author | Phil Sutter <phil@nwl.cc> | 2024-01-25 02:12:24 +0100 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2024-02-02 18:26:14 +0100 |
commit | 285406b1d22e3ed0aec30ea0a534ea76211156a9 (patch) | |
tree | 95607347977110481518de17fac9e6f7e0631aa6 | |
parent | 11c77ed471f2d8a6dc60c17aef1e1a3b52ff3591 (diff) |
extensions: *.t/*.txlate: Test range corner-cases
For every extension option accepting a range, test open and half-open as
well as single element and invalid (negative) ranges.
The added tests merely reflect the status quo, not the expected outcome.
Following patches will fix results and the already existing test cases
highlight the fixes' effects.
Signed-off-by: Phil Sutter <phil@nwl.cc>
-rw-r--r-- | extensions/libebt_ip.t | 12 | ||||
-rw-r--r-- | extensions/libebt_ip6.t | 12 | ||||
-rw-r--r-- | extensions/libebt_stp.t | 45 | ||||
-rw-r--r-- | extensions/libip6t_ah.t | 6 | ||||
-rw-r--r-- | extensions/libip6t_ah.txlate | 6 | ||||
-rw-r--r-- | extensions/libip6t_frag.t | 6 | ||||
-rw-r--r-- | extensions/libip6t_frag.txlate | 6 | ||||
-rw-r--r-- | extensions/libip6t_mh.t | 6 | ||||
-rw-r--r-- | extensions/libip6t_mh.txlate | 9 | ||||
-rw-r--r-- | extensions/libip6t_rt.t | 6 | ||||
-rw-r--r-- | extensions/libip6t_rt.txlate | 9 | ||||
-rw-r--r-- | extensions/libipt_ah.t | 6 | ||||
-rw-r--r-- | extensions/libipt_ah.txlate | 6 | ||||
-rw-r--r-- | extensions/libxt_NFQUEUE.t | 7 | ||||
-rw-r--r-- | extensions/libxt_connbytes.t | 6 | ||||
-rw-r--r-- | extensions/libxt_conntrack.t | 26 | ||||
-rw-r--r-- | extensions/libxt_dccp.t | 10 | ||||
-rw-r--r-- | extensions/libxt_esp.t | 7 | ||||
-rw-r--r-- | extensions/libxt_esp.txlate | 12 | ||||
-rw-r--r-- | extensions/libxt_ipcomp.t | 7 | ||||
-rw-r--r-- | extensions/libxt_length.t | 3 | ||||
-rw-r--r-- | extensions/libxt_tcp.t | 12 | ||||
-rw-r--r-- | extensions/libxt_tcp.txlate | 6 | ||||
-rw-r--r-- | extensions/libxt_tcpmss.t | 4 | ||||
-rw-r--r-- | extensions/libxt_udp.t | 12 | ||||
-rw-r--r-- | extensions/libxt_udp.txlate | 6 |
26 files changed, 253 insertions, 0 deletions
diff --git a/extensions/libebt_ip.t b/extensions/libebt_ip.t
index cfe4f54d..a9b5b8b5 100644
--- a/extensions/libebt_ip.t
+++ b/extensions/libebt_ip.t
@@ -6,6 +6,18 @@
 -p IPv4 ! --ip-tos 0xFF;=;OK
 -p IPv4 --ip-proto tcp --ip-dport 22;=;OK
 -p IPv4 --ip-proto udp --ip-sport 1024:65535;=;OK
+-p IPv4 --ip-proto udp --ip-sport :;-p IPv4 --ip-proto udp --ip-sport 0:65535;OK
+-p IPv4 --ip-proto udp --ip-sport :4;-p IPv4 --ip-proto udp --ip-sport 0:4;OK
+-p IPv4 --ip-proto udp --ip-sport 4:;-p IPv4 --ip-proto udp --ip-sport 4:65535;OK
+-p IPv4 --ip-proto udp --ip-sport 3:4;=;OK
+-p IPv4 --ip-proto udp --ip-sport 4:4;-p IPv4 --ip-proto udp --ip-sport 4;OK
+-p IPv4 --ip-proto udp --ip-sport 4:3;;FAIL
+-p IPv4 --ip-proto udp --ip-dport :;-p IPv4 --ip-proto udp --ip-dport 0:65535;OK
+-p IPv4 --ip-proto udp --ip-dport :4;-p IPv4 --ip-proto udp --ip-dport 0:4;OK
+-p IPv4 --ip-proto udp --ip-dport 4:;-p IPv4 --ip-proto udp --ip-dport 4:65535;OK
+-p IPv4 --ip-proto udp --ip-dport 3:4;=;OK
+-p IPv4 --ip-proto udp --ip-dport 4:4;-p IPv4 --ip-proto udp --ip-dport 4;OK
+-p IPv4 --ip-proto udp --ip-dport 4:3;;FAIL
 -p IPv4 --ip-proto 253;=;OK
 -p IPv4 ! --ip-proto 253;=;OK
 -p IPv4 --ip-proto icmp --ip-icmp-type echo-request;=;OK
diff --git a/extensions/libebt_ip6.t b/extensions/libebt_ip6.t
index 58e3c73c..cb1be9e3 100644
--- a/extensions/libebt_ip6.t
+++ b/extensions/libebt_ip6.t
@@ -10,6 +10,18 @@
 -p IPv6 --ip6-proto tcp ! --ip6-dport 22;=;OK
 -p IPv6 --ip6-proto tcp ! --ip6-sport 22 --ip6-dport 22;=;OK
 -p IPv6 --ip6-proto udp --ip6-sport 1024:65535;=;OK
+-p IPv6 --ip6-proto udp --ip6-sport :;-p IPv6 --ip6-proto udp --ip6-sport 0:65535;OK
+-p IPv6 --ip6-proto udp --ip6-sport :4;-p IPv6 --ip6-proto udp --ip6-sport 0:4;OK
+-p IPv6 --ip6-proto udp --ip6-sport 4:;-p IPv6 --ip6-proto udp --ip6-sport 4:65535;OK
+-p IPv6 --ip6-proto udp --ip6-sport 3:4;=;OK
+-p IPv6 --ip6-proto udp --ip6-sport 4:4;-p IPv6 --ip6-proto udp --ip6-sport 4;OK
+-p IPv6 --ip6-proto udp --ip6-sport 4:3;;FAIL
+-p IPv6 --ip6-proto udp --ip6-dport :;-p IPv6 --ip6-proto udp --ip6-dport 0:65535;OK
+-p IPv6 --ip6-proto udp --ip6-dport :4;-p IPv6 --ip6-proto udp --ip6-dport 0:4;OK
+-p IPv6 --ip6-proto udp --ip6-dport 4:;-p IPv6 --ip6-proto udp --ip6-dport 4:65535;OK
+-p IPv6 --ip6-proto udp --ip6-dport 3:4;=;OK
+-p IPv6 --ip6-proto udp --ip6-dport 4:4;-p IPv6 --ip6-proto udp --ip6-dport 4;OK
+-p IPv6 --ip6-proto udp --ip6-dport 4:3;;FAIL
 -p IPv6 --ip6-proto 253;=;OK
 -p IPv6 ! --ip6-proto 253;=;OK
 -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type echo-request -j CONTINUE;=;OK
diff --git a/extensions/libebt_stp.t b/extensions/libebt_stp.t
index 06df6073..f72051ac 100644
--- a/extensions/libebt_stp.t
+++ b/extensions/libebt_stp.t
@@ -27,3 +27,48 @@
 ! --stp-hello-time 1;=;OK
 --stp-forward-delay 1;=;OK
 ! --stp-forward-delay 1;=;OK
+--stp-root-prio :2;--stp-root-prio 0:2;OK
+--stp-root-prio 2:;--stp-root-prio 2:65535;OK
+--stp-root-prio 1:2;=;OK
+--stp-root-prio 1:1;--stp-root-prio 1;OK
+--stp-root-prio 2:1;;FAIL
+--stp-root-cost :2;--stp-root-cost 0:2;OK
+--stp-root-cost 2:;--stp-root-cost 2:4294967295;OK
+--stp-root-cost 1:2;=;OK
+--stp-root-cost 1:1;--stp-root-cost 1;OK
+--stp-root-cost 2:1;;FAIL
+--stp-sender-prio :2;--stp-sender-prio 0:2;OK
+--stp-sender-prio 2:;--stp-sender-prio 2:65535;OK
+--stp-sender-prio 1:2;=;OK
+--stp-sender-prio 1:1;--stp-sender-prio 1;OK
+--stp-sender-prio 2:1;;FAIL
+--stp-port :;--stp-port 0:65535;OK
+--stp-port :2;--stp-port 0:2;OK
+--stp-port 2:;--stp-port 2:65535;OK
+--stp-port 1:2;=;OK
+--stp-port 1:1;--stp-port 1;OK
+--stp-port 2:1;;FAIL
+--stp-msg-age :;--stp-msg-age 0:65535;OK
+--stp-msg-age :2;--stp-msg-age 0:2;OK
+--stp-msg-age 2:;--stp-msg-age 2:65535;OK
+--stp-msg-age 1:2;=;OK
+--stp-msg-age 1:1;--stp-msg-age 1;OK
+--stp-msg-age 2:1;;FAIL
+--stp-max-age :;--stp-max-age 0:65535;OK
+--stp-max-age :2;--stp-max-age 0:2;OK
+--stp-max-age 2:;--stp-max-age 2:65535;OK
+--stp-max-age 1:2;=;OK
+--stp-max-age 1:1;--stp-max-age 1;OK
+--stp-max-age 2:1;;FAIL
+--stp-hello-time :;--stp-hello-time 0:65535;OK
+--stp-hello-time :2;--stp-hello-time 0:2;OK
+--stp-hello-time 2:;--stp-hello-time 2:65535;OK
+--stp-hello-time 1:2;=;OK
+--stp-hello-time 1:1;--stp-hello-time 1;OK
+--stp-hello-time 2:1;;FAIL
+--stp-forward-delay :;--stp-forward-delay 0:65535;OK
+--stp-forward-delay :2;--stp-forward-delay 0:2;OK
+--stp-forward-delay 2:;--stp-forward-delay 2:65535;OK
+--stp-forward-delay 1:2;=;OK
+--stp-forward-delay 1:1;--stp-forward-delay 1;OK
+--stp-forward-delay 2:1;;FAIL
diff --git a/extensions/libip6t_ah.t b/extensions/libip6t_ah.t
index c1898d44..77c5383c 100644
--- a/extensions/libip6t_ah.t
+++ b/extensions/libip6t_ah.t
@@ -13,3 +13,9 @@
 -m ah --ahspi 0:invalid;;FAIL
 -m ah --ahspi;;FAIL
 -m ah;=;OK
+-m ah --ahspi :;-m ah;OK
+-m ah ! --ahspi :;-m ah;OK
+-m ah --ahspi :3;-m ah --ahspi 0:3;OK
+-m ah --ahspi 3:;-m ah --ahspi 3:4294967295;OK
+-m ah --ahspi 3:3;-m ah --ahspi 3;OK
+-m ah --ahspi 4:3;=;OK
diff --git a/extensions/libip6t_ah.txlate b/extensions/libip6t_ah.txlate
index cc33ac27..fc7248ab 100644
--- a/extensions/libip6t_ah.txlate
+++ b/extensions/libip6t_ah.txlate
@@ -15,3 +15,9 @@ nft 'add rule ip6 filter INPUT ah spi 500 ah hdrlength != 120 counter drop'
 ip6tables-translate -A INPUT -m ah --ahspi 500 --ahlen 120 --ahres -j ACCEPT
 nft 'add rule ip6 filter INPUT ah spi 500 ah hdrlength 120 ah reserved 1 counter accept'
+
+ip6tables-translate -A INPUT -m ah --ahspi 0:4294967295
+nft 'add rule ip6 filter INPUT meta l4proto ah counter'
+
+ip6tables-translate -A INPUT -m ah ! --ahspi 0:4294967295
+nft 'add rule ip6 filter INPUT meta l4proto ah counter'
diff --git a/extensions/libip6t_frag.t b/extensions/libip6t_frag.t
index 299fa03f..a8907670 100644
--- a/extensions/libip6t_frag.t
+++ b/extensions/libip6t_frag.t
@@ -1,5 +1,11 @@
 :INPUT,FORWARD,OUTPUT
+-m frag --fragid :;-m frag;OK
+-m frag ! --fragid :;-m frag;OK
+-m frag --fragid :42;-m frag --fragid 0:42;OK
+-m frag --fragid 42:;-m frag --fragid 42:4294967295;OK
 -m frag --fragid 1:42;=;OK
+-m frag --fragid 3:3;-m frag --fragid 3;OK
+-m frag --fragid 4:3;=;OK
 -m frag --fraglen 42;=;OK
 -m frag --fragres;=;OK
 -m frag --fragfirst;=;OK
diff --git a/extensions/libip6t_frag.txlate b/extensions/libip6t_frag.txlate
index 33fc0631..2b6585af 100644
--- a/extensions/libip6t_frag.txlate
+++ b/extensions/libip6t_frag.txlate
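Review bot: The libip6t_ah.t lines `-m ah ! --ahspi :;-m ah;OK` and `-m ah --ahspi 4:3;=;OK` pin, as passing expectations, that a negated open range is reduced to plain `-m ah` (the `!` is lost) and that an inverted range is accepted, and nothing inside the fixture says these are the status quo rather than the contract; only the commit message does. The same one or both patterns are added to libip6t_frag.t, libip6t_mh.t, libip6t_rt.t, libipt_ah.t, libxt_esp.t, libxt_ipcomp.t, libxt_udp.t, libxt_dccp.t, libxt_conntrack.t and libxt_length.t, and to the .txlate files where `! --ahspi 0:4294967295` translates to a rule with no match at all, while libebt_ip.t, libebt_stp.t and libxt_tcp.t already reject `4:3` with FAIL, so the inconsistency is visible across the commit. Since the .t format carries `#` comment lines (libxt_connbytes.t uses them in this very diff), I would prefix each such group with a marker such as `# status quo, known wrong: negated / inverted range handling, fixed by follow-up patches`, so a reader does not take the dropped negation or the accepted inverted range as intended semantics should the follow-ups be delayed; whether the .txlate runner tolerates comment lines I cannot tell from here.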
@@ -15,3 +15,9 @@ nft 'add rule ip6 filter INPUT frag id 100-200 frag frag-off 0 counter accept'
 ip6tables-translate -t filter -A INPUT -m frag --fraglast -j ACCEPT
 nft 'add rule ip6 filter INPUT frag more-fragments 0 counter accept'
+
+ip6tables-translate -t filter -A INPUT -m frag --fragid 0:4294967295
+nft 'add rule ip6 filter INPUT counter'
+
+ip6tables-translate -t filter -A INPUT -m frag ! --fragid 0:4294967295
+nft 'add rule ip6 filter INPUT counter'
diff --git a/extensions/libip6t_mh.t b/extensions/libip6t_mh.t
index 6b76d13d..151eabe6 100644
--- a/extensions/libip6t_mh.t
+++ b/extensions/libip6t_mh.t
@@ -4,3 +4,9 @@
 -p mobility-header -m mh --mh-type 1;=;OK
 -p mobility-header -m mh ! --mh-type 4;=;OK
 -p mobility-header -m mh --mh-type 4:123;=;OK
+-p mobility-header -m mh --mh-type :;-p mobility-header -m mh;OK
+-p mobility-header -m mh ! --mh-type :;-p mobility-header -m mh;OK
+-p mobility-header -m mh --mh-type :3;-p mobility-header -m mh --mh-type 0:3;OK
+-p mobility-header -m mh --mh-type 3:;-p mobility-header -m mh --mh-type 3:255;OK
+-p mobility-header -m mh --mh-type 3:3;-p mobility-header -m mh --mh-type 3;OK
+-p mobility-header -m mh --mh-type 4:3;;FAIL
diff --git a/extensions/libip6t_mh.txlate b/extensions/libip6t_mh.txlate
index 4dfaf46a..825c9569 100644
--- a/extensions/libip6t_mh.txlate
+++ b/extensions/libip6t_mh.txlate
@@ -3,3 +3,12 @@ nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type 1 counter ac
 ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT
 nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type 1-3 counter accept'
+
+ip6tables-translate -A INPUT -p mh --mh-type 0:255 -j ACCEPT
+nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'
+
+ip6tables-translate -A INPUT -m mh --mh-type 0:255 -j ACCEPT
+nft 'add rule ip6 filter INPUT counter accept'
+
+ip6tables-translate -A INPUT -p mh ! --mh-type 0:255 -j ACCEPT
+nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'
diff --git a/extensions/libip6t_rt.t b/extensions/libip6t_rt.t
index 3c7b2d98..2699e800 100644
--- a/extensions/libip6t_rt.t
+++ b/extensions/libip6t_rt.t
@@ -3,3 +3,9 @@
 -m rt --rt-type 0 ! --rt-segsleft 1:23 ! --rt-len 42 --rt-0-res;=;OK
 -m rt ! --rt-type 1 ! --rt-segsleft 12:23 ! --rt-len 42;=;OK
 -m rt;=;OK
+-m rt --rt-segsleft :;-m rt;OK
+-m rt ! --rt-segsleft :;-m rt;OK
+-m rt --rt-segsleft :3;-m rt --rt-segsleft 0:3;OK
+-m rt --rt-segsleft 3:;-m rt --rt-segsleft 3:4294967295;OK
+-m rt --rt-segsleft 3:3;-m rt --rt-segsleft 3;OK
+-m rt --rt-segsleft 4:3;=;OK
diff --git a/extensions/libip6t_rt.txlate b/extensions/libip6t_rt.txlate
index 3578bcba..67d88d07 100644
--- a/extensions/libip6t_rt.txlate
+++ b/extensions/libip6t_rt.txlate
@@ -12,3 +12,12 @@ nft 'add rule ip6 filter INPUT rt type 0 rt hdrlength 22 counter drop'
 ip6tables-translate -A INPUT -m rt --rt-type 0 --rt-len 22 ! --rt-segsleft 26 -j ACCEPT
 nft 'add rule ip6 filter INPUT rt type 0 rt seg-left != 26 rt hdrlength 22 counter accept'
+
+ip6tables-translate -A INPUT -m rt --rt-segsleft 13:42 -j ACCEPT
+nft 'add rule ip6 filter INPUT rt seg-left 13-42 counter accept'
+
+ip6tables-translate -A INPUT -m rt --rt-segsleft 0:4294967295 -j ACCEPT
+nft 'add rule ip6 filter INPUT counter accept'
+
+ip6tables-translate -A INPUT -m rt ! --rt-segsleft 0:4294967295 -j ACCEPT
+nft 'add rule ip6 filter INPUT counter accept'
diff --git a/extensions/libipt_ah.t b/extensions/libipt_ah.t
index cd853865..a2aa338f 100644
--- a/extensions/libipt_ah.t
+++ b/extensions/libipt_ah.t
@@ -11,3 +11,9 @@
 -m ah --ahspi;;FAIL
 -m ah;;FAIL
 -p ah -m ah;=;OK
+-p ah -m ah --ahspi :;-p ah -m ah;OK
+-p ah -m ah ! --ahspi :;-p ah -m ah;OK
+-p ah -m ah --ahspi :3;-p ah -m ah --ahspi 0:3;OK
+-p ah -m ah --ahspi 3:;-p ah -m ah --ahspi 3:4294967295;OK
+-p ah -m ah --ahspi 3:3;-p ah -m ah --ahspi 3;OK
+-p ah -m ah --ahspi 4:3;=;OK
diff --git a/extensions/libipt_ah.txlate b/extensions/libipt_ah.txlate
index 897c82b5..e35ac17a 100644
--- a/extensions/libipt_ah.txlate
+++ b/extensions/libipt_ah.txlate
@@ -6,3 +6,9 @@ nft 'add rule ip filter INPUT ah spi 500-600 counter drop'
 iptables-translate -A INPUT -p 51 -m ah ! --ahspi 50 -j DROP
 nft 'add rule ip filter INPUT ah spi != 50 counter drop'
+
+iptables-translate -A INPUT -p 51 -m ah --ahspi 0:4294967295 -j DROP
+nft 'add rule ip filter INPUT counter drop'
+
+iptables-translate -A INPUT -p 51 -m ah ! --ahspi 0:4294967295 -j DROP
+nft 'add rule ip filter INPUT counter drop'
diff --git a/extensions/libxt_NFQUEUE.t b/extensions/libxt_NFQUEUE.t
index 8fb2b760..1adb8e40 100644
--- a/extensions/libxt_NFQUEUE.t
+++ b/extensions/libxt_NFQUEUE.t
@@ -8,6 +8,13 @@
 -j NFQUEUE --queue-balance 0:65535;;FAIL
 -j NFQUEUE --queue-balance 0:65536;;FAIL
 -j NFQUEUE --queue-balance -1:65535;;FAIL
+-j NFQUEUE --queue-balance 4;;FAIL
+-j NFQUEUE --queue-balance :;;FAIL
+-j NFQUEUE --queue-balance :4;-j NFQUEUE --queue-balance 0:4;OK
+-j NFQUEUE --queue-balance 4:;-j NFQUEUE --queue-balance 4:65535;OK
+-j NFQUEUE --queue-balance 3:4;=;OK
+-j NFQUEUE --queue-balance 4:4;;FAIL
+-j NFQUEUE --queue-balance 4:3;;FAIL
 -j NFQUEUE --queue-num 10 --queue-bypass;=;OK
 -j NFQUEUE --queue-balance 0:6 --queue-cpu-fanout --queue-bypass;-j NFQUEUE --queue-balance 0:6 --queue-bypass --queue-cpu-fanout;OK
 -j NFQUEUE --queue-bypass --queue-balance 0:6 --queue-cpu-fanout;-j NFQUEUE --queue-balance 0:6 --queue-bypass --queue-cpu-fanout;OK
diff --git a/extensions/libxt_connbytes.t b/extensions/libxt_connbytes.t
index 6b24e266..60209c69 100644
--- a/extensions/libxt_connbytes.t
+++ b/extensions/libxt_connbytes.t
@@ -10,6 +10,12 @@
 -m connbytes --connbytes 0:1000 --connbytes-mode avgpkt --connbytes-dir both;=;OK
 -m connbytes --connbytes -1:0 --connbytes-mode packets --connbytes-dir original;;FAIL
 -m connbytes --connbytes 0:-1 --connbytes-mode packets --connbytes-dir original;;FAIL
+-m connbytes --connbytes : --connbytes-mode packets --connbytes-dir original;-m connbytes --connbytes 0 --connbytes-mode packets --connbytes-dir original;OK
+-m connbytes --connbytes :1000 --connbytes-mode packets --connbytes-dir original;-m connbytes --connbytes 0:1000 --connbytes-mode packets --connbytes-dir original;OK
+-m connbytes --connbytes 1000 --connbytes-mode packets --connbytes-dir original;=;OK
+-m connbytes --connbytes 1000: --connbytes-mode packets --connbytes-dir original;-m connbytes --connbytes 1000 --connbytes-mode packets --connbytes-dir original;OK
+-m connbytes --connbytes 1000:1000 --connbytes-mode packets --connbytes-dir original;=;OK
+-m connbytes --connbytes 1000:0 --connbytes-mode packets --connbytes-dir original;;FAIL
 # ERROR: cannot find: iptables -I INPUT -m connbytes --connbytes 0:18446744073709551615 --connbytes-mode avgpkt --connbytes-dir both
 # -m connbytes --connbytes 0:18446744073709551615 --connbytes-mode avgpkt --connbytes-dir both;=;OK
 -m connbytes --connbytes 0:18446744073709551616 --connbytes-mode avgpkt --connbytes-dir both;;FAIL
diff --git a/extensions/libxt_conntrack.t b/extensions/libxt_conntrack.t
index 2b3c5de9..399d70ab 100644
--- a/extensions/libxt_conntrack.t
+++ b/extensions/libxt_conntrack.t
@@ -17,6 +17,8 @@
 -m conntrack --ctexpire 0:4294967295;=;OK
 -m conntrack --ctexpire 42949672956;;FAIL
 -m conntrack --ctexpire -1;;FAIL
+-m conntrack --ctexpire 3:3;-m conntrack --ctexpire 3;OK
+-m conntrack --ctexpire 4:3;=;OK
 -m conntrack --ctdir ORIGINAL;=;OK
 -m conntrack --ctdir REPLY;=;OK
 -m conntrack --ctstatus NONE;=;OK
@@ -27,3 +29,27 @@
 -m conntrack;;FAIL
 -m conntrack --ctproto 0;;FAIL
 -m conntrack ! --ctproto 0;;FAIL
+-m conntrack --ctorigsrcport :;-m conntrack --ctorigsrcport 0:65535;OK
+-m conntrack --ctorigsrcport :4;-m conntrack --ctorigsrcport 0:4;OK
+-m conntrack --ctorigsrcport 4:;-m conntrack --ctorigsrcport 4:65535;OK
+-m conntrack --ctorigsrcport 3:4;=;OK
+-m conntrack --ctorigsrcport 4:4;-m conntrack --ctorigsrcport 4;OK
+-m conntrack --ctorigsrcport 4:3;=;OK
+-m conntrack --ctreplsrcport :;-m conntrack --ctreplsrcport 0:65535;OK
+-m conntrack --ctreplsrcport :4;-m conntrack --ctreplsrcport 0:4;OK
+-m conntrack --ctreplsrcport 4:;-m conntrack --ctreplsrcport 4:65535;OK
+-m conntrack --ctreplsrcport 3:4;=;OK
+-m conntrack --ctreplsrcport 4:4;-m conntrack --ctreplsrcport 4;OK
+-m conntrack --ctreplsrcport 4:3;=;OK
+-m conntrack --ctorigdstport :;-m conntrack --ctorigdstport 0:65535;OK
+-m conntrack --ctorigdstport :4;-m conntrack --ctorigdstport 0:4;OK
+-m conntrack --ctorigdstport 4:;-m conntrack --ctorigdstport 4:65535;OK
+-m conntrack --ctorigdstport 3:4;=;OK
+-m conntrack --ctorigdstport 4:4;-m conntrack --ctorigdstport 4;OK
+-m conntrack --ctorigdstport 4:3;=;OK
+-m conntrack --ctrepldstport :;-m conntrack --ctrepldstport 0:65535;OK
+-m conntrack --ctrepldstport :4;-m conntrack --ctrepldstport 0:4;OK
+-m conntrack --ctrepldstport 4:;-m conntrack --ctrepldstport 4:65535;OK
+-m conntrack --ctrepldstport 3:4;=;OK
+-m conntrack --ctrepldstport 4:4;-m conntrack --ctrepldstport 4;OK
+-m conntrack --ctrepldstport 4:3;=;OK
diff --git a/extensions/libxt_dccp.t b/extensions/libxt_dccp.t
index f60b480f..535891a5 100644
--- a/extensions/libxt_dccp.t
+++ b/extensions/libxt_dccp.t
@@ -6,6 +6,16 @@
 -p dccp -m dccp --sport 1:1023;=;OK
 -p dccp -m dccp --sport 1024:65535;=;OK
 -p dccp -m dccp --sport 1024:;-p dccp -m dccp --sport 1024:65535;OK
+-p dccp -m dccp --sport :;-p dccp -m dccp --sport 0:65535;OK
+-p dccp -m dccp --sport :4;-p dccp -m dccp --sport 0:4;OK
+-p dccp -m dccp --sport 4:;-p dccp -m dccp --sport 4:65535;OK
+-p dccp -m dccp --sport 4:4;-p dccp -m dccp --sport 4;OK
+-p dccp -m dccp --sport 4:3;=;OK
+-p dccp -m dccp --dport :;-p dccp -m dccp --dport 0:65535;OK
+-p dccp -m dccp --dport :4;-p dccp -m dccp --dport 0:4;OK
+-p dccp -m dccp --dport 4:;-p dccp -m dccp --dport 4:65535;OK
+-p dccp -m dccp --dport 4:4;-p dccp -m dccp --dport 4;OK
+-p dccp -m dccp --dport 4:3;=;OK
 -p dccp -m dccp ! --sport 1;=;OK
 -p dccp -m dccp ! --sport 65535;=;OK
 -p dccp -m dccp ! --dport 1;=;OK
diff --git a/extensions/libxt_esp.t b/extensions/libxt_esp.t
index 92c5779f..a8bc5287 100644
--- a/extensions/libxt_esp.t
+++ b/extensions/libxt_esp.t
@@ -4,5 +4,12 @@
 -p esp -m esp --espspi 0:4294967295;-p esp -m esp;OK
 -p esp -m esp ! --espspi 0:4294967294;=;OK
 -p esp -m esp --espspi -1;;FAIL
+-p esp -m esp --espspi :;-p esp -m esp;OK
+-p esp -m esp ! --espspi :;-p esp -m esp;OK
+-p esp -m esp --espspi :4;-p esp -m esp --espspi 0:4;OK
+-p esp -m esp --espspi 4:;-p esp -m esp --espspi 4:4294967295;OK
+-p esp -m esp --espspi 3:4;=;OK
+-p esp -m esp --espspi 4:4;-p esp -m esp --espspi 4;OK
+-p esp -m esp --espspi 4:3;=;OK
 -p esp -m esp;=;OK
 -m esp;;FAIL
diff --git a/extensions/libxt_esp.txlate b/extensions/libxt_esp.txlate
index f6aba52f..3b1d5718 100644
--- a/extensions/libxt_esp.txlate
+++ b/extensions/libxt_esp.txlate
@@ -9,3 +9,15 @@ nft 'add rule ip filter INPUT esp spi 500 counter drop'
 iptables-translate -A INPUT -p 50 -m esp --espspi 500:600 -j DROP
 nft 'add rule ip filter INPUT esp spi 500-600 counter drop'
+
+iptables-translate -A INPUT -p 50 -m esp --espspi 0:4294967295 -j DROP
+nft 'add rule ip filter INPUT counter drop'
+
+iptables-translate -A INPUT -p 50 -m esp ! --espspi 0:4294967295 -j DROP
+nft 'add rule ip filter INPUT counter drop'
+
+ip6tables-translate -A INPUT -p 50 -m esp --espspi 0:4294967295 -j DROP
+nft 'add rule ip6 filter INPUT counter drop'
+
+ip6tables-translate -A INPUT -p 50 -m esp ! --espspi 0:4294967295 -j DROP
+nft 'add rule ip6 filter INPUT counter drop'
diff --git a/extensions/libxt_ipcomp.t b/extensions/libxt_ipcomp.t
index 8546ba9c..f62144ae 100644
--- a/extensions/libxt_ipcomp.t
+++ b/extensions/libxt_ipcomp.t
@@ -1,3 +1,10 @@
 :INPUT,OUTPUT
 -p ipcomp -m ipcomp --ipcompspi 18 -j DROP;=;OK
 -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT;=;OK
+-p ipcomp -m ipcomp --ipcompspi :;-p ipcomp -m ipcomp;OK
+-p ipcomp -m ipcomp ! --ipcompspi :;-p ipcomp -m ipcomp;OK
+-p ipcomp -m ipcomp --ipcompspi :4;-p ipcomp -m ipcomp --ipcompspi 0:4;OK
+-p ipcomp -m ipcomp --ipcompspi 4:;-p ipcomp -m ipcomp --ipcompspi 4:4294967295;OK
+-p ipcomp -m ipcomp --ipcompspi 3:4;=;OK
+-p ipcomp -m ipcomp --ipcompspi 4:4;-p ipcomp -m ipcomp --ipcompspi 4;OK
+-p ipcomp -m ipcomp --ipcompspi 4:3;=;OK
diff --git a/extensions/libxt_length.t b/extensions/libxt_length.t
index 8b70fc31..3905d2d0 100644
--- a/extensions/libxt_length.t
+++ b/extensions/libxt_length.t
@@ -3,8 +3,11 @@
 -m length --length :2;-m length --length 0:2;OK
 -m length --length 0:3;=;OK
 -m length --length 4:;-m length --length 4:65535;OK
+-m length --length :;-m length --length 0:65535;OK
 -m length --length 0:65535;=;OK
 -m length ! --length 0:65535;=;OK
 -m length --length 0:65536;;FAIL
 -m length --length -1:65535;;FAIL
+-m length --length 4:4;-m length --length 4;OK
+-m length --length 4:3;=;OK
 -m length;;FAIL
diff --git a/extensions/libxt_tcp.t b/extensions/libxt_tcp.t
index 7a3bbd08..baa41615 100644
--- a/extensions/libxt_tcp.t
+++ b/extensions/libxt_tcp.t
@@ -6,6 +6,18 @@
 -p tcp -m tcp --sport 1:1023;=;OK
 -p tcp -m tcp --sport 1024:65535;=;OK
 -p tcp -m tcp --sport 1024:;-p tcp -m tcp --sport 1024:65535;OK
+-p tcp -m tcp --sport :;-p tcp -m tcp;OK
+-p tcp -m tcp ! --sport :;-p tcp -m tcp;OK;LEGACY;-p tcp
+-p tcp -m tcp --sport :4;-p tcp -m tcp --sport 0:4;OK
+-p tcp -m tcp --sport 4:;-p tcp -m tcp --sport 4:65535;OK
+-p tcp -m tcp --sport 4:4;-p tcp -m tcp --sport 4;OK
+-p tcp -m tcp --sport 4:3;;FAIL
+-p tcp -m tcp --dport :;-p tcp -m tcp;OK
+-p tcp -m tcp ! --dport :;-p tcp -m tcp;OK;LEGACY;-p tcp
+-p tcp -m tcp --dport :4;-p tcp -m tcp --dport 0:4;OK
+-p tcp -m tcp --dport 4:;-p tcp -m tcp --dport 4:65535;OK
+-p tcp -m tcp --dport 4:4;-p tcp -m tcp --dport 4;OK
+-p tcp -m tcp --dport 4:3;;FAIL
 -p tcp -m tcp ! --sport 1;=;OK
 -p tcp -m tcp ! --sport 65535;=;OK
 -p tcp -m tcp ! --dport 1;=;OK
diff --git a/extensions/libxt_tcp.txlate b/extensions/libxt_tcp.txlate
index 9802ddfe..a7e921bf 100644
--- a/extensions/libxt_tcp.txlate
+++ b/extensions/libxt_tcp.txlate
@@ -30,3 +30,9 @@ nft 'add rule ip filter INPUT tcp option 23 exists counter'
 iptables-translate -A INPUT -p tcp ! --tcp-option 23
 nft 'add rule ip filter INPUT tcp option 23 missing counter'
+
+iptables-translate -I OUTPUT -p tcp --sport 0:65535 -j ACCEPT
+nft 'insert rule ip filter OUTPUT counter accept'
+
+iptables-translate -I OUTPUT -p tcp ! --sport 0:65535 -j ACCEPT
+nft 'insert rule ip filter OUTPUT counter accept'
diff --git a/extensions/libxt_tcpmss.t b/extensions/libxt_tcpmss.t
index 2b415957..d0fb52fa 100644
--- a/extensions/libxt_tcpmss.t
+++ b/extensions/libxt_tcpmss.t
@@ -1,6 +1,10 @@
 :INPUT,FORWARD,OUTPUT
 -m tcpmss --mss 42;;FAIL
 -p tcp -m tcpmss --mss 42;=;OK
+-p tcp -m tcpmss --mss :;-p tcp -m tcpmss --mss 0:65535;OK
+-p tcp -m tcpmss --mss :42;-p tcp -m tcpmss --mss 0:42;OK
+-p tcp -m tcpmss --mss 42:;-p tcp -m tcpmss --mss 42:65535;OK
+-p tcp -m tcpmss --mss 42:42;-p tcp -m tcpmss --mss 42;OK
 -p tcp -m tcpmss --mss 42:12345;=;OK
 -p tcp -m tcpmss --mss 42:65536;;FAIL
 -p tcp -m tcpmss --mss 65535:1000;;FAIL
diff --git a/extensions/libxt_udp.t b/extensions/libxt_udp.t
index f5347701..d62dd5e3 100644
--- a/extensions/libxt_udp.t
+++ b/extensions/libxt_udp.t
@@ -6,6 +6,18 @@
 -p udp -m udp --sport 1:1023;=;OK
 -p udp -m udp --sport 1024:65535;=;OK
 -p udp -m udp --sport 1024:;-p udp -m udp --sport 1024:65535;OK
+-p udp -m udp --sport :;-p udp -m udp;OK
+-p udp -m udp ! --sport :;-p udp -m udp;OK;LEGACY;-p udp
+-p udp -m udp --sport :4;-p udp -m udp --sport 0:4;OK
+-p udp -m udp --sport 4:;-p udp -m udp --sport 4:65535;OK
+-p udp -m udp --sport 4:4;-p udp -m udp --sport 4;OK
+-p udp -m udp --sport 4:3;=;OK
+-p udp -m udp --dport :;-p udp -m udp;OK
+-p udp -m udp ! --dport :;-p udp -m udp;OK;LEGACY;-p udp
+-p udp -m udp --dport :4;-p udp -m udp --dport 0:4;OK
+-p udp -m udp --dport 4:;-p udp -m udp --dport 4:65535;OK
+-p udp -m udp --dport 4:4;-p udp -m udp --dport 4;OK
+-p udp -m udp --dport 4:3;=;OK
 -p udp -m udp ! --sport 1;=;OK
 -p udp -m udp ! --sport 65535;=;OK
 -p udp -m udp ! --dport 1;=;OK
diff --git a/extensions/libxt_udp.txlate b/extensions/libxt_udp.txlate
index 28e7ca20..3aed7cd1 100644
--- a/extensions/libxt_udp.txlate
+++ b/extensions/libxt_udp.txlate
@@ -9,3 +9,9 @@ nft 'insert rule ip filter OUTPUT ip protocol udp ip daddr 8.8.8.8 counter accep
 iptables-translate -I OUTPUT -p udp --dport 1020:1023 --sport 53 -j ACCEPT
 nft 'insert rule ip filter OUTPUT udp sport 53 udp dport 1020-1023 counter accept'
+
+iptables-translate -I OUTPUT -p udp --sport 0:65535 -j ACCEPT
+nft 'insert rule ip filter OUTPUT counter accept'
+
+iptables-translate -I OUTPUT -p udp ! --sport 0:65535 -j ACCEPT
+nft 'insert rule ip filter OUTPUT counter accept'