summaryrefslogtreecommitdiffstats
path: root/man/ipftest.1
diff options
context:
space:
mode:
Diffstat (limited to 'man/ipftest.1')
-rw-r--r--man/ipftest.1205
1 files changed, 205 insertions, 0 deletions
diff --git a/man/ipftest.1 b/man/ipftest.1
new file mode 100644
index 0000000..5153687
--- /dev/null
+++ b/man/ipftest.1
@@ -0,0 +1,205 @@
+.TH ipftest 1
+.SH NAME
+ipftest \- test packet filter rules with arbitrary input.
+.SH SYNOPSIS
+.B ipftest
+[
+.B \-6bCdDoRvx
+] [
+.B \-F
+input-format
+] [
+.B \-i
+<filename>
+] [
+.B \-I
+interface
+] [
+.B \-l
+<filename>
+] [
+.B \-N
+<filename>
+] [
+.B \-P
+<filename>
+] [
+.B \-r
+<filename>
+] [
+.B \-S
+<ip_address>
+] [
+.B \-T
+<optionlist>
+]
+.SH DESCRIPTION
+.PP
+\fBipftest\fP is provided for the purpose of being able to test a set of
+filter rules without having to put them in place, in operation and proceed
+to test their effectiveness. The hope is that this minimises disruptions
+in providing a secure IP environment.
+.PP
+\fBipftest\fP will parse any standard ruleset for use with \fBipf\fP,
+\fBipnat\fP and/or \fBippool\fP
+and apply input, returning output as to the result. However, \fBipftest\fP
+will return one of three values for packets passed through the filter:
+pass, block or nomatch. This is intended to give the operator a better
+idea of what is happening with packets passing through their filter
+ruleset.
+.PP
+At least one of \fB\-N\fP, \fB-P\fP or \fB\-r\fP must be specified.
+.SH OPTIONS
+.TP
+.B \-6
+Use IPv6.
+.TP
+.B \-b
+Cause the output to be a brief summary (one-word) of the result of passing
+the packet through the filter; either "pass", "block" or "nomatch".
+This is used in the regression testing.
+.TP
+.B \-C
+Force the checksums to be (re)calculated for all packets being input into
+\fBipftest\fP. This may be necessary if pcap files from tcpdump are being
+fed in where there are partial checksums present due to hardware offloading.
+.TP
+.B \-d
+Turn on filter rule debugging. Currently, this only shows you what caused
+the rule to not match in the IP header checking (addresses/netmasks, etc).
+.TP
+.B \-D
+Dump internal tables before exiting.
+This excludes log messages.
+.TP
+.B \-F
+This option is used to select which input format the input file is in.
+The following formats are available: etherfind, hex, pcap, snoop, tcpdump,text.
+.RS
+.TP
+.B etherfind
+The input file is to be text output from etherfind. The text formats which
+are currently supported are those which result from the following etherfind
+option combinations:
+.PP
+.nf
+ etherfind -n
+ etherfind -n -t
+.fi
+.TP
+.B hex
+The input file is to be hex digits, representing the binary makeup of the
+packet. No length correction is made, if an incorrect length is put in
+the IP header. A packet may be broken up over several lines of hex digits,
+a blank line indicating the end of the packet. It is possible to specify
+both the interface name and direction of the packet (for filtering purposes)
+at the start of the line using this format: [direction,interface] To define
+a packet going in on le0, we would use \fB[in,le0]\fP - the []'s are required
+and part of the input syntax.
+.HP
+.B pcap
+The input file specified by \fB\-i\fP is a binary file produced using libpcap
+(i.e., tcpdump version 3). Packets are read from this file as being input
+(for rule purposes). An interface maybe specified using \fB\-I\fP.
+.TP
+.B snoop
+The input file is to be in "snoop" format (see RFC 1761). Packets are read
+from this file and used as input from any interface. This is perhaps the
+most useful input type, currently.
+.TP
+.B tcpdump
+The input file is to be text output from tcpdump. The text formats which
+are currently supported are those which result from the following tcpdump
+option combinations:
+.PP
+.nf
+ tcpdump -n
+ tcpdump -nq
+ tcpdump -nqt
+ tcpdump -nqtt
+ tcpdump -nqte
+.fi
+.TP
+.B text
+The input file is in \fBipftest\fP text input format.
+This is the default if no \fB\-F\fP argument is specified.
+The format used is as follows:
+.nf
+ "in"|"out" "on" if ["tcp"|"udp"|"icmp"]
+ srchost[,srcport] dsthost[,destport] [FSRPAU]
+.fi
+.PP
+This allows for a packet going "in" or "out" of an interface (if) to be
+generated, being one of the three main protocols (optionally), and if
+either TCP or UDP, a port parameter is also expected. If TCP is selected,
+it is possible to (optionally) supply TCP flags at the end. Some examples
+are:
+.nf
+ # a UDP packet coming in on le0
+ in on le0 udp 10.1.1.1,2210 10.2.1.5,23
+ # an IP packet coming in on le0 from localhost - hmm :)
+ in on le0 localhost 10.4.12.1
+ # a TCP packet going out of le0 with the SYN flag set.
+ out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S
+.fi
+.LP
+.RE
+.DT
+.TP
+.BR \-i \0<filename>
+Specify the filename from which to take input. Default is stdin.
+.TP
+.BR \-I \0<interface>
+Set the interface name (used in rule matching) to be the name supplied.
+This is useful where it is
+not otherwise possible to associate a packet with an interface. Normal
+"text packets" can override this setting.
+.TP
+.BR \-l \0<filename>
+Dump log messages generated during testing to the specified file.
+.TP
+.BR \-N \0<filename>
+Specify the filename from which to read NAT rules in \fBipnat\fP(5) format.
+.TP
+.B \-o
+Save output packets that would have been written to each interface in
+a file /tmp/\fIinterface_name\fP in raw format.
+.TP
+.BR \-P \0<filename>
+Read IP pool configuration information in \fBippool\fP(5) format from the
+specified file.
+.TP
+.BR \-r \0<filename>
+Specify the filename from which to read filter rules in \fBipf\fP(5) format.
+.TP
+.B \-R
+Don't attempt to convert IP addresses to hostnames.
+.TP
+.BR \-S \0<ip_address>
+The IP address specifived with this option is used by ipftest to determine
+whether a packet should be treated as "input" or "output". If the source
+address in an IP packet matches then it is considered to be inbound. If it
+does not match then it is considered to be outbound. This is primarily
+for use with tcpdump (pcap) files where there is no in/out information
+saved with each packet.
+.TP
+.BR \-T \0<optionlist>
+This option simulates the run-time changing of IPFilter kernel variables
+available with the \fB\-T\fP option of \fBipf\fP.
+The optionlist parameter is a comma separated list of tuning
+commands. A tuning command is either "list" (retrieve a list of all variables
+in the kernel, their maximum, minimum and current value), a single variable
+name (retrieve its current value) and a variable name with a following
+assignment to set a new value. See \fBipf\fP(8) for examples.
+.TP
+.B \-v
+Verbose mode. This provides more information about which parts of rule
+matching the input packet passes and fails.
+.TP
+.B \-x
+Print a hex dump of each packet before printing the decoded contents.
+.SH SEE ALSO
+ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)
+.SH BUGS
+Not all of the input formats are sufficiently capable of introducing a
+wide enough variety of packets for them to be all useful in testing.
OpenPOWER on IntegriCloud