ipftest(ADMN)




NAME

     ipftest - test packet filter rules with arbitrary input.


SYNOPSIS

     ipftest [ -6bdDoRvx ] [ -F input-format ] [ -i <filename>  ]
     [  -I  interface  ] [ -l <filename> ] [ -N <filename> ] [ -P
     <filename> ] [ -r <filename> ] [ -T <optionlist> ]


DESCRIPTION

     ipftest is provided so that a set of filter rules can be tested
     without having to put them in place and in operation first and
     only then test their effectiveness.  The hope is that this
     minimises disruptions in providing a secure IP environment.

     ipftest will parse any standard ruleset for  use  with  ipf,
     ipnat  and/or ippool and apply input, returning output as to
     the result.  However,  ipftest  will  return  one  of  three
     values  for  packets passed through the filter:  pass, block
     or nomatch.  This is intended to give the operator a  better
     idea of what is happening with packets passing through their
     filter ruleset.

     At least one of -N, -P or -r must be specified.


OPTIONS

     -6   Use IPv6.

     -b   Cause the output to be a brief  summary  (one-word)  of
          the  result  of  passing the packet through the filter;
          either "pass", "block" or "nomatch".  This is  used  in
          the regression testing.

     -d   Turn on filter rule debugging.   Currently,  this  only
          shows  you  what caused the rule to not match in the IP
          header checking (addresses/netmasks, etc).

     -D   Dump internal tables before exiting.  This excludes log
          messages.

     -F   This option is used to select which  input  format  the
          input file is in.  The following formats are available:
          etherfind, hex, pcap, snoop, tcpdump, text.

          etherfind
               The input file is to be text output from etherfind.
               The text formats which are currently supported are
               those which result from the following etherfind
               option combinations:

                    etherfind -n
                    etherfind -n -t

          hex  The input file is to be hex digits, representing the
               binary makeup of the packet.  No length correction is
               made if an incorrect length is put in the IP header.
               A packet may be broken up over several lines of hex
               digits, a blank line indicating the end of the packet.
               It is possible to specify both the interface name and
               direction of the packet (for filtering purposes) at
               the start of the line using this format:
               [direction,interface]  To define a packet going in on
               le0, we would use [in,le0] - the []'s are required and
               part of the input syntax.
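          The following is an added example, not part of the ipftest
          distribution or this manual: a small reader for the hex input
          format described above (a leading [direction,interface] tag,
          packets split over several lines, a blank line ending a
          packet) that also flags the case the text warns about, an
          IP header total length that does not match the bytes
          supplied.  It assumes whitespace between hex digits is
          ignored and that packets are IPv4; the sample packets are
          constructed for the example.

```python
import re

# Constructed sample in ipftest hex input format: two packets separated by
# a blank line; each may carry a leading [direction,interface] tag and be
# split across several lines.  The second packet declares an IP total
# length (0x0040 = 64) larger than the 28 bytes actually supplied.
SAMPLE_HEX = """\
[in,le0]
45 00 00 1c 00 01 00 00 40 11 00 00 0a 01 01 01 0a 02 01 05
08 a2 00 17 00 08 00 00

[out,le0] 45 00 00 40 00 02 00 00 40 11 00 00 0a 02 01 05 0a 01 01 01
00 17 08 a2 00 08 00 00
"""

# Optional [in|out,interface] tag at the start of a line.
TAG_RE = re.compile(r"^\[(in|out),([^\]]+)\]\s*")


def parse_hex_packets(text):
    """Return a list of (direction, iface, packet_bytes) tuples."""
    packets, direction, iface, digits = [], None, None, []

    def flush():
        nonlocal direction, iface, digits
        if digits:
            # bytes.fromhex raises ValueError on an odd digit count.
            packets.append((direction, iface, bytes.fromhex("".join(digits))))
        direction, iface, digits = None, None, []

    for line in text.splitlines():
        line = line.strip()
        if not line:          # blank line terminates the current packet
            flush()
            continue
        m = TAG_RE.match(line)
        if m:
            direction, iface = m.group(1), m.group(2)
            line = line[m.end():]
        hexpart = line.replace(" ", "")   # assumption: whitespace is ignored
        if hexpart and not re.fullmatch(r"[0-9a-fA-F]+", hexpart):
            raise ValueError(f"non-hex input: {line!r}")
        digits.append(hexpart)
    flush()
    return packets


def check_ipv4_length(pkt):
    """Compare the IPv4 header's declared total length with the bytes given.
    ipftest makes no correction, so a mismatch reaches the filter as-is."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    total = int.from_bytes(pkt[2:4], "big")
    return "ok" if total == len(pkt) else f"declared {total} bytes, supplied {len(pkt)}"
```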

          pcap The input file specified by -i is a binary file
               produced using libpcap (i.e., tcpdump version 3).
               Packets are read from this file as being input (for
               rule purposes).  An interface may be specified using
               -I.

          snoop
               The input file is to be in "snoop" format (see RFC
               1761).   Packets  are read from this file and used
               as input from any interface.  This is perhaps  the
               most useful input type, currently.

          tcpdump
               The input file is to be text output from  tcpdump.
               The text formats which are currently supported are
               those which  result  from  the  following  tcpdump
               option combinations:

                    tcpdump -n
                    tcpdump -nq
                    tcpdump -nqt
                    tcpdump -nqtt
                    tcpdump -nqte

          text The input file is in ipftest text input format.  This
               is the default if no -F argument is specified.  The
               format used is as follows:
                    "in"|"out" "on" if ["tcp"|"udp"|"icmp"]
                         srchost[,srcport] dsthost[,destport] [FSRPAU]

          This allows for a packet going  "in"  or  "out"  of  an
          interface  (if) to be generated, being one of the three
          main protocols (optionally), and if either TCP or  UDP,
          a port parameter is also expected.  If TCP is selected,
          it is possible to (optionally) supply TCP flags at  the
          end.  Some examples are:
               # a UDP packet coming in on le0
               in on le0 udp 10.1.1.1,2210 10.2.1.5,23
               # an IP packet coming in on le0 from localhost - hmm :)
               in on le0 localhost 10.4.12.1
               # a TCP packet going out of le0 with the SYN flag set.
               out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S
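          As an added example (not code from ipftest or its manual), here
          is a parser for the text input format described above.  It
          enforces the rules the text states: ports are required with tcp
          or udp and not allowed otherwise, and flags are only accepted on
          tcp packets.  It assumes hosts are IPv4 literals or "localhost"
          (no name resolution) and that "#" starts a comment, as in the
          examples above; the sample lines are constructed from them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample input, taken from the manual's own examples.
SAMPLE = """\
# a UDP packet coming in on le0
in on le0 udp 10.1.1.1,2210 10.2.1.5,23
in on le0 localhost 10.4.12.1
out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S
"""

FLAG_CHARS = set("FSRPAU")


@dataclass
class TextPacket:
    direction: str
    iface: str
    proto: Optional[str]
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    flags: str = ""


def _host_port(token, need_port):
    """Split host[,port]; a port is mandatory for tcp/udp and forbidden otherwise."""
    host, sep, port = token.partition(",")
    if need_port != bool(sep):
        raise ValueError(f"port {'required' if need_port else 'not allowed'}: {token!r}")
    if host != "localhost":           # assumption: literal addresses only
        ipaddress.ip_address(host)    # raises ValueError on a malformed address
    return host, (int(port) if sep else None)


def parse_line(line):
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] not in ("in", "out") or tokens[1] != "on":
        raise ValueError(f"bad packet line: {line!r}")
    rest, proto = tokens[3:], None
    if rest[0] in ("tcp", "udp", "icmp"):
        proto = rest.pop(0)
    if len(rest) not in (2, 3):
        raise ValueError(f"bad packet line: {line!r}")
    src, sport = _host_port(rest[0], proto in ("tcp", "udp"))
    dst, dport = _host_port(rest[1], proto in ("tcp", "udp"))
    flags = rest[2] if len(rest) == 3 else ""
    if flags and (proto != "tcp" or not set(flags) <= FLAG_CHARS):
        raise ValueError(f"TCP flags only valid on tcp packets: {line!r}")
    return TextPacket(tokens[0], tokens[2], proto, src, sport, dst, dport, flags)


def parse_text(text):
    """Parse every non-blank, non-comment line into a TextPacket."""
    return [parse_line(l) for l in (raw.split("#", 1)[0].strip()
                                    for raw in text.splitlines()) if l]
```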

     -i <filename>
          Specify the filename from which to take input.  Default
          is stdin.

     -I <interface>
          Set the interface name (used in rule matching) to be the
          name supplied.  This is useful where it is not otherwise
          possible to associate a packet with an interface.  Normal
          "text packets" can override this setting.

     -l <filename>
          Dump log  messages  generated  during  testing  to  the
          specified file.

     -N <filename>
          Specify the filename from which to read  NAT  rules  in
          ipnat(SFF) format.

     -o   Save output packets that would  have  been  written  to
          each  interface  in  a  file /tmp/interface_name in raw
          format.

     -P <filename>
          Read IP pool configuration information  in  ippool(SFF)
          format from the specified file.

     -r <filename>
          Specify the filename from which to read filter rules in
          ipf(SFF) format.

     -R   Don't attempt to convert IP addresses to hostnames.

     -T <optionlist>
          This option simulates the run-time changing of IPFilter
          kernel  variables  available with the -T option of ipf.
          The optionlist parameter is a comma separated  list  of
          tuning  commands.   A  tuning  command is either "list"
          (retrieve a list of all variables in the kernel,  their
          maximum,  minimum and current value), a single variable
          name (retrieve its current value) and a  variable  name
          with  a  following  assignment to set a new value.  See
          ipf(ADMN) for examples.

     -v   Verbose mode.  This  provides  more  information  about
          which  parts  of  rule matching the input packet passes
          and fails.

     -x   Print a hex dump of each  packet  before  printing  the
          decoded contents.


SEE ALSO

     ipf(SFF), ipf(ADMN), tcpdump(ADMN)


BUGS

     Not all of the input formats  are  sufficiently  capable  of
     introducing  a wide enough variety of packets for them to be
     all useful in testing.

