Added tests for iptables 'length' match.
Added print_parse_capabilities() so that IPTables::Parse keys/regex's can
easily be seen.
which was updated to allow the value "-1" to be passed in as the rule
insertion number in order to denote "append" (-A <chain>) mode.
- Added "mac_source" tests to t/basic_tests.pl.
+ - Added tests for iptables 'length' match.
+ - Added print_parse_capabilities() so that IPTables::Parse keys/regex's can
+ easily be seen.
- Bug fix to ensure that state tracking arguments are properly processed
by add_ip_rule().
to_port mac_source state ctstate));
if ($IPTables::Parse::VERSION > 1.1) {
+
@parse_keys = ();
### get the keys list from the IPTables::Parse module
return 0, $#$chain_ar+1;
}
+sub print_parse_capabilities() {
+ my $self = shift;
+
+ my $ipt_parse = new IPTables::Parse(
+ 'iptables' => $self->{'_iptables'},
+ 'iptout' => $self->{'_iptout'},
+ 'ipterr' => $self->{'_ipterr'},
+ 'debug' => $self->{'_debug'},
+ 'verbose' => $self->{'_verbose'},
+ 'ipt_alarm' => $self->{'_ipt_alarm'},
+ 'ipt_exec_style' => $self->{'_ipt_exec_style'},
+ 'ipt_exec_sleep' => $self->{'_ipt_exec_sleep'},
+ 'sigchld_handler' => $self->{'_sigchld_handler'},
+ ) or croak "[*] Could not acquire IPTables::Parse object";
+
+ if ($IPTables::Parse::VERSION > 1.1) {
+
+ print "[+] IPTables::Parse regular options:\n";
+ for my $key (keys %{$ipt_parse->{'parse_keys'}->{'regular'}}) {
+ my $p_hr = $ipt_parse->{'parse_keys'}->{'regular'}->{$key};
+ print " $key\n";
+ if (defined $p_hr->{'regex'} and $p_hr->{'regex'}) {
+ print " regex: $p_hr->{'regex'}", "\n";
+ }
+ if (defined $p_hr->{'ipt_match'} and $p_hr->{'ipt_match'}) {
+ print " ipt_match: $p_hr->{'ipt_match'} <val>", "\n";
+ }
+ }
+
+ print "\n[+] IPTables::Parse extended options:\n";
+ for my $key (keys %{$ipt_parse->{'parse_keys'}->{'extended'}}) {
+ my $p_hr = $ipt_parse->{'parse_keys'}->{'extended'}->{$key};
+ print " $key\n";
+ if (defined $p_hr->{'regex'} and $p_hr->{'regex'}) {
+ print " regex: $p_hr->{'regex'}", "\n";
+ }
+ if (defined $p_hr->{'ipt_match'} and $p_hr->{'ipt_match'}) {
+ print " ipt_match: $p_hr->{'ipt_match'} <val>", "\n";
+ }
+ }
+
+ } else {
+ print "[+] IPTables::Parse capabilities:\n";
+ for my $key (qw(protocol s_port d_port to_ip
+ to_port mac_source state ctstate)) {
+ print " $key\n";
+ }
+ }
+ return;
+}
+
sub state_compare() {
my ($state_str1, $state_str2) = @_;
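Review bot: `print_parse_capabilities` constructs its parser with indirect object syntax, `new IPTables::Parse(...)`, at the top of the new sub; the arrow form `my $ipt_parse = IPTables::Parse->new(` avoids the bareword-resolution ambiguity and is what perlcritic expects. The two `for my $key (keys %{...})` loops over the `regular` and `extended` key sets are copies of each other, and `keys` yields hash order, so the printed listing changes from run to run; a private helper that takes the sub-hash and iterates `sort keys` removes the duplication and makes the output stable. The `()` prototype on a method is misleading because prototypes are ignored for method calls, so `sub print_parse_capabilities {` reads more honestly. The sub also reaches into `$ipt_parse->{'parse_keys'}` directly, so it depends on the internal layout of IPTables::Parse rather than an accessor; the version check guards that layout and a comment should say so.
```perl
sub print_parse_capabilities {
    my $self = shift;

    my $ipt_parse = IPTables::Parse->new(
        ### … unchanged: constructor arguments …
    ) or croak "[*] Could not acquire IPTables::Parse object";

    if ($IPTables::Parse::VERSION > 1.1) {
        ### depends on the internal {'parse_keys'} layout of IPTables::Parse;
        ### the version check above guards that layout
        print "[+] IPTables::Parse regular options:\n";
        _print_parse_keys($ipt_parse->{'parse_keys'}->{'regular'});

        print "\n[+] IPTables::Parse extended options:\n";
        _print_parse_keys($ipt_parse->{'parse_keys'}->{'extended'});
    } else {
        ### … unchanged: fixed capability list for older IPTables::Parse …
    }
    return;
}

### print one parse-key set (regex and ipt_match where present), sorted so
### the listing is stable between runs
sub _print_parse_keys {
    my $keys_hr = shift;
    for my $key (sort keys %$keys_hr) {
        my $p_hr = $keys_hr->{$key};
        print " $key\n";
        if (defined $p_hr->{'regex'} and $p_hr->{'regex'}) {
            print " regex: $p_hr->{'regex'}", "\n";
        }
        if (defined $p_hr->{'ipt_match'} and $p_hr->{'ipt_match'}) {
            print " ipt_match: $p_hr->{'ipt_match'} <val>", "\n";
        }
    }
    return;
}
```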
my $chain_past_end = 1000;
#================== end config ===================
-my %targets = (
- 'ACCEPT' => '',
- 'DROP' => '',
- 'QUEUE' => '',
- 'RETURN' => '',
-);
-
my %iptables_chains = (
'mangle' => [qw/PREROUTING INPUT OUTPUT FORWARD POSTROUTING/],
'raw' => [qw/PREROUTING OUTPUT/],
$dst_ip, $test_table, $test_chain, $target,
{'normalize' => 1, 'protocol' => 'udp', 's_port' => 0, 'd_port' => 53});
&pass_fail($rule_position, " Could not find UDP $src_ip(0) -> $dst_ip(53) $target rule");
+
+ ### UDP length
+ &dots_print("add_ext_ip_rules(): $test_table $test_chain UDP $src_ip(0) -> $dst_ip(53) $target length 10:100 ");
+ ($rv, $out_ar, $err_ar) = $ipt_obj->add_ip_rule($src_ip,
+ $dst_ip, $chain_past_end, $test_table, $test_chain, $target,
+ {'protocol' => 'udp', 's_port' => 0, 'd_port' => 53, 'length' => '10:100'});
+ &pass_fail($rv, " Could not add UDP $src_ip(0) -> $dst_ip(53) $target length 10:100 rule");
+
+ &dots_print("find ext rule: $test_table $test_chain UDP $src_ip(0) -> $dst_ip(53) $target ");
+ ($rule_position, $num_chain_rules) = $ipt_obj->find_ip_rule($src_ip,
+ $dst_ip, $test_table, $test_chain, $target,
+ {'normalize' => 1, 'protocol' => 'udp', 's_port' => 0, 'd_port' => 53, 'length' => '10:100'});
+ &pass_fail($rule_position, " Could not find UDP $src_ip(0) -> $dst_ip(53) $target length 10:100 rule");
+
}
return;
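Review bot: The progress label for the new find test, `&dots_print("find ext rule: $test_table $test_chain UDP $src_ip(0) -> $dst_ip(53) $target ");`, omits the `length 10:100` qualifier that the add label and both `pass_fail` messages in this block carry, so a failure here prints the same label as the plain UDP find test directly above it. Suggest `&dots_print("find ext rule: $test_table $test_chain UDP $src_ip(0) -> $dst_ip(53) $target length 10:100 ");`. The rule is inserted at `$chain_past_end`, which the surrounding test config sets to 1000; the enclosing loop and sub start outside the hunk, so whether the added rule is covered by the existing teardown cannot be confirmed from here.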
for (my $i=length($msg); $i < $PRINT_LEN; $i++) {
$dots .= '.';
}
- &logr($dots);
+ if ($dots) {
+ &logr($dots);
+ } else {
+ &logr(' ') unless $msg =~ /\s$/;
+ }
return;
}
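Review bot: The new fallback branch, `&logr(' ') unless $msg =~ /\s$/;`, is the one non-obvious line in the hunk and carries no comment; a reader has to infer that it exists for messages already at or past `$PRINT_LEN`, where `$dots` is empty and the following status text would otherwise run straight into the message. Suggest a trailing comment such as `### msg is wider than $PRINT_LEN: keep the status text from abutting it`. `\s$` also matches before a trailing newline, which is harmless here since `\n` is itself whitespace, but `/\s\z/` states the intent directly. The enclosing sub starts outside the hunk.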