FreeBSD 7.0 manual page repository
FreeBSD is a free computer operating system based on BSD UNIX originally. Many IT companies, like DeployIS is using it to provide an up-to-date, stable operating system.
ipftest - test packet filter rules with arbitrary input.
ipftest - test packet filter rules with arbitrary input.
ipftest [ -6bCdDoRvx ] [ -F input-format ] [ -i <filename> ] [ -I interface ] [ -l <filename> ] [ -N <filename> ] [ -P <filename> ] [ -r <filename> ] [ -S <ip_address> ] [ -T <optionlist> ]
ipftest is provided for the purpose of being able to test a set of fil‐ ter rules without having to put them in place, in operation and proceed to test their effectiveness. The hope is that this minimises disrup‐ tions in providing a secure IP environment. ipftest will parse any standard ruleset for use with ipf, ipnat and/or ippool and apply input, returning output as to the result. However, ipftest will return one of three values for packets passed through the filter: pass, block or nomatch. This is intended to give the operator a better idea of what is happening with packets passing through their filter ruleset. At least one of -N, -P or -r must be specified.
-6 Use IPv6. -b Cause the output to be a brief summary (one-word) of the result of passing the packet through the filter; either "pass", "block" or "nomatch". This is used in the regression testing. -C Force the checksums to be (re)calculated for all packets being input into ipftest. This may be necessary if pcap files from tcpdump are being fed in where there are partial checksums present due to hardware offloading. -d Turn on filter rule debugging. Currently, this only shows you what caused the rule to not match in the IP header checking (addresses/netmasks, etc). -D Dump internal tables before exiting. This excludes log mes‐ sages. -F This option is used to select which input format the input file is in. The following formats are available: etherfind, hex, pcap, snoop, tcpdump,text. etherfind The input file is to be text output from etherfind. The text formats which are currently supported are those which result from the following etherfind option combina‐ tions: etherfind -n etherfind -n -t hex The input file is to be hex digits, representing the binary makeup of the packet. No length correction is made, if an incorrect length is put in the IP header. A packet may be broken up over several lines of hex digits, a blank line indicating the end of the packet. It is possible to specify both the interface name and direction of the packet (for filtering purposes) at the start of the line using this format: [direction,interface] To define a packet going in on le0, we would use [in,le0] - the ’s are required and part of the input syntax. pcap The input file specified by -i is a binary file produced using libpcap (i.e., tcpdump version 3). Packets are read from this file as being input (for rule purposes). An interface maybe specified using -I. snoop The input file is to be in "snoop" format (see RFC 1761). Packets are read from this file and used as input from any interface. This is perhaps the most useful input type, currently. tcpdump The input file is to be text output from tcpdump. The text formats which are currently supported are those which result from the following tcpdump option combina‐ tions: tcpdump -n tcpdump -nq tcpdump -nqt tcpdump -nqtt tcpdump -nqte text The input file is in ipftest text input format. This is the default if no -F argument is specified. The format used is as follows: "in"|"out" "on" if ["tcp"|"udp"|"icmp"] srchost[,srcport] dsthost[,destport] [FSRPAU] This allows for a packet going "in" or "out" of an interface (if) to be generated, being one of the three main protocols (optionally), and if either TCP or UDP, a port parameter is also expected. If TCP is selected, it is possible to (optionally) supply TCP flags at the end. Some examples are: # a UDP packet coming in on le0 in on le0 udp 10.1.1.1,2210 10.2.1.5,23 # an IP packet coming in on le0 from localhost - hmm :) in on le0 localhost 10.4.12.1 # a TCP packet going out of le0 with the SYN flag set. out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S -i <filename> Specify the filename from which to take input. Default is stdin. -I <interface> Set the interface name (used in rule matching) to be the name supplied. This is useful where it is not otherwise possible to associate a packet with an interface. Normal "text packets" can override this setting. -l <filename> Dump log messages generated during testing to the specified file. -N <filename> Specify the filename from which to read NAT rules in ipnat(5) format. -o Save output packets that would have been written to each inter‐ face in a file /tmp/interface_name in raw format. -P <filename> Read IP pool configuration information in ippool(5) format from the specified file. -r <filename> Specify the filename from which to read filter rules in ipf(5) format. -R Don’t attempt to convert IP addresses to hostnames. -S <ip_address> The IP address specifived with this option is used by ipftest to determine whether a packet should be treated as "input" or "out‐ put". If the source address in an IP packet matches then it is considered to be inbound. If it does not match then it is con‐ sidered to be outbound. This is primarily for use with tcpdump (pcap) files where there is no in/out information saved with each packet. -T <optionlist> This option simulates the run-time changing of IPFilter kernel variables available with the -T option of ipf. The optionlist parameter is a comma separated list of tuning commands. A tun‐ ing command is either "list" (retrieve a list of all variables in the kernel, their maximum, minimum and current value), a sin‐ gle variable name (retrieve its current value) and a variable name with a following assignment to set a new value. See ipf(8) for examples. -v Verbose mode. This provides more information about which parts of rule matching the input packet passes and fails. -x Print a hex dump of each packet before printing the decoded con‐ tents. ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)
Not all of the input formats are sufficiently capable of introducing a wide enough variety of packets for them to be all useful in testing. ipftest(1)