# arguments: ipaddr proto port setname ...
+test -f .loglines || exit 1
+loglines=$(<.loglines)
+if [ $loglines -ne 0 ]; then
+ loglines=$((loglines - 1))
+fi
+
expand_ipv6() {
# incomplete, but for our addresses it's OK
addr=
port=$1; shift
for setname in $@; do
- match=`dmesg| tail -n 2 | grep -e "in set $setname: .* SRC=$ipaddr .* PROTO=$proto SPT=$port .*"`
+ match=`tail -n +$loglines /var/log/kern.log | grep -e "in set $setname: .* SRC=$ipaddr .* PROTO=$proto SPT=$port .*"`
if [ -z "$match" ]; then
echo "no match!"
exit 1
;;
esac
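Review bot: The window scanned by `tail -n +$loglines` on the new match line starts before the probe: the script subtracts one from the recorded count (L4–L6) and `tail -n +K` begins at line K, so with N lines recorded before sendip ran it re-reads lines N-1 and N, both of which pre-date the probe. If the intent is to inspect only messages logged by this probe, the first new line is N+1, i.e. `loglines=$((loglines + 1))` with no special case for 0 (`tail -n +1` is simply the whole file); as written a stale message for the same set/address/port tuple left by an earlier probe can satisfy the grep. The value read from `.loglines` is also used unvalidated in `[ $loglines -ne 0 ]`, which errors out if the file is empty or the count is padded; a check such as `case $loglines in ''|*[!0-9]*) exit 1;; esac` right after reading it would fail clearly instead. The function containing the match line begins outside the hunk.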
-
case "$2" in
start)
$ipset n ip1 hash:ip $family 2>/dev/null
;;
del)
$cmd -F INPUT
- $cmd -A INPUT -j SET --del-set ipport src,src
+ $cmd -A INPUT -s $NET -j SET --del-set ipport src,src
;;
add)
$ipset n test hash:net $family 2>/dev/null
$cmd -F INPUT
- $cmd -A INPUT -j SET --add-set test src
+ $cmd -A INPUT -s $NET -j SET --add-set test src
;;
timeout)
$ipset n test hash:ip,port timeout 2
- $cmd -A INPUT -j SET --add-set test src,src --timeout 10 --exist
+ $cmd -A INPUT -s $NET -j SET --add-set test src,src --timeout 10 --exist
;;
mangle)
$ipset n test hash:net $family skbinfo 2>/dev/null
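Review bot: `$NET` on the new `-s $NET` rules in the del, add and timeout cases is neither assigned nor checked anywhere visible in this hunk, and it is unquoted; if it is empty the rule collapses to `-A INPUT -s -j SET ...`, so iptables rejects it and the test fails with a confusing parse error rather than a clear message. A guard near the top of the script, `: "${NET:?NET must be set}"`, would make the precondition explicit. Narrowing the SET target to the probe network is the right direction, since otherwise any traffic reaching INPUT on the test host is added to the sets; the rules built by the `start` and `mangle` cases are not visible here, so I could not confirm they received the same restriction. The enclosing `case "$2"` continues outside the hunk.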
# Create sets and inet rules which call set match
0 ./iptables.sh inet start_flags
# Send probe packet from 10.0.0.0,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.0 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.0.0.0 -p tcp -td 80 -ts 1025 127.0.0.1
# Check that test set matched with --return-nomatch
0 ./check_klog.sh 10.0.0.0 tcp 1025 test-nomatch
# Send probe packet from 10.0.0.1,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.1 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.0.0.1 -p tcp -td 80 -ts 1025 127.0.0.1
# Check that test set matched
0 ./check_klog.sh 10.0.0.1 tcp 1025 test
# Send probe packet from 10.0.0.2,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.2 -is 10.0.0.2 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.2 -is 10.0.0.2 -p tcp -td 80 -ts 1025 127.0.0.1
# Check that test set matched with --return-nomatch
0 ./check_klog.sh 10.0.0.2 tcp 1025 test-nomatch
# Send probe packet from 10.0.0.255,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.255 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.0.0.255 -p tcp -td 80 -ts 1025 127.0.0.1
# Check that test set matched with --return-nomatch
0 ./check_klog.sh 10.0.0.255 tcp 1025 test-nomatch
# Send probe packet from 10.0.1.0,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.1.0 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.0.1.0 -p tcp -td 80 -ts 1025 127.0.0.1
# Check that test set matched
0 ./check_klog.sh 10.0.1.0 tcp 1025 test
# Destroy sets and rules
# Create sets and inet rules which call set match, reversed rule order
0 ./iptables.sh inet start_flags_reversed
# Send probe packet from 10.0.0.0,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.0 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.0.0.0 -p tcp -td 80 -ts 1025 127.0.0.1
# Check that test set matched with --return-nomatch
0 ./check_klog.sh 10.0.0.0 tcp 1025 test-nomatch
# Send probe packet from 10.0.0.1,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.1 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.0.0.1 -p tcp -td 80 -ts 1025 127.0.0.1
# Check that test set matched
0 ./check_klog.sh 10.0.0.1 tcp 1025 test
# Send probe packet from 10.0.0.2,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.2 -is 10.0.0.2 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.2 -is 10.0.0.2 -p tcp -td 80 -ts 1025 127.0.0.1
# Check that test set matched with --return-nomatch
0 ./check_klog.sh 10.0.0.2 tcp 1025 test-nomatch
# Send probe packet from 10.0.0.255,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.255 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.0.0.255 -p tcp -td 80 -ts 1025 127.0.0.1
# Check that test set matched with --return-nomatch
0 ./check_klog.sh 10.0.0.255 tcp 1025 test-nomatch
# Send probe packet from 10.0.1.0,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.1.0 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.0.1.0 -p tcp -td 80 -ts 1025 127.0.0.1
# Check that test set matched
0 ./check_klog.sh 10.0.1.0 tcp 1025 test
# Destroy sets and rules
# Check that 10.255.255.64,tcp:1025 is not in ipport set
1 ipset test ipport 10.255.255.64,tcp:1025
# Send probe packet from 10.255.255.64,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p tcp -td 80 -ts 1025 127.0.0.1
# Check that proper sets matched and target worked
0 ./check_klog.sh 10.255.255.64 tcp 1025 ipport list
# Check that 10.255.255.64,tcp:1025 is in ipport set now
# Check that 10.255.255.64,udp:1025 is not in ipport set
1 ipset test ipport 10.255.255.64,udp:1025
# Send probe packet from 10.255.255.64,udp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
# Check that proper sets matched and target worked
0 ./check_klog.sh 10.255.255.64 udp 1025 ipport list
# Check that 10.255.255.64,udp:1025 is in ipport set now
# Check that 10.255.255.1,tcp:1025 is not in ipport set
1 ipset test ipport 10.255.255.1,tcp:1025
# Send probe packet from 10.255.255.1,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.1 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.255.255.1 -p tcp -td 80 -ts 1025 127.0.0.1
# Check that proper sets matched and target worked
0 ./check_klog.sh 10.255.255.1 tcp 1025 ip1 list
# Check that 10.255.255.1,tcp:1025 is not in ipport set
# Check that 10.255.255.32,tcp:1025 is not in ipport set
1 ipset test ipport 10.255.255.32,tcp:1025
# Send probe packet from 10.255.255.32,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.32 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.255.255.32 -p tcp -td 80 -ts 1025 127.0.0.1
# Check that proper sets matched and target worked
0 ./check_klog.sh 10.255.255.32 tcp 1025 ip2
# Check that 10.255.255.32,tcp:1025 is not in ipport set
# Check that 10.255.255.64,icmp:host-prohibited is not in ipport set
1 ipset test ipport 10.255.255.64,icmp:host-prohibited
# Send probe packet 10.255.255.64,icmp:host-prohibited
-0 sendip -d r10 -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p icmp -ct 3 -cd 10 127.0.0.1
+0 ./sendip.sh -d r10 -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p icmp -ct 3 -cd 10 127.0.0.1
# Check that 10.255.255.64,icmp:3/10 is in ipport set now
0 ipset test ipport 10.255.255.64,icmp:host-prohibited
# Modify rules to check target and deletion
0 ./iptables.sh inet del
# Send probe packet 10.255.255.64,icmp:host-prohibited
-0 sendip -d r10 -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p icmp -ct 3 -cd 10 127.0.0.1
+0 ./sendip.sh -d r10 -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p icmp -ct 3 -cd 10 127.0.0.1
# Check that 10.255.255.64,icmp:3/10 isn't in ipport
1 ipset test ipport 10.255.255.64,icmp:host-prohibited
# Destroy sets and rules
# Sleep 1s
0 sleep 1s
# Send probe packet 10.255.255.64,icmp:host-prohibited
-0 sendip -d r10 -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p icmp -ct 3 -cd 10 127.0.0.1
+0 ./sendip.sh -d r10 -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p icmp -ct 3 -cd 10 127.0.0.1
# Sleep 5s, so original entry could time out
0 sleep 5s
# Check that 10.255.255.64,icmp:3/10 is not in ipport set
# Create test set and iptables rules
0 ./iptables.sh inet mangle
# Send probe packet from 10.255.255.64,udp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
# Check that proper sets matched and target worked
0 ./check_klog.sh 10.255.255.64 udp 1025 mark
# Destroy sets and rules
# Create test set and iptables rules
0 ./iptables.sh inet add
# Send probe packet from 10.255.255.64,udp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
# Check that 10.255.255.64 is added to the set
0 ipset t test 10.255.255.64
# Flush set
# Add a /24 network to the set
0 ipset a test 1.1.1.0/24
# Send probe packet from 10.255.255.64,udp:1025 again
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
# Check that 10.255.255.0/24 is added to the set
0 ipset t test 10.255.255.0/24
# Destroy sets and rules
# Create set and rules for 0.0.0.0/0 check in hash:net,iface
0 ./iptables.sh inet netiface
# Send probe packet
-0 sendip -p ipv4 -id 10.255.255.254 -is 10.255.255.64 -p udp -ud 80 -us 1025 10.255.255.254 >/dev/null 2>&1
+0 ./sendip.sh -p ipv4 -id 10.255.255.254 -is 10.255.255.64 -p udp -ud 80 -us 1025 10.255.255.254 >/dev/null 2>&1
# Check kernel log that the packet matched the set
0 ./check_klog.sh 10.255.255.64 udp 1025 netiface
# Destroy sets and rules
# Check that 1002:1002:1002:1002::64,tcp:1025 is not in ipport set
1 ipset test ipport 1002:1002:1002:1002::64,tcp:1025
# Send probe packet from 1002:1002:1002:1002::64,tcp:1025
-0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p tcp -td 80 -ts 1025 ::1
+0 ./sendip.sh -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p tcp -td 80 -ts 1025 ::1
# Check that proper sets matched and target worked
0 ./check_klog.sh 1002:1002:1002:1002::64 tcp 1025 ipport list
# Check that 1002:1002:1002:1002::64,tcp:1025 is in ipport set now
# Check that 1002:1002:1002:1002::64,udp:1025 is not in ipport set
1 ipset test ipport 1002:1002:1002:1002::64,udp:1025
# Send probe packet from 1002:1002:1002:1002::64,udp:1025
-0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p udp -ud 80 -us 1025 ::1
+0 ./sendip.sh -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p udp -ud 80 -us 1025 ::1
# Check that proper sets matched and target worked
0 ./check_klog.sh 1002:1002:1002:1002::64 udp 1025 ipport list
# Check that 1002:1002:1002:1002::64,udp:1025 is in ipport set now
# Check that 1002:1002:1002:1002::1,tcp:1025 is not in ipport set
1 ipset test ipport 1002:1002:1002:1002::1,tcp:1025
# Send probe packet from 1002:1002:1002:1002::1,tcp:1025
-0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::1 -p tcp -td 80 -ts 1025 ::1
+0 ./sendip.sh -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::1 -p tcp -td 80 -ts 1025 ::1
# Check that proper sets matched and target worked
0 ./check_klog.sh 1002:1002:1002:1002::1 tcp 1025 ip1 list
# Check that 1002:1002:1002:1002::1,tcp:1025 is not in ipport set
# Check that 1002:1002:1002:1002::32,tcp:1025 is not in ipport set
1 ipset test ipport 1002:1002:1002:1002::32,tcp:1025
# Send probe packet from 1002:1002:1002:1002::32,tcp:1025
-0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::32 -p tcp -td 80 -ts 1025 ::1
+0 ./sendip.sh -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::32 -p tcp -td 80 -ts 1025 ::1
# Check that proper sets matched and target worked
0 ./check_klog.sh 1002:1002:1002:1002::32 tcp 1025 ip2
# Check that 1002:1002:1002:1002::32,tcp:1025 is not in ipport set
# Check that 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly is not in ipport set
1 ipset test ipport 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
# Send probe packet from 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
-0 sendip -d r10 -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p icmp -ct 3 -cd 1 ::1
+0 ./sendip.sh -d r10 -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p icmp -ct 3 -cd 1 ::1
# Check that 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly is in ipport set now
0 ipset test ipport 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
# Modify rules to check target and deletion
0 ./iptables.sh inet6 del
# Send probe packet from 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
-0 sendip -d r10 -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p icmp -ct 3 -cd 1 ::1
+0 ./sendip.sh -d r10 -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p icmp -ct 3 -cd 1 ::1
# Check that 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly isn't in ipport set
1 ipset test ipport 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
# Destroy sets and rules
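Review bot: On the netiface probe (L182) the wrapper's output is still discarded with `>/dev/null 2>&1`, which now also silences diagnostics from the `wc -l /var/log/kern.log` step inside sendip.sh, so an unreadable or rotated kern.log would surface only as a later `no match!` from check_klog.sh on L184 rather than at the line that caused it. If the redirect exists only to quiet sendip's own output, it would be safer to apply it inside the wrapper around the sendip call and leave the wrapper's stderr visible. Every other line in this hunk is a mechanical `sendip` → `./sendip.sh` substitution and looks consistent; the test sequence itself begins and ends outside the hunk.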
--- /dev/null
+#!/bin/bash
+
+# Save lineno for checking
+wc -l /var/log/kern.log | cut -d ' ' -f 1 > .loglines
+sendip "$@"
+
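Review bot: The line count in the new wrapper is obtained by parsing `wc -l /var/log/kern.log` with `cut -d ' ' -f 1`, which leaves `.loglines` empty when the file is missing or unreadable (wc then prints nothing on stdout) and also on wc implementations that pad the count with leading spaces; neither failure stops the script, so sendip still runs and the breakage is only reported later by check_klog.sh. Reading from stdin avoids the parsing and propagates the error: `wc -l < /var/log/kern.log > .loglines || exit 1`. Two caveats worth a comment in the file: `.loglines` is resolved relative to the caller's working directory (the tests invoke `./sendip.sh`, so that is the test directory), and since kern.log is filled by the syslog daemon rather than read from the kernel ring buffer as `dmesg` was, a probe's message may not yet be flushed when check_klog.sh runs — if that shows up as intermittent `no match!`, a short retry loop on the reader side would cover it.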