diff options
Diffstat (limited to 'contrib/ipfilter/man/ipftest.1')
-rw-r--r-- | contrib/ipfilter/man/ipftest.1 | 205 |
1 files changed, 0 insertions, 205 deletions
diff --git a/contrib/ipfilter/man/ipftest.1 b/contrib/ipfilter/man/ipftest.1 deleted file mode 100644 index 5153687..0000000 --- a/contrib/ipfilter/man/ipftest.1 +++ /dev/null @@ -1,205 +0,0 @@ -.TH ipftest 1 -.SH NAME -ipftest \- test packet filter rules with arbitrary input. -.SH SYNOPSIS -.B ipftest -[ -.B \-6bCdDoRvx -] [ -.B \-F -input-format -] [ -.B \-i -<filename> -] [ -.B \-I -interface -] [ -.B \-l -<filename> -] [ -.B \-N -<filename> -] [ -.B \-P -<filename> -] [ -.B \-r -<filename> -] [ -.B \-S -<ip_address> -] [ -.B \-T -<optionlist> -] -.SH DESCRIPTION -.PP -\fBipftest\fP is provided for the purpose of being able to test a set of -filter rules without having to put them in place, in operation and proceed -to test their effectiveness. The hope is that this minimises disruptions -in providing a secure IP environment. -.PP -\fBipftest\fP will parse any standard ruleset for use with \fBipf\fP, -\fBipnat\fP and/or \fBippool\fP -and apply input, returning output as to the result. However, \fBipftest\fP -will return one of three values for packets passed through the filter: -pass, block or nomatch. This is intended to give the operator a better -idea of what is happening with packets passing through their filter -ruleset. -.PP -At least one of \fB\-N\fP, \fB-P\fP or \fB\-r\fP must be specified. -.SH OPTIONS -.TP -.B \-6 -Use IPv6. -.TP -.B \-b -Cause the output to be a brief summary (one-word) of the result of passing -the packet through the filter; either "pass", "block" or "nomatch". -This is used in the regression testing. -.TP -.B \-C -Force the checksums to be (re)calculated for all packets being input into -\fBipftest\fP. This may be necessary if pcap files from tcpdump are being -fed in where there are partial checksums present due to hardware offloading. -.TP -.B \-d -Turn on filter rule debugging. Currently, this only shows you what caused -the rule to not match in the IP header checking (addresses/netmasks, etc). -.TP -.B \-D -Dump internal tables before exiting. -This excludes log messages. -.TP -.B \-F -This option is used to select which input format the input file is in. -The following formats are available: etherfind, hex, pcap, snoop, tcpdump,text. -.RS -.TP -.B etherfind -The input file is to be text output from etherfind. The text formats which -are currently supported are those which result from the following etherfind -option combinations: -.PP -.nf - etherfind -n - etherfind -n -t -.fi -.TP -.B hex -The input file is to be hex digits, representing the binary makeup of the -packet. No length correction is made, if an incorrect length is put in -the IP header. A packet may be broken up over several lines of hex digits, -a blank line indicating the end of the packet. It is possible to specify -both the interface name and direction of the packet (for filtering purposes) -at the start of the line using this format: [direction,interface] To define -a packet going in on le0, we would use \fB[in,le0]\fP - the []'s are required -and part of the input syntax. -.HP -.B pcap -The input file specified by \fB\-i\fP is a binary file produced using libpcap -(i.e., tcpdump version 3). Packets are read from this file as being input -(for rule purposes). An interface maybe specified using \fB\-I\fP. -.TP -.B snoop -The input file is to be in "snoop" format (see RFC 1761). Packets are read -from this file and used as input from any interface. This is perhaps the -most useful input type, currently. -.TP -.B tcpdump -The input file is to be text output from tcpdump. The text formats which -are currently supported are those which result from the following tcpdump -option combinations: -.PP -.nf - tcpdump -n - tcpdump -nq - tcpdump -nqt - tcpdump -nqtt - tcpdump -nqte -.fi -.TP -.B text -The input file is in \fBipftest\fP text input format. -This is the default if no \fB\-F\fP argument is specified. -The format used is as follows: -.nf - "in"|"out" "on" if ["tcp"|"udp"|"icmp"] - srchost[,srcport] dsthost[,destport] [FSRPAU] -.fi -.PP -This allows for a packet going "in" or "out" of an interface (if) to be -generated, being one of the three main protocols (optionally), and if -either TCP or UDP, a port parameter is also expected. If TCP is selected, -it is possible to (optionally) supply TCP flags at the end. Some examples -are: -.nf - # a UDP packet coming in on le0 - in on le0 udp 10.1.1.1,2210 10.2.1.5,23 - # an IP packet coming in on le0 from localhost - hmm :) - in on le0 localhost 10.4.12.1 - # a TCP packet going out of le0 with the SYN flag set. - out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S -.fi -.LP -.RE -.DT -.TP -.BR \-i \0<filename> -Specify the filename from which to take input. Default is stdin. -.TP -.BR \-I \0<interface> -Set the interface name (used in rule matching) to be the name supplied. -This is useful where it is -not otherwise possible to associate a packet with an interface. Normal -"text packets" can override this setting. -.TP -.BR \-l \0<filename> -Dump log messages generated during testing to the specified file. -.TP -.BR \-N \0<filename> -Specify the filename from which to read NAT rules in \fBipnat\fP(5) format. -.TP -.B \-o -Save output packets that would have been written to each interface in -a file /tmp/\fIinterface_name\fP in raw format. -.TP -.BR \-P \0<filename> -Read IP pool configuration information in \fBippool\fP(5) format from the -specified file. -.TP -.BR \-r \0<filename> -Specify the filename from which to read filter rules in \fBipf\fP(5) format. -.TP -.B \-R -Don't attempt to convert IP addresses to hostnames. -.TP -.BR \-S \0<ip_address> -The IP address specifived with this option is used by ipftest to determine -whether a packet should be treated as "input" or "output". If the source -address in an IP packet matches then it is considered to be inbound. If it -does not match then it is considered to be outbound. This is primarily -for use with tcpdump (pcap) files where there is no in/out information -saved with each packet. -.TP -.BR \-T \0<optionlist> -This option simulates the run-time changing of IPFilter kernel variables -available with the \fB\-T\fP option of \fBipf\fP. -The optionlist parameter is a comma separated list of tuning -commands. A tuning command is either "list" (retrieve a list of all variables -in the kernel, their maximum, minimum and current value), a single variable -name (retrieve its current value) and a variable name with a following -assignment to set a new value. See \fBipf\fP(8) for examples. -.TP -.B \-v -Verbose mode. This provides more information about which parts of rule -matching the input packet passes and fails. -.TP -.B \-x -Print a hex dump of each packet before printing the decoded contents. -.SH SEE ALSO -ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c) -.SH BUGS -Not all of the input formats are sufficiently capable of introducing a -wide enough variety of packets for them to be all useful in testing. |