ipftest - test packet filter rules with arbitary input.
ipftest [ -vbdPSTEHX ] [ -I interface ] -r
<filename> [ -i <filename> ]
ipftest is provided for the purpose of being able to test a set of filter
rules without having to put them in place, in operation and proceed to test
their effectiveness. The hope is that this minimises disruptions in providing
a secure IP environment.
ipftest will parse any standard ruleset for use with
ipf and apply input, returning output as to the result. However,
ipftest will return one of three values for packets passed through
the filter: pass, block or nomatch. This is intended to give the operator a
better idea of what is happening with packets passing through their filter
ruleset.
When used without either of -S, -T or -E,
ipftest uses its own text input format to generate "fake"
IP packets. The format used is as follows:
"in"|"out" "on" if ["tcp"|"udp"|"icmp"]
srchost[,srcport] dsthost[,destport] [FSRPAU]
This allows for a packet going "in" or "out"
of an interface (if) to be generated, being one of the three main protocols
(optionally), and if either TCP or UDP, a port parameter is also expected.
If TCP is selected, it is possible to (optionally) supply TCP flags at the
end. Some examples are:
# a UDP packet coming in on le0
in on le0 udp 10.1.1.1,2210 10.2.1.5,23
# an IP packet coming in on le0 from localhost - hmm :)
in on le0 localhost 10.4.12.1
# a TCP packet going out of le0 with the SYN flag set.
out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S
- -v
- Verbose mode. This provides more information about which parts of rule
matching the input packet passes and fails.
- -d
- Turn on filter rule debugging. Currently, this only shows you what caused
the rule to not match in the IP header checking (addresses/netmasks,
etc).
- -b
- Cause the output to be a brief summary (one-word) of the result of passing
the packet through the filter; either "pass", "block"
or "nomatch". This is used in the regression testing.
- -I <interface>
- Set the interface name (used in rule matching) to be the name supplied.
This is useful with the -P, -S, -T and -E options, where it
is not otherwise possible to associate a packet with an interface. Normal
"text packets" can override this setting.
- -P
- The input file specified by -i is a binary file produced using
libpcap (i.e., tcpdump version 3). Packets are read from this file as
being input (for rule purposes). An interface maybe specified using
-I.
- -S
- The input file is to be in "snoop" format (see RFC 1761).
Packets are read from this file and used as input from any interface. This
is perhaps the most useful input type, currently.
- -T
- The input file is to be text output from tcpdump. The text formats which
are currently supported are those which result from the following tcpdump
option combinations:
tcpdump -n
tcpdump -nq
tcpdump -nqt
tcpdump -nqtt
tcpdump -nqte
- -H
- The input file is to be hex digits, representing the binary makeup of the
packet. No length correction is made, if an incorrect length is put in the
IP header.
- -X
- The input file is composed of text descriptions of IP packets.
- -E
- The input file is to be text output from etherfind. The text formats which
are currently supported are those which result from the following
etherfind option combinations:
etherfind -n
etherfind -n -t
- -i <filename>
- Specify the filename from which to take input. Default is stdin.
- -r <filename>
- Specify the filename from which to read filter rules.
ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)
Not all of the input formats are sufficiently capable of introducing a wide
enough variety of packets for them to be all useful in testing.