NetBSD 6.1.5 - man page for ipftest (netbsd section 1)

ipftest(1)									       ipftest(1)

       ipftest - test packet filter rules with arbitrary input.

       ipftest [ -6bCdDoRvx ] [ -F input-format ] [ -i <filename> ] [ -I interface ]
               [ -l <filename> ] [ -N <filename> ] [ -P <filename> ] [ -r <filename> ]
               [ -S <ip_address> ] [ -T <optionlist> ]

       ipftest is provided so that a set of filter rules can be tested without first having to
       put them in place, run them in operation and only then find out how effective they are.
       The hope is that this minimises disruption while providing a secure IP environment.

       ipftest will parse any standard ruleset for use with ipf, ipnat and/or ippool, apply the
       supplied input and report the result.  For each packet passed through the filter, ipftest
       returns one of three values: pass, block or nomatch.  This is intended to give the operator
       a better idea of what is happening to packets passing through their filter ruleset.

       At least one of -N, -P or -r must be specified.

       -6     Use IPv6.

       -b     Cause  the  output  to  be  a brief summary (one-word) of the result of passing the
	      packet through the filter; either "pass", "block" or "nomatch".  This  is  used  in
	      the regression testing.

       -C     Force  the checksums to be (re)calculated for all packets being input into ipftest.
	      This may be necessary if pcap files from tcpdump are being fed in where  there  are
	      partial checksums present due to hardware offloading.

       -d     Turn on filter rule debugging.  Currently, this only shows you what caused the rule
	      to not match in the IP header checking (addresses/netmasks, etc).

       -D     Dump internal tables before exiting.  This excludes log messages.

       -F     This option is used to select which input format the input file is in.  The
	      following formats are available: etherfind, hex, pcap, snoop, tcpdump, text.

	      etherfind
		     The input file is to be text output from etherfind.  The text formats which
		     are currently supported are those which result from the following etherfind
		     option combinations:

			etherfind -n
			etherfind -n -t

	      hex    The input file is to be hex digits, representing the binary makeup of the
		     packet.  No length correction is made if an incorrect length is put in the
		     IP header.  A packet may be broken up over several lines of hex digits, a
		     blank line indicating the end of the packet.  It is possible to specify both
		     the interface name and direction of the packet (for filtering purposes) at
		     the start of the line using this format: [direction,interface].  To define a
		     packet going in on le0, we would use [in,le0] - the []'s are required and
		     part of the input syntax.

	      pcap   The input file specified by -i is a binary file produced using libpcap (i.e.,
		     tcpdump version 3).  Packets are read from this file as being input (for
		     rule purposes).  An interface may be specified using -I.

	      snoop  The input file is to be in "snoop" format (see RFC 1761).	Packets are  read
		     from  this  file  and used as input from any interface.  This is perhaps the
		     most useful input type, currently.

	      tcpdump
		     The input file is to be text output from tcpdump.  The text formats which
		     are currently supported are those which result from the following tcpdump
		     option combinations:

			tcpdump -n
			tcpdump -nq
			tcpdump -nqt
			tcpdump -nqtt
			tcpdump -nqte

	      text   The input file is in ipftest text input format.  This is the default  if  no
		     -F argument is specified.	The format used is as follows:
			  "in"|"out" "on" if ["tcp"|"udp"|"icmp"]
			       srchost[,srcport] dsthost[,destport] [FSRPAU]

	      This allows a packet going "in" or "out" of an interface (if) to be generated,
	      optionally as one of the three main protocols; if either TCP or UDP is given, a
	      port parameter is also expected.  If TCP is selected, it is possible to
	      (optionally) supply TCP flags at the end.  Some examples are:
		   # a UDP packet coming in on le0
		   in on le0 udp,2210,23
		   # an IP packet coming in on le0 from localhost - hmm :)
		   in on le0 localhost
		   # a TCP packet going out of le0 with the SYN flag set.
		   out on le0 tcp,2245,23 S
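The text format above, as an added example that is not part of this man page or of IPFilter: a Python parser that follows the grammar line (direction, interface, optional protocol, two host[,port] endpoints, optional TCP flags), requiring ports only for tcp/udp and accepting flag letters only with tcp. Function names and the sample lines used with it are this example's own.

```python
# Added example, not from the ipftest man page or the IPFilter sources: a
# parser/validator for the ipftest -F text input format described above.
from dataclasses import dataclass
from typing import Optional

TCP_FLAGS = set("FSRPAU")          # flag letters allowed after a tcp packet


@dataclass
class TextPacket:
    direction: str                 # "in" or "out"
    interface: str                 # e.g. le0
    proto: Optional[str]           # "tcp", "udp", "icmp" or None (plain IP)
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    flags: str = ""                # subset of FSRPAU, meaningful for tcp only


def _endpoint(tok, need_port):
    """Split host[,port]: tcp/udp require a port, other protocols reject one."""
    host, _, port = tok.partition(",")
    if bool(port) != need_port:
        raise ValueError(f"port {'required' if need_port else 'not allowed'}: {tok!r}")
    if port and not (port.isdigit() and int(port) <= 65535):
        raise ValueError(f"bad port: {port!r}")
    return host, (int(port) if port else None)


def parse_text_packet(line):
    """Parse one line of -F text input; '#' comments and blank lines give None."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("in", "out") or tok[1] != "on":
        raise ValueError(f"expected 'in|out on <if> ...': {line!r}")
    direction, iface, rest = tok[0], tok[2], tok[3:]
    proto = rest.pop(0) if rest[0] in ("tcp", "udp", "icmp") else None
    if len(rest) not in (2, 3):
        raise ValueError(f"expected srchost dsthost [flags]: {line!r}")
    need_port = proto in ("tcp", "udp")
    src, sport = _endpoint(rest[0], need_port)
    dst, dport = _endpoint(rest[1], need_port)
    flags = rest[2] if len(rest) == 3 else ""
    if flags and (proto != "tcp" or not set(flags) <= TCP_FLAGS):
        raise ValueError(f"flags only with tcp and only from FSRPAU: {line!r}")
    return TextPacket(direction, iface, proto, src, sport, dst, dport, flags)
```

Running a candidate input file through this before handing it to ipftest -i separates "my packet description was malformed" from "my ruleset did not match".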

       -i <filename>
	      Specify the filename from which to take input.  Default is stdin.

       -I <interface>
	      Set the interface name (used in rule matching) to be the name  supplied.	 This  is
	      useful  where it is not otherwise possible to associate a packet with an interface.
	      Normal "text packets" can override this setting.

       -l <filename>
	      Dump log messages generated during testing to the specified file.

       -N <filename>
	      Specify the filename from which to read NAT rules in ipnat(5) format.

       -o     Save output packets that would have been	written  to  each  interface  in  a  file
	      /tmp/interface_name in raw format.

       -P <filename>
	      Read IP pool configuration information in ippool(5) format from the specified file.

       -r <filename>
	      Specify the filename from which to read filter rules in ipf(5) format.

       -R     Don't attempt to convert IP addresses to hostnames.

       -S <ip_address>
	      The IP address specified with this option is used by ipftest to determine whether a
	      packet should be treated as "input" or "output".	If the source address  in  an  IP
	      packet  matches  then it is considered to be inbound.  If it does not match then it
	      is considered to be outbound.  This is primarily for use with tcpdump (pcap)  files
	      where there is no in/out information saved with each packet.

       -T <optionlist>
	      This option simulates the run-time changing of IPFilter kernel variables available
	      with the -T option of ipf.  The optionlist parameter is a comma separated list of
	      tuning commands.  A tuning command is either "list" (retrieve a list of all
	      variables in the kernel, their maximum, minimum and current value), a single
	      variable name (retrieve its current value) or a variable name with a following
	      assignment to set a new value.  See ipf(8) for examples.

       -v     Verbose mode.  This provides more information about which parts  of  rule  matching
	      the input packet passes and fails.

       -x     Print a hex dump of each packet before printing the decoded contents.

       ipf(5), ipf(8), tcpdump(8)

       Not all of the input formats can introduce a wide enough variety of packets for all of
       them to be equally useful in testing.

