Skip site navigation (1)Skip section navigation (2)

FreeBSD Man Pages

Man Page or Keyword Search:
Man Architecture
Apropos Keyword Search (all sections) Output format
home | help
ipftest(1)							    ipftest(1)

NAME
       ipftest - test packet filter rules with arbitrary input.

SYNOPSIS
       ipftest	[  -6bCdDoRvx  ]  [  -F	 input-format ]	[ -i <filename>	] [ -I
       interface ] [ -l	<filename> ] [ -N <filename> ] [ -P <filename> ] [  -r
       <filename> ] [ -S <ip_address> ]	[ -T <optionlist> ]

DESCRIPTION
       ipftest is provided for the purpose of being able to test a set of fil-
       ter rules without having	to put them in place, in operation and proceed
       to  test	 their effectiveness.  The hope	is that	this minimises disrup-
       tions in	providing a secure IP environment.

       ipftest will parse any standard ruleset for use with ipf, ipnat	and/or
       ippool  and  apply  input, returning output as to the result.  However,
       ipftest will return one of three	values for packets passed through  the
       filter:	pass, block or nomatch.	 This is intended to give the operator
       a better	idea of	what is	happening with packets passing	through	 their
       filter ruleset.

       At least	one of -N, -P or -r must be specified.

OPTIONS
       -6     Use IPv6.

       -b     Cause  the output	to be a	brief summary (one-word) of the	result
	      of passing the packet through the	filter;	either "pass", "block"
	      or "nomatch".  This is used in the regression testing.

       -C     Force  the  checksums to be (re)calculated for all packets being
	      input into ipftest.  This	may be necessary if  pcap  files  from
	      tcpdump  are  being  fed	in  where  there are partial checksums
	      present due to hardware offloading.

       -d     Turn on filter rule debugging.  Currently, this only  shows  you
	      what  caused  the	 rule  to  not match in	the IP header checking
	      (addresses/netmasks, etc).

       -D     Dump internal tables before exiting.   This  excludes  log  mes-
	      sages.

       -F     This  option is used to select which input format	the input file
	      is in.  The following formats  are  available:  etherfind,  hex,
	      pcap, snoop, tcpdump,text.

	      etherfind
		     The  input	file is	to be text output from etherfind.  The
		     text formats which	 are  currently	 supported  are	 those
		     which result from the following etherfind option combina-
		     tions:

			etherfind -n
			etherfind -n -t

	      hex    The input file is to  be  hex  digits,  representing  the
		     binary  makeup  of	 the  packet.  No length correction is
		     made, if an incorrect length is put in the	IP header.   A
		     packet may	be broken up over several lines	of hex digits,
		     a blank line indicating the end of	 the  packet.	It  is
		     possible to specify both the interface name and direction
		     of	the packet (for	filtering purposes) at	the  start  of
		     the  line	using  this  format: [direction,interface]  To
		     define a packet going in on le0, we would use [in,le0]  -
		     the []'s are required and part of the input syntax.

	      pcap  The	 input	file specified by -i is	a binary file produced
		     using libpcap (i.e., tcpdump  version  3).	  Packets  are
		     read  from	 this file as being input (for rule purposes).
		     An	interface maybe	specified using	-I.

	      snoop  The input file is to be in	"snoop"	format (see RFC	1761).
		     Packets  are  read	 from this file	and used as input from
		     any interface.  This is perhaps  the  most	 useful	 input
		     type, currently.

	      tcpdump
		     The  input	 file  is to be	text output from tcpdump.  The
		     text formats which	 are  currently	 supported  are	 those
		     which  result  from the following tcpdump option combina-
		     tions:

			tcpdump	-n
			tcpdump	-nq
			tcpdump	-nqt
			tcpdump	-nqtt
			tcpdump	-nqte

	      text   The input file is in ipftest text input format.  This  is
		     the  default  if no -F argument is	specified.  The	format
		     used is as	follows:
			  "in"|"out" "on" if ["tcp"|"udp"|"icmp"]
			       srchost[,srcport] dsthost[,destport] [FSRPAU]

	      This allows for a	packet going "in" or  "out"  of	 an  interface
	      (if)  to	be  generated,	being  one of the three	main protocols
	      (optionally), and	if either TCP or UDP, a	port parameter is also
	      expected.	  If  TCP  is selected,	it is possible to (optionally)
	      supply TCP flags at the end.  Some examples are:
		   # a UDP packet coming in on le0
		   in on le0 udp 10.1.1.1,2210 10.2.1.5,23
		   # an	IP packet coming in on le0 from	localhost - hmm	:)
		   in on le0 localhost 10.4.12.1
		   # a TCP packet going	out of le0 with	the SYN	flag set.
		   out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S

       -i <filename>
	      Specify the filename from	 which	to  take  input.   Default  is
	      stdin.

       -I <interface>
	      Set  the	interface  name	(used in rule matching)	to be the name
	      supplied.	 This is useful	where it is not	otherwise possible  to
	      associate	a packet with an interface.  Normal "text packets" can
	      override this setting.

       -l <filename>
	      Dump log messages	generated  during  testing  to	the  specified
	      file.

       -N <filename>
	      Specify  the  filename  from which to read NAT rules in ipnat(5)
	      format.

       -o     Save output packets that would have been written to each	inter-
	      face in a	file /tmp/interface_name in raw	format.

       -P <filename>
	      Read  IP pool configuration information in ippool(5) format from
	      the specified file.

       -r <filename>
	      Specify the filename from	which to read filter rules  in	ipf(5)
	      format.

       -R     Don't attempt to convert IP addresses to hostnames.

       -S <ip_address>
	      The IP address specifived	with this option is used by ipftest to
	      determine	whether	a packet should	be treated as "input" or "out-
	      put".   If the source address in an IP packet matches then it is
	      considered to be inbound.	 If it does not	match then it is  con-
	      sidered  to be outbound.	This is	primarily for use with tcpdump
	      (pcap) files where there is no  in/out  information  saved  with
	      each packet.

       -T <optionlist>
	      This  option  simulates the run-time changing of IPFilter	kernel
	      variables	available with the -T option of	ipf.   The  optionlist
	      parameter	 is a comma separated list of tuning commands.	A tun-
	      ing command is either "list" (retrieve a list of	all  variables
	      in the kernel, their maximum, minimum and	current	value),	a sin-
	      gle variable name	(retrieve its current value)  and  a  variable
	      name with	a following assignment to set a	new value.  See	ipf(8)
	      for examples.

       -v     Verbose mode.  This provides more	information about which	 parts
	      of rule matching the input packet	passes and fails.

       -x     Print a hex dump of each packet before printing the decoded con-
	      tents.

SEE ALSO
       ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)

BUGS
       Not all of the input formats are	sufficiently capable of	introducing  a
       wide enough variety of packets for them to be all useful	in testing.

								    ipftest(1)

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | SEE ALSO | BUGS

Want to link to this manual page? Use this URL:
<http://www.freebsd.org/cgi/man.cgi?query=ipftest&sektion=1&manpath=FreeBSD+10.0-RELEASE>

home | help