blob: 54b5407315cf3ad522a5c8f5ca727e171b854b2b [file] [log] [blame] [view] [raw]
.TH IPFTEST 1
.SH NAME
ipftest \- test packet filter rules with arbitrary input.
.SH SYNOPSIS
.B ipftest
[
.B \-6bCdDoRvx
] [
.B \-F
input-format
] [
.B \-i
<filename>
] [
.B \-I
interface
] [
.B \-l
<filename>
] [
.B \-N
<filename>
] [
.B \-P
<filename>
] [
.B \-r
<filename>
] [
.B \-S
<ip_address>
] [
.B \-T
<optionlist>
]
.SH DESCRIPTION
.PP
\fBipftest\fP is provided for the purpose of being able to test a set of
filter rules without having to put them in place, in operation and proceed
to test their effectiveness. The hope is that this minimises disruptions
in providing a secure IP environment.
.PP
\fBipftest\fP will parse any standard ruleset for use with \fBipf\fP,
\fBipnat\fP and/or \fBippool\fP
and apply input, returning output as to the result. However, \fBipftest\fP
will return one of three values for packets passed through the filter:
pass, block or nomatch. This is intended to give the operator a better
idea of what is happening with packets passing through their filter
ruleset.
.PP
At least one of \fB\-N\fP, \fB-P\fP or \fB\-r\fP must be specified.
.SH OPTIONS
.TP
.B \-6
Use IPv6.
.TP
.B \-b
Cause the output to be a brief summary (one-word) of the result of passing
the packet through the filter; either "pass", "block" or "nomatch".
This is used in the regression testing.
.TP
.B \-C
Force the checksums to be (re)calculated for all packets being input into
\fBipftest\fP. This may be necessary if pcap files from tcpdump are being
fed in where there are partial checksums present due to hardware offloading.
.TP
.B \-d
Turn on filter rule debugging. Currently, this only shows you what caused
the rule to not match in the IP header checking (addresses/netmasks, etc).
.TP
.B \-D
Dump internal tables before exiting.
This excludes log messages.
.TP
.B \-F
This option is used to select which input format the input file is in.
The following formats are available: etherfind, hex, pcap, snoop, tcpdump,text.
.RS
.TP
.B etherfind
The input file is to be text output from etherfind. The text formats which
are currently supported are those which result from the following etherfind
option combinations:
.PP
.nf
etherfind -n
etherfind -n -t
.fi
.TP
.B hex
The input file is to be hex digits, representing the binary makeup of the
packet. No length correction is made, if an incorrect length is put in
the IP header. A packet may be broken up over several lines of hex digits,
a blank line indicating the end of the packet. It is possible to specify
both the interface name and direction of the packet (for filtering purposes)
at the start of the line using this format: [direction,interface] To define
a packet going in on le0, we would use \fB[in,le0]\fP - the []'s are required
and part of the input syntax.
.HP
.B pcap
The input file specified by \fB\-i\fP is a binary file produced using libpcap
(i.e., tcpdump version 3). Packets are read from this file as being input
(for rule purposes). An interface maybe specified using \fB\-I\fP.
.TP
.B snoop
The input file is to be in "snoop" format (see RFC 1761). Packets are read
from this file and used as input from any interface. This is perhaps the
most useful input type, currently.
.TP
.B tcpdump
The input file is to be text output from tcpdump. The text formats which
are currently supported are those which result from the following tcpdump
option combinations:
.PP
.nf
tcpdump -n
tcpdump -nq
tcpdump -nqt
tcpdump -nqtt
tcpdump -nqte
.fi
.TP
.B text
The input file is in \fBipftest\fP text input format.
This is the default if no \fB\-F\fP argument is specified.
The format used is as follows:
.nf
"in"|"out" "on" if ["tcp"|"udp"|"icmp"]
srchost[,srcport] dsthost[,destport] [FSRPAU]
.fi
.PP
This allows for a packet going "in" or "out" of an interface (if) to be
generated, being one of the three main protocols (optionally), and if
either TCP or UDP, a port parameter is also expected. If TCP is selected,
it is possible to (optionally) supply TCP flags at the end. Some examples
are:
.nf
# a UDP packet coming in on le0
in on le0 udp 10.1.1.1,2210 10.2.1.5,23
# an IP packet coming in on le0 from localhost - hmm :)
in on le0 localhost 10.4.12.1
# a TCP packet going out of le0 with the SYN flag set.
out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S
.fi
.RE
.DT
.TP
.BR \-i \0<filename>
Specify the filename from which to take input. Default is stdin.
.TP
.BR \-I \0<interface>
Set the interface name (used in rule matching) to be the name supplied.
This is useful where it is
not otherwise possible to associate a packet with an interface. Normal
"text packets" can override this setting.
.TP
.BR \-l \0<filename>
Dump log messages generated during testing to the specified file.
.TP
.BR \-N \0<filename>
Specify the filename from which to read NAT rules in \fBipnat\fP(5) format.
.TP
.B \-o
Save output packets that would have been written to each interface in
a file /tmp/\fIinterface_name\fP in raw format.
.TP
.BR \-P \0<filename>
Read IP pool configuration information in \fBippool\fP(5) format from the
specified file.
.TP
.BR \-r \0<filename>
Specify the filename from which to read filter rules in \fBipf\fP(5) format.
.TP
.B \-R
Don't attempt to convert IP addresses to hostnames.
.TP
.BR \-S \0<ip_address>
The IP address specifived with this option is used by ipftest to determine
whether a packet should be treated as "input" or "output". If the source
address in an IP packet matches then it is considered to be inbound. If it
does not match then it is considered to be outbound. This is primarily
for use with tcpdump (pcap) files where there is no in/out information
saved with each packet.
.TP
.BR \-T \0<optionlist>
This option simulates the run-time changing of IPFilter kernel variables
available with the \fB\-T\fP option of \fBipf\fP.
The optionlist parameter is a comma separated list of tuning
commands. A tuning command is either "list" (retrieve a list of all variables
in the kernel, their maximum, minimum and current value), a single variable
name (retrieve its current value) and a variable name with a following
assignment to set a new value. See \fBipf\fP(8) for examples.
.TP
.B \-v
Verbose mode. This provides more information about which parts of rule
matching the input packet passes and fails.
.TP
.B \-x
Print a hex dump of each packet before printing the decoded contents.
.SH SEE ALSO
ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)
.SH BUGS
Not all of the input formats are sufficiently capable of introducing a
wide enough variety of packets for them to be all useful in testing.