#!/bin/bash # SPDX-License-Identifier: GPL-2.0 # return code to signal skipped test ksft_skip=4 rc=0 if ! iptables --version >/dev/null 2>&1; then echo "SKIP: Test needs iptables" exit $ksft_skip fi if ! ip -V >/dev/null 2>&1; then echo "SKIP: Test needs iproute2" exit $ksft_skip fi if ! nc -h >/dev/null 2>&1; then echo "SKIP: Test needs netcat" exit $ksft_skip fi pattern="foo bar baz" patlen=11 hdrlen=$((20 + 8)) # IPv4 + UDP ns="ns-$(mktemp -u XXXXXXXX)" trap 'ip netns del $ns' EXIT ip netns add "$ns" ip -net "$ns" link add d0 type dummy ip -net "$ns" link set d0 up ip -net "$ns" addr add 10.1.2.1/24 dev d0 #ip netns exec "$ns" tcpdump -npXi d0 & #tcpdump_pid=$! #trap 'kill $tcpdump_pid; ip netns del $ns' EXIT add_rule() { # (alg, from, to) ip netns exec "$ns" \ iptables -A OUTPUT -o d0 -m string \ --string "$pattern" --algo $1 --from $2 --to $3 } showrules() { # () ip netns exec "$ns" iptables -v -S OUTPUT | grep '^-A' } zerorules() { ip netns exec "$ns" iptables -Z OUTPUT } countrule() { # (pattern) showrules | grep -c -- "$*" } send() { # (offset) ( for ((i = 0; i < $1 - $hdrlen; i++)); do printf " " done printf "$pattern" ) | ip netns exec "$ns" nc -w 1 -u 10.1.2.2 27374 } add_rule bm 1000 1500 add_rule bm 1400 1600 add_rule kmp 1000 1500 add_rule kmp 1400 1600 zerorules send 0 send $((1000 - $patlen)) if [ $(countrule -c 0 0) -ne 4 ]; then echo "FAIL: rules match data before --from" showrules ((rc--)) fi zerorules send 1000 send $((1400 - $patlen)) if [ $(countrule -c 2) -ne 2 ]; then echo "FAIL: only two rules should match at low offset" showrules ((rc--)) fi zerorules send $((1500 - $patlen)) if [ $(countrule -c 1) -ne 4 ]; then echo "FAIL: all rules should match at end of packet" showrules ((rc--)) fi zerorules send 1495 if [ $(countrule -c 1) -ne 1 ]; then echo "FAIL: only kmp with proper --to should match pattern spanning fragments" showrules ((rc--)) fi zerorules send 1500 if [ $(countrule -c 1) -ne 2 ]; then echo "FAIL: two rules should match pattern at start of second fragment" showrules ((rc--)) fi zerorules send $((1600 - $patlen)) if [ $(countrule -c 1) -ne 2 ]; then echo "FAIL: two rules should match pattern at end of largest --to" showrules ((rc--)) fi zerorules send $((1600 - $patlen + 1)) if [ $(countrule -c 1) -ne 0 ]; then echo "FAIL: no rules should match pattern extending largest --to" showrules ((rc--)) fi zerorules send 1600 if [ $(countrule -c 1) -ne 0 ]; then echo "FAIL: no rule should match pattern past largest --to" showrules ((rc--)) fi exit $rc