| .TH IPFTEST 1 |
| .SH NAME |
| ipftest \- test packet filter rules with arbitrary input. |
| .SH SYNOPSIS |
| .B ipftest |
| [ |
| .B \-6bCdDoRvx |
| ] [ |
| .B \-F |
| input-format |
| ] [ |
| .B \-i |
| <filename> |
| ] [ |
| .B \-I |
| interface |
| ] [ |
| .B \-l |
| <filename> |
| ] [ |
| .B \-N |
| <filename> |
| ] [ |
| .B \-P |
| <filename> |
| ] [ |
| .B \-r |
| <filename> |
| ] [ |
| .B \-S |
| <ip_address> |
| ] [ |
| .B \-T |
| <optionlist> |
| ] |
| .SH DESCRIPTION |
| .PP |
| \fBipftest\fP is provided for the purpose of being able to test a set of |
| filter rules without having to put them in place, in operation and proceed |
| to test their effectiveness. The hope is that this minimises disruptions |
| in providing a secure IP environment. |
| .PP |
| \fBipftest\fP will parse any standard ruleset for use with \fBipf\fP, |
| \fBipnat\fP and/or \fBippool\fP |
| and apply input, returning output as to the result. However, \fBipftest\fP |
| will return one of three values for packets passed through the filter: |
| pass, block or nomatch. This is intended to give the operator a better |
| idea of what is happening with packets passing through their filter |
| ruleset. |
| .PP |
| At least one of \fB\-N\fP, \fB-P\fP or \fB\-r\fP must be specified. |
| .SH OPTIONS |
| .TP |
| .B \-6 |
| Use IPv6. |
| .TP |
| .B \-b |
| Cause the output to be a brief summary (one-word) of the result of passing |
| the packet through the filter; either "pass", "block" or "nomatch". |
| This is used in the regression testing. |
| .TP |
| .B \-C |
| Force the checksums to be (re)calculated for all packets being input into |
| \fBipftest\fP. This may be necessary if pcap files from tcpdump are being |
| fed in where there are partial checksums present due to hardware offloading. |
| .TP |
| .B \-d |
| Turn on filter rule debugging. Currently, this only shows you what caused |
| the rule to not match in the IP header checking (addresses/netmasks, etc). |
| .TP |
| .B \-D |
| Dump internal tables before exiting. |
| This excludes log messages. |
| .TP |
| .B \-F |
| This option is used to select which input format the input file is in. |
| The following formats are available: etherfind, hex, pcap, snoop, tcpdump,text. |
| .RS |
| .TP |
| .B etherfind |
| The input file is to be text output from etherfind. The text formats which |
| are currently supported are those which result from the following etherfind |
| option combinations: |
| .PP |
| .nf |
| etherfind -n |
| etherfind -n -t |
| .fi |
| .TP |
| .B hex |
| The input file is to be hex digits, representing the binary makeup of the |
| packet. No length correction is made, if an incorrect length is put in |
| the IP header. A packet may be broken up over several lines of hex digits, |
| a blank line indicating the end of the packet. It is possible to specify |
| both the interface name and direction of the packet (for filtering purposes) |
| at the start of the line using this format: [direction,interface] To define |
| a packet going in on le0, we would use \fB[in,le0]\fP - the []'s are required |
| and part of the input syntax. |
| .HP |
| .B pcap |
| The input file specified by \fB\-i\fP is a binary file produced using libpcap |
| (i.e., tcpdump version 3). Packets are read from this file as being input |
| (for rule purposes). An interface maybe specified using \fB\-I\fP. |
| .TP |
| .B snoop |
| The input file is to be in "snoop" format (see RFC 1761). Packets are read |
| from this file and used as input from any interface. This is perhaps the |
| most useful input type, currently. |
| .TP |
| .B tcpdump |
| The input file is to be text output from tcpdump. The text formats which |
| are currently supported are those which result from the following tcpdump |
| option combinations: |
| .PP |
| .nf |
| tcpdump -n |
| tcpdump -nq |
| tcpdump -nqt |
| tcpdump -nqtt |
| tcpdump -nqte |
| .fi |
| .TP |
| .B text |
| The input file is in \fBipftest\fP text input format. |
| This is the default if no \fB\-F\fP argument is specified. |
| The format used is as follows: |
| .nf |
| "in"|"out" "on" if ["tcp"|"udp"|"icmp"] |
| srchost[,srcport] dsthost[,destport] [FSRPAU] |
| .fi |
| .PP |
| This allows for a packet going "in" or "out" of an interface (if) to be |
| generated, being one of the three main protocols (optionally), and if |
| either TCP or UDP, a port parameter is also expected. If TCP is selected, |
| it is possible to (optionally) supply TCP flags at the end. Some examples |
| are: |
| .nf |
| # a UDP packet coming in on le0 |
| in on le0 udp 10.1.1.1,2210 10.2.1.5,23 |
| # an IP packet coming in on le0 from localhost - hmm :) |
| in on le0 localhost 10.4.12.1 |
| # a TCP packet going out of le0 with the SYN flag set. |
| out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S |
| .fi |
| .RE |
| .DT |
| .TP |
| .BR \-i \0<filename> |
| Specify the filename from which to take input. Default is stdin. |
| .TP |
| .BR \-I \0<interface> |
| Set the interface name (used in rule matching) to be the name supplied. |
| This is useful where it is |
| not otherwise possible to associate a packet with an interface. Normal |
| "text packets" can override this setting. |
| .TP |
| .BR \-l \0<filename> |
| Dump log messages generated during testing to the specified file. |
| .TP |
| .BR \-N \0<filename> |
| Specify the filename from which to read NAT rules in \fBipnat\fP(5) format. |
| .TP |
| .B \-o |
| Save output packets that would have been written to each interface in |
| a file /tmp/\fIinterface_name\fP in raw format. |
| .TP |
| .BR \-P \0<filename> |
| Read IP pool configuration information in \fBippool\fP(5) format from the |
| specified file. |
| .TP |
| .BR \-r \0<filename> |
| Specify the filename from which to read filter rules in \fBipf\fP(5) format. |
| .TP |
| .B \-R |
| Don't attempt to convert IP addresses to hostnames. |
| .TP |
| .BR \-S \0<ip_address> |
| The IP address specifived with this option is used by ipftest to determine |
| whether a packet should be treated as "input" or "output". If the source |
| address in an IP packet matches then it is considered to be inbound. If it |
| does not match then it is considered to be outbound. This is primarily |
| for use with tcpdump (pcap) files where there is no in/out information |
| saved with each packet. |
| .TP |
| .BR \-T \0<optionlist> |
| This option simulates the run-time changing of IPFilter kernel variables |
| available with the \fB\-T\fP option of \fBipf\fP. |
| The optionlist parameter is a comma separated list of tuning |
| commands. A tuning command is either "list" (retrieve a list of all variables |
| in the kernel, their maximum, minimum and current value), a single variable |
| name (retrieve its current value) and a variable name with a following |
| assignment to set a new value. See \fBipf\fP(8) for examples. |
| .TP |
| .B \-v |
| Verbose mode. This provides more information about which parts of rule |
| matching the input packet passes and fails. |
| .TP |
| .B \-x |
| Print a hex dump of each packet before printing the decoded contents. |
| .SH SEE ALSO |
| ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c) |
| .SH BUGS |
| Not all of the input formats are sufficiently capable of introducing a |
| wide enough variety of packets for them to be all useful in testing. |