path: root/tools/testing/selftests/netfilter/xt_string.sh
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0

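# return code to signal skipped test
ksft_skip=4
rc=0

# Everything below needs iptables (the xt_string rules), iproute2 (dummy
# device and network namespace) and netcat (to emit the UDP probes);
# report SKIP rather than FAIL when one of them is missing.
if ! iptables --version >/dev/null 2>&1; then
	echo "SKIP: Test needs iptables"
	exit $ksft_skip
fi
if ! ip -V >/dev/null 2>&1; then
	echo "SKIP: Test needs iproute2"
	exit $ksft_skip
fi
if ! nc -h >/dev/null 2>&1; then
	echo "SKIP: Test needs netcat"
	exit $ksft_skip
fi

# Payload every rule searches for; patlen is derived from it so the two
# cannot drift apart, hdrlen is the room the headers take in front of it.
pattern="foo bar baz"
patlen=${#pattern}
hdrlen=$((20 + 8)) # IPv4 + UDP
# Random namespace name so concurrent runs of this test do not collide.
ns="ns-$(mktemp -u XXXXXXXX)"
# Creating a namespace needs elevated privileges; if it fails nothing
# below can work, so skip instead of producing a cascade of FAILs. The
# cleanup trap is installed only once the namespace actually exists.
if ! ip netns add "$ns"; then
	echo "SKIP: Could not create net namespace"
	exit $ksft_skip
fi
trap 'ip netns del "$ns"' EXIT
ip -net "$ns" link add d0 type dummy
ip -net "$ns" link set d0 up
ip -net "$ns" addr add 10.1.2.1/24 dev d0

#ip netns exec "$ns" tcpdump -npXi d0 &
#tcpdump_pid=$!
#trap 'kill $tcpdump_pid; ip netns del $ns' EXIT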

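add_rule() { # (alg, from, to)
	# Append one xt_string rule to the OUTPUT chain of the test namespace:
	# match $pattern with algorithm $1 (bm or kmp) inside the byte window
	# $2..$3 of the packet (--from/--to). Arguments are quoted so an
	# empty or odd value fails inside iptables instead of shifting options.
	local alg="$1" from="$2" to="$3"
	ip netns exec "$ns" \
		iptables -A OUTPUT -o d0 -m string \
			--string "$pattern" --algo "$alg" --from "$from" --to "$to"
}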
showrules() { # ()
	# Print the OUTPUT chain of the test namespace with counters (-v),
	# keeping only the rule lines (those starting with "-A").
	local chain=OUTPUT
	ip netns exec "$ns" iptables -v -S "$chain" | grep -- '^-A'
}
zerorules() {
	# Reset the packet/byte counters of every OUTPUT rule, so the next
	# probe starts from a clean count.
	local chain=OUTPUT
	ip netns exec "$ns" iptables -Z "$chain"
}
countrule() { # (pattern)
	# Number of OUTPUT rule lines containing the given text. Callers pass
	# counter prefixes such as "-c 1" or "-c 0 0" as printed by
	# "iptables -v -S"; "--" keeps that leading dash from being parsed as
	# a grep option. All arguments are joined into one search string.
	local needle="$*"
	showrules | grep -c -- "$needle"
}
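send() { # (offset)
	# Emit one UDP datagram from the test namespace whose payload is
	# ($1 - hdrlen) spaces followed by $pattern, so that the pattern
	# starts at byte offset $1 of the packet counted from the start of
	# the IPv4 header (hdrlen = IPv4 + UDP headers). The callers' FAIL
	# messages refer to fragments for the large offsets — presumably
	# those payloads exceed the device MTU and get fragmented.
	local offset="$1"
	local pad=$((offset - hdrlen))
	local i
	( for ((i = 0; i < pad; i++)); do
		printf " "
	  done
	  # Pass the payload as an argument, never as the printf format
	  # string, so a '%' in $pattern cannot change what is sent.
	  printf '%s' "$pattern"
	) | ip netns exec "$ns" nc -w 1 -u 10.1.2.2 27374
}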

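# Two rules per algorithm: a low window (1000..1500) and a high one
# (1400..1600), so a pattern at a given offset hits 0, 1, 2 or all 4.
add_rule bm 1000 1500
add_rule bm 1400 1600
add_rule kmp 1000 1500
add_rule kmp 1400 1600

# check_count (needle, expected, message): compare the number of rule
# lines matching needle with expected; on mismatch print the FAIL
# message and the rule set with counters, and record the failure in rc.
check_count() {
	local needle="$1" expected="$2" msg="$3"
	local got
	got=$(countrule "$needle")
	# Quoted and defaulted to 0: if iptables fails and countrule prints
	# nothing, the comparison still runs and the case is reported as a
	# FAIL instead of the test silently passing.
	if [ "${got:-0}" -ne "$expected" ]; then
		echo "FAIL: $msg"
		showrules
		((rc--))
	fi
}

zerorules
send 0
send $((1000 - patlen))
check_count "-c 0 0" 4 "rules match data before --from"

zerorules
send 1000
send $((1400 - patlen))
check_count "-c 2" 2 "only two rules should match at low offset"

zerorules
send $((1500 - patlen))
check_count "-c 1" 4 "all rules should match at end of packet"

zerorules
send 1495
check_count "-c 1" 1 "only kmp with proper --to should match pattern spanning fragments"

zerorules
send 1500
check_count "-c 1" 2 "two rules should match pattern at start of second fragment"

zerorules
send $((1600 - patlen))
check_count "-c 1" 2 "two rules should match pattern at end of largest --to"

zerorules
send $((1600 - patlen + 1))
check_count "-c 1" 0 "no rules should match pattern extending largest --to"

zerorules
send 1600
check_count "-c 1" 0 "no rule should match pattern past largest --to"

# rc is decremented once per failed check; exit wraps the negative value
# modulo 256, so any failure yields a non-zero status and 0 means all
# checks passed.
exit $rc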