IPFTEST(1)                                                          IPFTEST(1)



NAME
       ipftest - test packet filter rules with arbitrary input.

SYNOPSIS
       ipftest  [  -6bCdDoRvx  ]  [  -F  input-format ] [ -i <filename> ] [ -I
       interface ] [ -l <filename> ] [ -N <filename> ] [ -P <filename> ] [  -r
       <filename> ] [ -S <ip_address> ] [ -T <optionlist> ]

DESCRIPTION
       ipftest is provided for the purpose of being able to test a set of fil-
       ter rules without having to put them in place, in operation and proceed
       to  test  their effectiveness.  The hope is that this minimises disrup-
       tions in providing a secure IP environment.

       ipftest will parse any standard ruleset for use with ipf, ipnat  and/or
       ippool  and  apply  input, returning output as to the result.  However,
       ipftest will return one of three values for packets passed through  the
       filter:  pass, block or nomatch.  This is intended to give the operator
       a better idea of what is happening with packets passing  through  their
       filter ruleset.

       At least one of -N, -P or -r must be specified.

OPTIONS
       -6     Use IPv6.

       -b     Cause  the output to be a brief summary (one-word) of the result
              of passing the packet through the filter; either "pass", "block"
              or "nomatch".  This is used in the regression testing.

       -C     Force  the  checksums to be (re)calculated for all packets being
              input into ipftest.  This may be necessary if  pcap  files  from
              tcpdump  are  being  fed  in  where  there are partial checksums
              present due to hardware offloading.

       -d     Turn on filter rule debugging.  Currently, this only  shows  you
              what  caused  the  rule  to  not match in the IP header checking
              (addresses/netmasks, etc).

       -D     Dump internal tables before exiting.   This  excludes  log  mes-
              sages.

       -F     This  option is used to select which input format the input file
              is in.  The following formats  are  available:  etherfind,  hex,
              pcap, snoop, tcpdump,text.

              etherfind
                     The  input file is to be text output from etherfind.  The
                     text formats which  are  currently  supported  are  those
                     which result from the following etherfind option combina-
                     tions:

                        etherfind -n
                        etherfind -n -t

              hex    The input file is to  be  hex  digits,  representing  the
                     binary  makeup  of  the  packet.  No length correction is
                     made, if an incorrect length is put in the IP header.   A
                     packet may be broken up over several lines of hex digits,
                     a blank line indicating the end of  the  packet.   It  is
                     possible to specify both the interface name and direction
                     of the packet (for filtering purposes) at  the  start  of
                     the  line  using  this  format: [direction,interface]  To
                     define a packet going in on le0, we would use [in,le0]  -
                     the []'s are required and part of the input syntax.

              pcap  The  input  file specified by -i is a binary file produced
                     using libpcap (i.e., tcpdump  version  3).   Packets  are
                     read  from  this file as being input (for rule purposes).
                     An interface maybe specified using -I.

              snoop  The input file is to be in "snoop" format (see RFC 1761).
                     Packets  are  read  from this file and used as input from
                     any interface.  This is perhaps  the  most  useful  input
                     type, currently.

              tcpdump
                     The  input  file  is to be text output from tcpdump.  The
                     text formats which  are  currently  supported  are  those
                     which  result  from the following tcpdump option combina-
                     tions:

                        tcpdump -n
                        tcpdump -nq
                        tcpdump -nqt
                        tcpdump -nqtt
                        tcpdump -nqte

              text   The input file is in ipftest text input format.  This  is
                     the  default  if no -F argument is specified.  The format
                     used is as follows:
                          "in"|"out" "on" if ["tcp"|"udp"|"icmp"]
                               srchost[,srcport] dsthost[,destport] [FSRPAU]

              This allows for a packet going "in" or  "out"  of  an  interface
              (if)  to  be  generated,  being  one of the three main protocols
              (optionally), and if either TCP or UDP, a port parameter is also
              expected.   If  TCP  is selected, it is possible to (optionally)
              supply TCP flags at the end.  Some examples are:
                   # a UDP packet coming in on le0
                   in on le0 udp 10.1.1.1,2210 10.2.1.5,23
                   # an IP packet coming in on le0 from localhost - hmm :)
                   in on le0 localhost 10.4.12.1
                   # a TCP packet going out of le0 with the SYN flag set.
                   out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S

       -i <filename>
              Specify the filename from  which  to  take  input.   Default  is
              stdin.

       -I <interface>
              Set  the  interface  name (used in rule matching) to be the name
              supplied.  This is useful where it is not otherwise possible  to
              associate a packet with an interface.  Normal "text packets" can
              override this setting.

       -l <filename>
              Dump log messages generated  during  testing  to  the  specified
              file.

       -N <filename>
              Specify  the  filename  from which to read NAT rules in ipnat(5)
              format.

       -o     Save output packets that would have been written to each  inter-
              face in a file /tmp/interface_name in raw format.

       -P <filename>
              Read  IP pool configuration information in ippool(5) format from
              the specified file.

       -r <filename>
              Specify the filename from which to read filter rules  in  ipf(5)
              format.

       -R     Don't attempt to convert IP addresses to hostnames.

       -S <ip_address>
              The IP address specifived with this option is used by ipftest to
              determine whether a packet should be treated as "input" or "out-
              put".   If the source address in an IP packet matches then it is
              considered to be inbound.  If it does not match then it is  con-
              sidered  to be outbound.  This is primarily for use with tcpdump
              (pcap) files where there is no  in/out  information  saved  with
              each packet.

       -T <optionlist>
              This  option  simulates the run-time changing of IPFilter kernel
              variables available with the -T option of ipf.   The  optionlist
              parameter  is a comma separated list of tuning commands.  A tun-
              ing command is either "list" (retrieve a list of  all  variables
              in the kernel, their maximum, minimum and current value), a sin-
              gle variable name (retrieve its current value)  and  a  variable
              name with a following assignment to set a new value.  See ipf(8)
              for examples.

       -v     Verbose mode.  This provides more information about which  parts
              of rule matching the input packet passes and fails.

       -x     Print a hex dump of each packet before printing the decoded con-
              tents.

SEE ALSO
       ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)

BUGS
       Not all of the input formats are sufficiently capable of introducing  a
       wide enough variety of packets for them to be all useful in testing.



                                                                    IPFTEST(1)

You can also request any man page by name and (optionally) by section:

Command: 
Section: 
Architecture: 
Collection: 
 

Use the DEFAULT collection to view manual pages for third-party software.


©1994 Man-cgi 1.15, Panagiotis Christias <christia@softlab.ntua.gr>
©1996-2014 Modified for NetBSD by Kimmo Suominen