
+# eof
diff --git a/tests/runtest.sh b/tests/runtest.sh
index ccd057e..32702c9 100755
--- a/tests/runtest.sh
+++ b/tests/runtest.sh
@@ -10,8 +10,40 @@ tests="$tests nethash hash:net hash:net6" tests="$tests setlist" tests="$tests iptree iptreemap" +add_tests() { + # inet|inet6 network + if [ $1 = "inet" ]; then + cmd=iptables-save + add=match_target + else + cmd=ip6tables-save + add=match_target6 + fi + modprobe ip_tables + if [ ! -e /var/log/kern.log -a -z "`grep 'kernel: ip_tables: ' /var/log/kern/log`" ]; then + echo "The destination for kernel log is not /var/log/kern.log, skipping $1 match and target tests" + return + fi + if [ `$cmd -t filter | wc -l` -eq 7 -a \ + `$cmd -t filter | grep ACCEPT | wc -l` -eq 3 ]; then + if [ -z "`which sendip`" ]; then + echo "sendip utility is missig: skipping $1 match and target tests" + elif [ -n "`netstat --protocol $1 -n | grep $2`" ]; then + echo "Our test network $2 in use: skipping $1 match and target tests" + else + tests="$tests $add" + fi + : + else + echo "You have got iptables rules: skipping $1 match and target tests" + fi +} + if [ "$1" ]; then tests="init $@" +else + add_tests inet 10.255.255 + add_tests inet6 1002:1002:1002:1002:: fi for types in $tests; do -- cgit v1.2.3
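Review bot: The second operand of the kern.log guard in add_tests greps `/var/log/kern/log` rather than `/var/log/kern.log`, so that grep always fails on a non-existent path (printing an error to stderr) and is always empty, which reduces the condition to the `! -e` test and makes the preceding `modprobe ip_tables` pointless; changing the path inside the grep to `/var/log/kern.log` is presumably what was meant, and given the message printed, `-o` rather than `-a` so the tests are also skipped when kern.log exists but receives no kernel messages — worth confirming with the author. `[ $1 = "inet" ]` and `grep $2` are unquoted, and `which sendip` is better written `command -v sendip`. The sendip branch message also has a typo: `missig` should be `missing`.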