Check ICMP and ICMPv6 with the set match and target in the testsuite

"sendip" needs data otherwise ICMP/ICMPv6 gets truncated...

diff --git a/tests/match_target.t b/tests/match_target.t
index 8c3f3f9e0baaa10edfec727810906f2b18568284..6756be14f778cadad96c7e0ed1b77e53fee91e69 100644 (file)
--- a/tests/match_target.t
+++ b/tests/match_target.t
@@ -1,21 +1,43 @@
 # Create sets and inet rules which call set match and SET target
 0 ./iptables.sh inet start
+# Check that 10.255.255.64,tcp:1025 is not in ipport set
+1 ipset test ipport 10.255.255.64,tcp:1025
 # Send probe packet from 10.255.255.64,tcp:1025
 0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p tcp -td 80 -ts 1025 127.0.0.1
 # Check that proper sets matched and target worked
 0 ./check_klog.sh 10.255.255.64 tcp 1025 ipport list
+# Check that 10.255.255.64,tcp:1025 is in ipport set now
+0 ipset test ipport 10.255.255.64,tcp:1025
+# Check that 10.255.255.64,udp:1025 is not in ipport set
+1 ipset test ipport 10.255.255.64,udp:1025
 # Send probe packet from 10.255.255.64,udp:1025 
 0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
 # Check that proper sets matched and target worked
 0 ./check_klog.sh 10.255.255.64 udp 1025 ipport list
+# Check that 10.255.255.64,udp:1025 is in ipport set now
+0 ipset test ipport 10.255.255.64,udp:1025
+# Check that 10.255.255.1,tcp:1025 is not in ipport set
+1 ipset test ipport 10.255.255.1,tcp:1025
 # Send probe packet from 10.255.255.1,tcp:1025
 0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.1 -p tcp -td 80 -ts 1025 127.0.0.1
 # Check that proper sets matched and target worked
 0 ./check_klog.sh 10.255.255.1 tcp 1025 ip1 list
+# Check that 10.255.255.1,tcp:1025 is not in ipport set
+1 ipset test ipport 10.255.255.1,tcp:1025
+# Check that 10.255.255.32,tcp:1025 is not in ipport set
+1 ipset test ipport 10.255.255.32,tcp:1025
 # Send probe packet from 10.255.255.32,tcp:1025
 0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.32 -p tcp -td 80 -ts 1025 127.0.0.1
 # Check that proper sets matched and target worked
 0 ./check_klog.sh 10.255.255.32 tcp 1025 ip2
+# Check that 10.255.255.32,tcp:1025 is not in ipport set
+1 ipset test ipport 10.255.255.32,tcp:1025
+# Check that 10.255.255.64,icmp:host-prohibited is not in ipport set
+1 ipset test ipport 10.255.255.64,icmp:host-prohibited
+# Send probe packet 10.255.255.64,icmp:host-prohibited
+0 sendip -d r10 -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p icmp -ct 3 -cd 10 127.0.0.1
+# Check that 10.255.255.64,icmp:3/10 is in ipport set now
+0 ipset test ipport 10.255.255.64,icmp:host-prohibited
 # Destroy sets and rules
 0 ./iptables.sh inet stop
 # eof

diff --git a/tests/match_target6.t b/tests/match_target6.t
index 58888bd1b5ad08f8320a688b62307157a3093f16..6f1fc3d83290c8b00db8d9a7f8abd530c5bbb5b8 100644 (file)
--- a/tests/match_target6.t
+++ b/tests/match_target6.t
@@ -1,21 +1,43 @@
 # Create sets and inet6 rules which call set match and SET target
 0 ./iptables.sh inet6 start
+# Check that 1002:1002:1002:1002::64,tcp:1025 is not in ipport set
+1 ipset test ipport 1002:1002:1002:1002::64,tcp:1025
 # Send probe packet from 1002:1002:1002:1002::64,tcp:1025
 0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p tcp -td 80 -ts 1025 ::1
 # Check that proper sets matched and target worked
 0 ./check_klog.sh 1002:1002:1002:1002::64 tcp 1025 ipport list
+# Check that 1002:1002:1002:1002::64,tcp:1025 is in ipport set now
+0 ipset test ipport 1002:1002:1002:1002::64,tcp:1025
+# Check that 1002:1002:1002:1002::64,udp:1025 is not in ipport set
+1 ipset test ipport 1002:1002:1002:1002::64,udp:1025
 # Send probe packet from 1002:1002:1002:1002::64,udp:1025 
 0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p udp -ud 80 -us 1025 ::1
 # Check that proper sets matched and target worked
 0 ./check_klog.sh 1002:1002:1002:1002::64 udp 1025 ipport list
+# Check that 1002:1002:1002:1002::64,udp:1025 is in ipport set now
+0 ipset test ipport 1002:1002:1002:1002::64,udp:1025
+# Check that 1002:1002:1002:1002::1,tcp:1025 is not in ipport set
+1 ipset test ipport 1002:1002:1002:1002::1,tcp:1025
 # Send probe packet from 1002:1002:1002:1002::1,tcp:1025
 0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::1 -p tcp -td 80 -ts 1025 ::1
 # Check that proper sets matched and target worked
 0 ./check_klog.sh 1002:1002:1002:1002::1 tcp 1025 ip1 list
+# Check that 1002:1002:1002:1002::1,tcp:1025 is not in ipport set
+1 ipset test ipport 1002:1002:1002:1002::1,tcp:1025
+# Check that 1002:1002:1002:1002::32,tcp:1025 is not in ipport set
+1 ipset test ipport 1002:1002:1002:1002::32,tcp:1025
 # Send probe packet from 1002:1002:1002:1002::32,tcp:1025
 0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::32 -p tcp -td 80 -ts 1025 ::1
 # Check that proper sets matched and target worked
 0 ./check_klog.sh 1002:1002:1002:1002::32 tcp 1025 ip2
+# Check that 1002:1002:1002:1002::32,tcp:1025 is not in ipport set
+1 ipset test ipport 1002:1002:1002:1002::32,tcp:1025
+# Check that 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly is not in ipport set
+1 ipset test ipport 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
+# Send probe packet from 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
+0 sendip -d r10 -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p icmp -ct 3 -cd 1 ::1
+# Check that 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly is in ipport set now
+0 ipset test ipport 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
 # Destroy sets and rules
 0 ./iptables.sh inet6 stop
 # eof